feat(remote-config): verify RC container signatures

[rickvdl]

Part of a stack of PRs, builds on #7022.

Matches the trusted-entitlements RC Container signing behavior from RevenueCat/purchases-android#3601.

Changes

• Implements response signature verification for the remote config endpoint
• As described in the backend spec this only validates the first element in the response (the config blob)
• Extracted the ElementParser out of the main RCContainer parser in order to reuse it during the signature validation for extracting the checksum
  • This is done in order to keep the RCContainer.Parser clean of any business knowledge about the config endpoint (handling the 0st element as the config blob in order to pull out it's checksum)
• In order to keep the HTTPClient generic and not assume RCContainer == config endpoint, i've introduced the ResponseSignatureContextProvider, which can give instruct the HTTP client on how to create and validate the signatures.
  • For the current JSON endpoint this means using the request body for the request signature, using the full body for the response signature and not overriding any result based on http status code
  • For the remote config endpoint this means no request signature, using only the checksum from the config blob (the first element in RCContainer format) and overriding the 204 status code to return .verified regardless
  • This should support the remote config case while keeping the HTTP client clear of any domain logic.

This is only unit tested so far, as we don't have a live endpoint to test against yet. But since it's unused it should not be a big deal for now.

Architecture

flowchart TD
    A["HTTPClient"] --> B{"ResponseSignatureContextProvider"}

    B -->|"Default provider"| C["Current JSON endpoints"]
    C --> D["Use response body as signature payload"]
    D --> E["Verify signature"]
    E --> F["Existing JSON decoding"]

    B -->|"Remote config provider"| G["RC Container endpoint"]
    G --> H["Read config element for signing"]
    H --> I["Validate config checksum"]
    I --> J["Use checksum as signature payload"]
    J --> K["Verify signature"]

    K --> L["RemoteConfigAPI"]
    L --> M["Parse full RCContainer"]
    M --> N["Return container + verification result"]

    O["RCContainer.ElementParser"]
    O -. "used by signing path" .-> H
    O -. "used by full container parser" .-> M

Loading

---

Note

High Risk
Changes security-critical response verification and remote config trust semantics; enforced mode can fail requests on bad or missing signatures, and the remote config callback type now includes verification outcome.

Overview
Enables backend response signature verification for the remote config endpoint and wires it through the existing HTTP signing pipeline without hard-coding RC Container logic in the generic client.

A new ResponseSignatureContextProvider on request paths supplies the signed response bytes and optional request body. Default endpoints still use the full response body and POST body; remote config uses RemoteConfigSignatureContextProvider, which signs the first element’s stored 24-byte config checksum (via a shared RCContainer.ElementParser), omits the request body from signing, and treats 204 No Content as a nil response message while still verifying headers.

Signing+ResponseVerification now builds the verify payload through that provider; payload derivation failures log and return .failed. Remote config is listed among paths that support verification (still no nonce). RemoteConfigAPI completions return RemoteConfigFetchResult (container + VerificationResult) instead of a bare optional container.

^{Reviewed by Cursor Bugbot for commit e633213. Bugbot is set up for automated code reviews on this repo. Configure here.}

[emerge-tools]

4 builds increased size

Name	Version	Download	Change	Install	Change	Approval
RevenueCat com.revenuecat.PaywallsTester	1.0 (1)	18.9 MB	⬆️ 7.8 kB (0.04%)	68.4 MB	⬆️ 34.0 kB (0.05%)	N/A
BinarySizeTest com.revenuecat.binary-size-test.local-source	1.0 (1)	4.4 MB	⬆️ 2.8 kB (0.07%)	13.1 MB	⬆️ 6.6 kB (0.05%)	N/A
BinarySizeTest com.revenuecat.binary-size-test.cocoapods	1.0 (1)	6.6 MB	⬆️ 4.0 kB (0.06%)	28.9 MB	⬆️ 15.2 kB (0.05%)	N/A
BinarySizeTest com.revenuecat.binary-size-test.spm	1.0 (1)	4.5 MB	⬆️ 4.4 kB (0.1%)	11.5 MB	⬆️ 7.2 kB (0.06%)	N/A

RevenueCat 1.0 (1)
com.revenuecat.PaywallsTester

⚖️ Compare build
⏱️ Analyze build performance

Total install size change: ⬆️ 34.0 kB (0.05%)
Total download size change: ⬆️ 7.8 kB (0.04%)

Largest size changes

Item	Install Size Change
DYLD.String Table	⬆️ 10.1 kB
DYLD.Exports	⬆️ 1.4 kB
Code Signature	⬆️ 832 B
Other	⬆️ 21.6 kB

View Treemap

BinarySizeTest 1.0 (1)
com.revenuecat.binary-size-test.local-source

⚖️ Compare build
📦 Install build
⏱️ Analyze build performance

Total install size change: ⬆️ 6.6 kB (0.05%)
Total download size change: ⬆️ 2.8 kB (0.07%)

Largest size changes

Item	Install Size Change
📝 RevenueCat.RCContainer.ElementParser.checksumString(in)	⬆️ 1.5 kB
🗑 RevenueCat.RCContainer.Parser.checksumString(in)	⬇️ -1.5 kB
📝 RevenueCat.RCContainer.ElementParser.base64URLString(in)	⬆️ 1.2 kB
🗑 RevenueCat.RCContainer.Parser.base64URLString(in)	⬇️ -1.2 kB
📝 RevenueCat.RemoteConfigFetchResult.value witness	⬆️ 984 B

View Treemap

BinarySizeTest 1.0 (1)
com.revenuecat.binary-size-test.cocoapods

⚖️ Compare build
📦 Install build
⏱️ Analyze build performance

Total install size change: ⬆️ 15.2 kB (0.05%)
Total download size change: ⬆️ 4.0 kB (0.06%)

Largest size changes

Item	Install Size Change
DYLD.String Table	⬆️ 5.1 kB
📝 RevenueCat.RCContainer.ElementParser.checksumString(in)	⬆️ 1.5 kB
🗑 RevenueCat.RCContainer.Parser.checksumString(in)	⬇️ -1.5 kB
📝 RevenueCat.RCContainer.ElementParser.base64URLString(in)	⬆️ 1.2 kB
🗑 RevenueCat.RCContainer.Parser.base64URLString(in)	⬇️ -1.2 kB

View Treemap

BinarySizeTest 1.0 (1)
com.revenuecat.binary-size-test.spm

⚖️ Compare build
📦 Install build
⏱️ Analyze build performance

Total install size change: ⬆️ 7.2 kB (0.06%)
Total download size change: ⬆️ 4.4 kB (0.1%)

Largest size changes

Item	Install Size Change
📝 RevenueCat.RCContainer.ElementParser.checksumString(in)	⬆️ 1.5 kB
🗑 RevenueCat.RCContainer.Parser.checksumString(in)	⬇️ -1.5 kB
📝 RevenueCat.RCContainer.ElementParser.base64URLString(in)	⬆️ 1.2 kB
🗑 RevenueCat.RCContainer.Parser.base64URLString(in)	⬇️ -1.2 kB
📝 RevenueCat.RemoteConfigFetchResult.value witness	⬆️ 984 B

View Treemap

---

🛸 Powered by Emerge Tools

[rickvdl]

@RCGitBot please test

[rickvdl]

Stack:

• Make LargeItemCache writes atomic #7081
• feat(remote-config): switch config request to v1 and send app user id #7080
• feat(remote-config): store inlined blobs to disk #7073
• refactor(remote-config): make rc container validation domain-specific #7074
• feat(remote-config): add RemoteConfigManager #7067
• feat(remote-config): add manifest disk persistence #7076
• feat(remote-config): verify RC container signatures #7046 👈 (current PR)
• main

[rickvdl]

@RCGitBot please test

[rickvdl]

@RCGitBot please test

[ajpallares]

Some initial comments! But looking great so far. I'll keep reviewing now...

[ajpallares]

Hmm seeing the khepri spec, I actually think that the signature in this case covers the request context:

Empty; the signature still covers the request context (api key, nonce, path, request time), so the response is replay- and tamper-evident.

So I think there's some signature verification to do here?

[rickvdl]

Good catch! I'll verify this

[rickvdl]

As discussed we've updated the implementation to verify the request signature as described in the spec, change here

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 008b656. Configure here.}

[rickvdl]

@RCGitBot please test

[rickvdl]

@RCGitBot please test

[rickvdl]

@RCGitBot please test

[rickvdl]

@RCGitBot please test

[tonidero]

This is looking great to me! Amazing job with that abstraction!

[ajpallares]

Thanks for iterating on this! Looks great!

[rickvdl]

@RCGitBot please test