Guidepoint: Enhancement - Bundle Integrity Check #1992
JohnathanWhite merged 3 commits into bitpay:master from
Conversation
8520ea0 to 5c9d90d
cmgustavo
left a comment
LGTM! 👍🏼
DEV is skipped (normal build)
PROD requires RN_BUNDLE_HASH
Pull request overview
Adds a React Native bundle integrity check to detect tampering by hashing the shipped JS bundle at build time and verifying it at runtime on iOS and Android.
Changes:
- iOS: add a build-phase script to compute SHA-256 for `main.jsbundle` and inject it into the built `Info.plist`; verify at launch in `AppDelegate`.
- Android: add a verifier that hashes `index.android.bundle` at runtime; attempt to compute/write a build-time hash via Gradle and compare against `BuildConfig`.
- Add `RNBundleHash` to iOS `Info.plist` and wire early verification in Android `MainActivity`.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| ios/scripts/inject-bundle-hash.sh | New build-phase script to compute bundle SHA-256 and write it into the built Info.plist. |
| ios/Podfile | Adds an Xcode build phase via CocoaPods to run the hash injection script. |
| ios/BitPayApp/Info.plist | Adds RNBundleHash key intended to hold the expected hash. |
| ios/BitPayApp/AppDelegate.swift | Computes SHA-256 of the bundled JS and blocks launch on mismatch. |
| android/app/src/main/java/com/bitpay/wallet/MainActivity.kt | Runs integrity verification before continuing app initialization. |
| android/app/src/main/java/com/bitpay/wallet/BundleIntegrityVerifier.kt | New Android implementation of bundle hashing + comparison + blocking UI. |
| android/app/build.gradle | Adds RN_BUNDLE_HASH BuildConfig field and a task hook to compute/write the bundle hash post-bundle. |
Comments suppressed due to low confidence (1)
ios/Podfile:38
- There appears to be an extra `end` at line 93. `target 'BitPayApp' do` should only need a single corresponding `end`; the additional `end` will break Podfile parsing or close an outer block unexpectedly. Remove the superfluous `end` (or adjust block structure so the number of `do`/`end` pairs matches).

```ruby
target 'BitPayApp' do
```
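The two-phase scheme the review overview describes (hash the shipped bundle at build time, store the digest in `Info.plist`, recompute and compare at launch) as an added, self-contained Python example; it is not code from this PR or from the bitpay wallet. The `RNBundleHash` key and the `main.jsbundle` name come from the PR; the paths, the `prod_build` flag, the function names and the tiny sample bundle are constructed for this illustration. It also shows the policy cmgustavo summarises (a DEV build without an injected hash is skipped, a PROD build without one fails) and uses a constant-time comparison for the digests.

```python
"""Build-time hash injection and launch-time verification for a React Native
JS bundle. Added example modelled on the scheme in PR #1992, not the PR's code.
Assumptions: RNBundleHash is the plist key (from the PR); file paths, the
prod_build flag, function names and sample content are constructed here."""
import hashlib
import hmac
import plistlib
import tempfile
from pathlib import Path

BUNDLE_HASH_KEY = "RNBundleHash"  # key the PR adds to Info.plist


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 (bundles can be several MB)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inject_bundle_hash(bundle: Path, plist: Path) -> str:
    """Build-phase step: hash the shipped bundle, write it into the built plist."""
    digest = sha256_of_file(bundle)
    with plist.open("rb") as f:
        data = plistlib.load(f)
    data[BUNDLE_HASH_KEY] = digest
    with plist.open("wb") as f:
        plistlib.dump(data, f)
    return digest


def verify_bundle(bundle: Path, plist: Path, prod_build: bool) -> bool:
    """Launch-time step. Returns True when the app may continue.
    No injected hash: DEV builds are skipped, PROD builds are refused."""
    with plist.open("rb") as f:
        expected = plistlib.load(f).get(BUNDLE_HASH_KEY)
    if not expected:
        return not prod_build
    actual = sha256_of_file(bundle)
    # constant-time compare so timing does not reveal matching prefixes
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Create a constructed app dir, inject, verify, then modify and re-verify."""
    root = Path(tempfile.mkdtemp())
    bundle = root / "main.jsbundle"
    plist = root / "Info.plist"
    bundle.write_bytes(b"__d(function(){console.log('hello')});\n")  # constructed bundle
    with plist.open("wb") as f:
        plistlib.dump({"CFBundleIdentifier": "com.example.app"}, f)  # constructed plist

    results = {}
    results["dev_without_hash"] = verify_bundle(bundle, plist, prod_build=False)
    results["prod_without_hash"] = verify_bundle(bundle, plist, prod_build=True)
    results["digest"] = inject_bundle_hash(bundle, plist)
    results["prod_intact"] = verify_bundle(bundle, plist, prod_build=True)
    # simulate a post-build modification of the shipped bundle
    with bundle.open("ab") as f:
        f.write(b"// modified after build\n")
    results["prod_modified"] = verify_bundle(bundle, plist, prod_build=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints `dev_without_hash: True`, `prod_without_hash: False`, the injected digest, `prod_intact: True` and `prod_modified: False`. The expected digest lives in the app's own Info.plist, so this check detects accidental or post-build modification of the bundle; it does not defend against someone who can rewrite both the bundle and the plist, which is why it sits alongside, not instead of, platform code signing.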
acdd8c2 to 0f2ad47
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
gabrielbazan7
left a comment
Tested on Android emulator and iOS simulator; tampered the bundle on both, and the security warning showed up correctly.
GP-12