fix(server): restore cache response signatures

Metadata

Source

tuist/tuist #11026

Updated

Jun 24, 2026

Domains

Kura

Details

Summary

Restore x-tuist-signature on central Tuist cache responses when the request carries a cache hash.
Add controller coverage for signed cache download and cache action item responses.

Why

Zillow reported cache downloads failing with Invalid or missing signature from cache server. CLI 4.193.4 still verifies cache responses with SignatureVerifierMiddleware, but PR #10899 removed response signing from the central cache controller. Unsigned responses are rejected by those clients even when the cache artifact itself is valid.

Root Cause

The central Tuist cache API stopped emitting x-tuist-signature for hash-addressed cache responses while signed-response clients were still in use.

Validation

mix test test/tuist_web/controllers/api/cache_controller_test.exs
git diff --check HEAD~1

Comments

TA

tuist-atlas[bot] Jun 3, 2026

The cache response signatures fix is now available in server@1.204.0. Update to use this fix.

TA

tuist-atlas[bot] Jun 5, 2026

The changes from this PR are now available in release xcresult-processor-image@0.11.0. Cache response signatures have been restored.