At our demo repo on GitHub you can find "push-notifications" branch. There is sample of how to decrypt messages, received in background. Please, focus on Notification Extension target.
To setup up notifications, you can use Firebase Cloud Messaging.
Note, that since this version of demo uses UID as identities of users, those UIDs are saved at Firestore database and push notification contains UID of the receiver. Moreover, Firestore User entity now has "registration_token" field. Server side (function) needs that token to deliver messages to separate device(s). It's described here.
Firebase also provide sending notifications by topics (follow the link).
The last step is creating Notification Service Extension as a new target of a project. It helps to catch, decrypt and change notification body to decrypted texts. The example of it you can find here.
Note that to retrieve receiver's key from a keychain, the Keychain Sharing capability must be turned on at both targets and contains the same keychain group.
This example contains decryption, but not verifying, since it needs sender's card. Making search on every notification is obviously inconvenient, so some shared storage with cached is needed.
P.S.: Here we fully described a decryption process, but still have some issues with notification managing (e.g. user has only one registration token per account and messages are received by any account on device).