Code Signing
Code signing is a security feature that allows you to verify the authenticity and integrity of your code. This is especially important when you are distributing your code to others, as it ensures that the code has not been tampered with or altered in any way.
- Authenticity means that the code comes from a trusted source (the holder of the private key) and has not been tampered with.
- Integrity means that the code has not been corrupted or altered during the download process.
Generate the key pair
To sign your code, you will need a key pair consisting of a private key and a public key. The private key is used to sign the code and should be kept secret, while the public key is used to verify the signature and can be shared with others.
You can generate a key pair using the `apps:liveupdates:generatesigningkey` command of the Capawesome CLI:
This will create two files:
- private.pem: Your private key file (2048-bit RSA key by default). Keep this file secure and do not share it with others.
- public.pem: Your public key file that will be used to verify bundle signatures.
You can optionally specify custom paths and key size:
```
npx @capawesome/cli apps:liveupdates:generatesigningkey --private-key-path=./keys/private.pem --public-key-path=./keys/public.pem --key-size=4096
```
Keep Your Private Key Safe
Make sure to keep your private key file secure and never commit it to version control. Add it to your .gitignore file to prevent accidental commits.
Create a signed bundle
To create a signed bundle on Capawesome Cloud, simply provide the path to the private key file using the --private-key option when creating the bundle using the Capawesome CLI:
This will sign the bundle with the private key and upload it to the Capawesome Cloud.
Configure the plugin
To verify the signed bundle in your app, you will need to configure the Capacitor Live Update plugin with the public key. This can be done in the Capacitor Configuration file.
When you generate the key pair using the CLI, the command automatically outputs the configuration in the correct format:
```json
{
  "plugins": {
    "LiveUpdate": {
      "publicKey": "-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDodf1SD0OOn6hIlDuKBza0Ed0OqtwyVJwiyjmE9BJaZ7y8ZUfcF+SKmd0l2cDPM45XIg2tAFux5n29uoKyHwSt+6tCi5CJA5Z1/1eZruRRqABLonV77KS3HUtvOgqRLDnKSV89dYZkM++NwmzOPgIF422mvc+VukcVOBfc8/AHQIDAQAB-----END PUBLIC KEY-----"
    }
  }
}
```
Simply copy this configuration from the CLI output and merge it into your existing Capacitor Configuration file.
If the plugin now downloads a bundle from the Capawesome Cloud, it will verify the signature using the public key and only apply the update if the signature is valid. This way, you can ensure that your app only receives updates that have been signed with your private key.
No Line Breaks Required
The publicKey value should NOT contain any line breaks. The CLI command automatically formats the publicKey value without line breaks, so you can copy and paste it directly from the output into your configuration.