Skip to content

Code Signing

Code signing is a security feature that allows you to verify the authenticity (1) and integrity (2) of your code. This is especially important when you are distributing your code to others, as it ensures that the code has not been tampered with or altered in any way.

  1. Authenticity means that the code comes from a trusted source and has not been tampered with.
  2. Integrity means that the code has not been corrupted during the download process.

Generate the key pair

To sign your code, you will need a key pair consisting of a private key and a public key. The private key is used to sign the code and should be kept secret, while the public key is used to verify the signature and can be shared with others.

You can generate a key pair using the openssl command-line tool. First, generate the private key:

openssl genrsa -out keypair.pem 2048

This will create a private key file called keypair.pem with a key length of 2048 bits. Make sure to keep this file secure and do not share it with others.

Next, extract the public key from the private key:

openssl rsa -in keypair.pem -pubout -out publickey.crt

This will create a public key file called publickey.crt.

Create a signed bundle

To create a signed bundle on Capawesome Cloud, simply provide the path to the private key file using the --private-key option when creating the bundle using the Capawesome CLI:

npx capawesome apps:bundles:create --private-key keypair.pem

This will sign the bundle with the private key and upload it to the Capawesome Cloud.

Configure the plugin

To verify the signed bundle in your app, you will need to configure the Capacitor Live Update plugin with the public key. This can be done in the Capacitor Configuration file:

{
  "plugins": {
    "LiveUpdate": {
      "publicKey": "-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDodf1SD0OOn6hIlDuKBza0Ed0OqtwyVJwiyjmE9BJaZ7y8ZUfcF+SKmd0l2cDPM45XIg2tAFux5n29uoKyHwSt+6tCi5CJA5Z1/1eZruRRqABLonV77KS3HUtvOgqRLDnKSV89dYZkM++NwmzOPgIF422mvc+VukcVOBfc8/AHQIDAQAB-----END PUBLIC KEY-----"
    }
  }
}

If the plugin now downloads a bundle from the Capawesome Cloud, it will verify the signature using the public key and only apply the update if the signature is valid. This way, you can ensure that your app only receives updates that have been signed with your private key.