--- description: Sign Live Update bundles with an RSA key pair so your Capacitor or Cordova app only applies updates that come from you and haven't been tampered with. title: Sign Your Live Update Bundles - Capawesome image: https://capawesome.io/docs/assets/images/social/cloud/live-updates/code-signing.png --- [ Skip to content](#sign-your-bundles) [ 🔐 Introducing the **Capacitor Vault** plugin — store secrets behind biometrics or a device passcode.](/blog/announcing-the-capacitor-vault-plugin/) * [ SDKs ](/docs/sdks/) * [ Formbricks ](/docs/sdks/capacitor/formbricks/) * [ Geocoder ](/docs/sdks/capacitor/geocoder/) * [ Google Sign-In ](/docs/sdks/capacitor/google-sign-in/) * [ Grafana Faro ](/docs/sdks/capacitor/grafana-faro/) * [ libSQL ](/docs/sdks/capacitor/libsql/) * [ Live Update ](/docs/sdks/capacitor/live-update/) * [ Managed Configurations ](/docs/sdks/capacitor/managed-configurations/) * [ Media Session ](/docs/sdks/capacitor/media-session/) * [ ML Kit ](/docs/sdks/capacitor/mlkit/) * [ Navigation Bar ](/docs/sdks/capacitor/navigation-bar/) * [ NFC ](/docs/sdks/capacitor/nfc/) * [ OAuth ](/docs/sdks/capacitor/oauth/) * [ Pedometer ](/docs/sdks/capacitor/pedometer/) * [ Photo Editor ](/docs/sdks/capacitor/photo-editor/) * [ PostHog ](/docs/sdks/capacitor/posthog/) * [ Printer ](/docs/sdks/capacitor/printer/) * [ Purchases ](/docs/sdks/capacitor/purchases/) * [ RealtimeKit ](/docs/sdks/capacitor/realtimekit/) * [ Screen Orientation ](/docs/sdks/capacitor/screen-orientation/) * [ Screenshot ](/docs/sdks/capacitor/screenshot/) * [ Secure Preferences ](/docs/sdks/capacitor/secure-preferences/) * [ Speech Recognition ](/docs/sdks/capacitor/speech-recognition/) * [ Speech Synthesis ](/docs/sdks/capacitor/speech-synthesis/) * [ Share Target ](/docs/sdks/capacitor/share-target/) * [ Square Mobile Payments ](/docs/sdks/capacitor/square-mobile-payments/) * [ SQLite ](/docs/sdks/capacitor/sqlite/) * [ Superwall ](/docs/sdks/capacitor/superwall/) * [ Torch ](/docs/sdks/capacitor/torch/) * [ Vault ](/docs/sdks/capacitor/vault/) * [ Wifi ](/docs/sdks/capacitor/wifi/) * [ Zip ](/docs/sdks/capacitor/zip/) * [ Cordova ](/docs/sdks/cordova/) * [ Cloud ](/docs/cloud/) * [ Reduce Update Size ](/docs/cloud/live-updates/bundle-size/) * [ Self-Host Bundles ](/docs/cloud/live-updates/self-hosting/) * [ Manage Devices ](/docs/cloud/live-updates/devices/) * [ Integrations ](/docs/cloud/live-updates/integrations/) * Concepts * Reference * [ Troubleshooting ](/docs/cloud/live-updates/troubleshooting/) * [ FAQ ](/docs/cloud/live-updates/faq/) * [ Native Builds ](/docs/cloud/native-builds/) * [ Set Up Environments ](/docs/cloud/native-builds/environments/) * [ Overwrite Native Configurations ](/docs/cloud/native-builds/native-configurations/) * [ Auto-Increment Build Numbers ](/docs/cloud/native-builds/auto-incrementing-build-numbers/) * [ Configure the Web Build Script ](/docs/cloud/native-builds/web-build-script/) * [ Build from a Monorepo ](/docs/cloud/native-builds/monorepo/) * [ Use pnpm or Yarn ](/docs/cloud/native-builds/package-managers/) * [ Install Private npm Packages ](/docs/cloud/native-builds/npm-private-registry/) * [ Override the Java Version ](/docs/cloud/native-builds/override-java-version/) * [ Custom iOS Provisioning Profiles ](/docs/cloud/native-builds/custom-ios-provisioning-profiles/) * [ Build without Git ](/docs/cloud/native-builds/build-without-git/) * [ Access Git Behind a Firewall ](/docs/cloud/native-builds/firewall-access/) * [ Integrations ](/docs/cloud/native-builds/integrations/) * Reference * [ Troubleshooting ](/docs/cloud/native-builds/troubleshooting/) * [ FAQ ](/docs/cloud/native-builds/faq/) * [ App Store Publishing ](/docs/cloud/app-store-publishing/) * [ Submit a Build ](/docs/cloud/app-store-publishing/submit-a-build/) * [ Submit Automatically After a Build ](/docs/cloud/app-store-publishing/submit-automatically/) * [ Troubleshooting ](/docs/cloud/app-store-publishing/troubleshooting/) * [ FAQ ](/docs/cloud/app-store-publishing/faq/) * [ Automations ](/docs/cloud/automations/) * [ Reference ](/docs/cloud/automations/reference/) * [ Troubleshooting ](/docs/cloud/automations/troubleshooting/) * [ FAQ ](/docs/cloud/automations/faq/) * [ Assist ](/docs/cloud/assist/) * [ CLI ](/docs/cloud/cli/) * APIs and SDKs * [ Webhooks ](/docs/cloud/webhooks/) * [ Integrations ](/docs/cloud/integrations/) * Account * [ Organization ](/docs/cloud/organizations/) * [ Two-Factor Enforcement ](/docs/cloud/organizations/two-factor-authentication/) * [ Audit Logs ](/docs/cloud/organizations/audit-logs/) * [ Billing ](/docs/cloud/organizations/billing/) * [ License Keys ](/docs/cloud/license-keys/) * [ AI ](/docs/ai/) * [ Insiders ](/docs/insiders/) * [ Billing & Plans ](/docs/insiders/billing-and-plans/) * [ FAQ ](/docs/insiders/faq/) * [ License ](https://capawesome.io/legal/eula/) * [ Support ](/docs/support/) * [ Contributing ](/docs/contributing/) * Contributing code * [ Code of Conduct ](/docs/contributing/code-of-conduct/) * [ Questions ](https://docs.github.com/en/discussions/collaborating-with-your-community-using-discussions/participating-in-a-discussion#creating-a-discussion) * [ Blog ](/blog/) * Categories # Sign Your Bundles[¶](#sign-your-bundles "Permanent link") Code signing lets your app verify the **authenticity** and **integrity** of every Live Update before applying it — so only bundles you produced, unmodified, are ever installed. Even though delivery is over HTTPS, signing is defense in depth, and is required for [protected channels](/docs/cloud/live-updates/channels/#protected-channels). The mechanism is a standard RSA key pair: you sign each bundle with your **private** key when uploading, and your app verifies the signature with the embedded **public** key. ## Generate the key pair[¶](#generate-the-key-pair "Permanent link") Generate a key pair with the [Capawesome CLI](/docs/cloud/cli/): `[](#%5F%5Fcodelineno-0-1)npx @capawesome/cli apps:liveupdates:generatesigningkey ` This creates `private.pem` (keep it secret) and `public.pem`. You can customize the paths and key size: `[](#%5F%5Fcodelineno-1-1)npx @capawesome/cli apps:liveupdates:generatesigningkey --private-key-path=./keys/private.pem --public-key-path=./keys/public.pem --key-size=4096 ` Keep your private key safe Never commit your private key to version control — add `private.pem` to your `.gitignore`. ## Create a signed bundle[¶](#create-a-signed-bundle "Permanent link") Pass the private key with `--private-key` when uploading: `[](#%5F%5Fcodelineno-2-1)npx @capawesome/cli apps:liveupdates:upload --private-key private.pem ` ## Configure the public key[¶](#configure-the-public-key "Permanent link") Add the public key to your app's configuration so it can verify signatures. The `generatesigningkey` command prints the value preformatted (no line breaks) so you can paste it directly. CapacitorCordova capacitor.config.json `[](#%5F%5Fcodelineno-3-1){ [](#%5F%5Fcodelineno-3-2) "plugins": { [](#%5F%5Fcodelineno-3-3) "LiveUpdate": { [](#%5F%5Fcodelineno-3-4) "publicKey": "-----BEGIN PUBLIC KEY-----MIGf...IDAQAB-----END PUBLIC KEY-----" [](#%5F%5Fcodelineno-3-5) } [](#%5F%5Fcodelineno-3-6) } [](#%5F%5Fcodelineno-3-7)} ` config.xml `[](#%5F%5Fcodelineno-4-1) ` From now on, your app verifies every downloaded bundle and refuses to apply anything not signed by your private key. We strongly recommend enabling code signing in production, especially if you operate multiple channels or [self-host](/docs/cloud/live-updates/self-hosting/) your bundles. No line breaks The public key value must **not** contain line breaks. The CLI formats it correctly, so copy it directly from the output. ## Bonus: Video Walkthrough[¶](#bonus-video-walkthrough "Permanent link") June 8, 2026 Back to top