Skip to content

Sign Your Bundles

Code signing lets your app verify the authenticity and integrity of every Live Update before applying it — so only bundles you produced, unmodified, are ever installed. Even though delivery is over HTTPS, signing is defense in depth, and is required for protected channels.

The mechanism is a standard RSA key pair: you sign each bundle with your private key when uploading, and your app verifies the signature with the embedded public key.

Generate the key pair

Generate a key pair with the Capawesome CLI:

npx @capawesome/cli apps:liveupdates:generatesigningkey

This creates private.pem (keep it secret) and public.pem. You can customize the paths and key size:

npx @capawesome/cli apps:liveupdates:generatesigningkey --private-key-path=./keys/private.pem --public-key-path=./keys/public.pem --key-size=4096

Keep your private key safe

Never commit your private key to version control — add private.pem to your .gitignore.

Create a signed bundle

Pass the private key with --private-key when uploading:

npx @capawesome/cli apps:liveupdates:upload --private-key private.pem

Configure the public key

Add the public key to your app's configuration so it can verify signatures. The generatesigningkey command prints the value preformatted (no line breaks) so you can paste it directly.

capacitor.config.json
{
  "plugins": {
    "LiveUpdate": {
      "publicKey": "-----BEGIN PUBLIC KEY-----MIGf...IDAQAB-----END PUBLIC KEY-----"
    }
  }
}
config.xml
<preference name="PUBLIC_KEY" value="-----BEGIN PUBLIC KEY-----MIGf...IDAQAB-----END PUBLIC KEY-----" />

From now on, your app verifies every downloaded bundle and refuses to apply anything not signed by your private key. We strongly recommend enabling code signing in production, especially if you operate multiple channels or self-host your bundles.

No line breaks

The public key value must not contain line breaks. The CLI formats it correctly, so copy it directly from the output.

Bonus: Video Walkthrough