Sign Your Bundles¶
Code signing lets your app verify the authenticity and integrity of every Live Update before applying it — so only bundles you produced, unmodified, are ever installed. Even though delivery is over HTTPS, signing is defense in depth, and is required for protected channels.
The mechanism is a standard RSA key pair: you sign each bundle with your private key when uploading, and your app verifies the signature with the embedded public key.
Generate the key pair¶
Generate a key pair with the Capawesome CLI:
This creates private.pem (keep it secret) and public.pem. You can customize the paths and key size:
npx @capawesome/cli apps:liveupdates:generatesigningkey --private-key-path=./keys/private.pem --public-key-path=./keys/public.pem --key-size=4096
Keep your private key safe
Never commit your private key to version control — add private.pem to your .gitignore.
Create a signed bundle¶
Pass the private key with --private-key when uploading:
Configure the public key¶
Add the public key to your app's configuration so it can verify signatures. The generatesigningkey command prints the value preformatted (no line breaks) so you can paste it directly.
From now on, your app verifies every downloaded bundle and refuses to apply anything not signed by your private key. We strongly recommend enabling code signing in production, especially if you operate multiple channels or self-host your bundles.
No line breaks
The public key value must not contain line breaks. The CLI formats it correctly, so copy it directly from the output.