Code Signing
Code signing creates digital signatures for bundles, which the client verifies before installation. This prevents an attacker in a man-in-the-middle position from substituting a modified bundle.
How It Works
First, the developer generates an asymmetric key pair: the private key is used for signing bundles; the public key for verifying bundle signatures. The Turbopush CLI then uses the private key to sign bundles during the release-react command. The public key is shipped with the mobile application. Key generation and management are entirely under the developer's control.
At the end of the release command, the CLI computes the bundle's content hash and places it in a JWT signed with the private key. When the Turbopush plugin downloads a bundle to a device, it reads the release file containing the JWT and validates the JWT's signature with the public key. If validation fails, the update is not installed.
Setup
- Update your app binary with the Turbopush SDK configured with your public key.
- Release updates with `--privateKeyPath` (or `-k`).
Note: Before releasing a signed update, make sure the target version of your app already includes the public key configuration. Otherwise, devices running older versions will not be able to install signed updates, because they cannot validate the signature.
Key Generation
```bash
openssl genrsa -out private.pem
openssl rsa -pubout -in private.pem -out public.pem
```
Releasing
```bash
npx turbopush release-react myapp-ios ios -k ./private.pem
```
FAQ
| Scenario | Result |
|---|---|
| Updated CLI but don't want code signing | No impact. Feature is optional. |
| Public key configured but forgot to sign release | Update rejected. Release again with private key. |
| Signed update but app has outdated/no public key | Update rejected. Ensure app has matching public key. |
| Lost private key | Generate new key pair, release new binary with new public key, then release updates with new private key. |