New CodePush Feature - Code Signing
14 Sep 2017 - by
You asked for it and now you’ve got it: it’s our pleasure to announce the release of the code signing feature today! Code signing lets developers sign application bundles and, on download, verify that these bundles haven’t been tampered with. Code signing can also be used to validate your identity. We take security seriously and we know that you do too.
How it works
First, you’ll generate an asymmetric key pair: the private key will be used for signing bundles; the public key for bundle signature verification. The CodePush cli then uses the private key to sign bundles during the release and release-react commands. The public key is shipped with the mobile application. Control over the generation and management of keys is in the hands of the developer.
At the end of the release command, the cli computes the bundle’s content hash and places this value into a JWT signed with the private key. When the CodePush plugin downloads a bundle to a device, it checks the .codepushrelease file containing the JWT and validates the JWT signature using the public key. If validation fails, the update is not installed.
Moving Forward
Being a part of the open source community means that the CodePush team thrives on collaboration with our end users. This feature is a very important addition to CodePush and we would like your help to perfect it. Feel free to send suggestions to our email, ping us in the #code-push channel on Reactiflux (or React Native), or reach out via Twitter. We look forward to you testing out this new feature and we welcome any feedback!
More information regarding Code Signing can be found here.