Skip to content
Capgo

Encrypted Bundles

End-to-end Encryption

Section titled “End-to-end Encryption”

Starting with version 4.15.0 the plugin allows you to send encrypted updates.

Step 1: Create a private key

Section titled “Step 1: Create a private key”
Create a private key
npx @capgo/cli key create

Step 2: Create and zip your bundle

Section titled “Step 2: Create and zip your bundle”
Create bundle zip with checksum
npx @capgo/cli bundle zip [appId] --key-v2 --json

The --key-v2 flag uses the new encryption system with better checksums, and the --json flag will output the bundle information including the checksum that you’ll need for encryption.

Step 3: Encrypt your bundle

Section titled “Step 3: Encrypt your bundle”
Encrypt bundled zip with checksum
npx @capgo/cli encrypt [path/to/zip] [checksum]

The checksum parameter is the SHA256 checksum generated by the zip command in step 2. The encrypt command will return an ivSessionKey and generate an encrypted checksum.Remember to rename ivSessionKey key as session_key in the update payload.

Step 4: Use in your update payload

Section titled “Step 4: Use in your update payload”
{
"version": "1.2.3",
"url": "https://myserver.com/app/updates/my-new-app-2.0.0.zip",
"session_key": "encrypted_session_key",
"checksum": "encrypted_checksum_from_encrypt_command"
}

The session_key is the ivSessionKey returned by the encrypt command, and the checksum is the encrypted checksum generated during encryption (not the original checksum from the zip command).

Then your app will be able to use the private key to decrypt the session_key and use the decrypted session_key to decrypt the update. The encrypted checksum ensures bundle integrity verification.

Learn More

Section titled “Learn More”
End-to-End Encryption Guide Deep dive into how Capgo's encryption system works with RSA + AES cryptography
Self-hosted Live Updates Complete workflow for setting up self-hosted updates