Encrypted Bundles
End-to-end Encryption
Starting with version 4.15.0 the plugin allows you to send encrypted updates.
Step 1: Create a private key
npx @capgo/cli key create
Step 2: Create and zip your bundle
npx @capgo/cli bundle zip [appId] --key-v2 --json
The --key-v2
flag uses the new encryption system with better checksums, and the --json
flag will output the bundle information including the checksum that you’ll need for encryption.
Step 3: Encrypt your bundle
npx @capgo/cli encrypt [path/to/zip] [checksum]
The checksum
parameter is the SHA256 checksum generated by the zip command in step 2. The encrypt command will return an ivSessionKey
and generate an encrypted checksum.
Step 4: Use in your update payload
{"version": "1.2.3","url": "https://myserver.com/app/updates/my-new-app-2.0.0.zip","session_key": "encrypted_session_key","checksum": "encrypted_checksum_from_encrypt_command"}
The session_key
is the ivSessionKey
returned by the encrypt command, and the checksum
is the encrypted checksum generated during encryption (not the original checksum from the zip command).
Then your app will be able to use the private key to decrypt the session_key
and use the decrypted session_key
to decrypt the update. The encrypted checksum ensures bundle integrity verification.