Skip to content

Encrypted Bundles

End-to-end Encryption

Starting with version 4.15.0 the plugin allows you to send encrypted updates.

Step 1: Create a private key

Create a private key
npx @capgo/cli key create

Step 2: Create and zip your bundle

Create bundle zip with checksum
npx @capgo/cli bundle zip [appId] --key-v2 --json

The --key-v2 flag uses the new encryption system with better checksums, and the --json flag will output the bundle information including the checksum that you’ll need for encryption.

Step 3: Encrypt your bundle

Encrypt bundled zip with checksum
npx @capgo/cli encrypt [path/to/zip] [checksum]

The checksum parameter is the SHA256 checksum generated by the zip command in step 2. The encrypt command will return an ivSessionKey and generate an encrypted checksum.

Step 4: Use in your update payload

{
"version": "1.2.3",
"url": "https://myserver.com/app/updates/my-new-app-2.0.0.zip",
"session_key": "encrypted_session_key",
"checksum": "encrypted_checksum_from_encrypt_command"
}

The session_key is the ivSessionKey returned by the encrypt command, and the checksum is the encrypted checksum generated during encryption (not the original checksum from the zip command).

Then your app will be able to use the private key to decrypt the session_key and use the decrypted session_key to decrypt the update. The encrypted checksum ensures bundle integrity verification.

Learn More