At present JWrapper doesn't sign updates for apps, which means we recommend everyone distribute them over HTTPS so that the website's authenticity is verified before the update is downloaded.
Recently, though, SSL has had some major problems which have put some dents in it and may have left sites compromised even after everyone has updated. Further, SSL has always been a pain to set up and use: jumping through hoops to get a certificate, paying for it (with sky-high prices for the newer EV certificates) and then installing it properly on your web server, if you even have that option.
But since we are in the business of making developers' lives easier, and since it's been requested on our forums, this has been an important feature for us to add to JWrapper. As ever, we wanted to make it as simple and easy to use as possible. Therefore, in the upcoming release you will be able to add this one line to your builds to get JWrapper to automatically and securely generate a 4096-bit RSA key pair with which to sign your builds. The key pair will be saved into a keystore file that you specify, and you can then copy it around to other builds to have them use the same authentication:
When specified, JWrapper will load or create these keys, then sign all updates you create using a combined SHA256 and SHA3 hash and your RSA 4096 keys. The public key will be embedded in your app installer (or update, if you are just releasing a new version rather than a new app) and will be used to verify all future updates of your app. On Windows and Mac, if you are producing OS-signed code, the public key will be embedded in a part of your app that is signed, to give you further protection.
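The sign-then-verify flow described above can be sketched with the standard `java.security` API. This is an added example, not JWrapper's own code: it assumes that "combined" means concatenating the SHA-256 and SHA3-256 digests and that the result is signed with `SHA256withRSA`, and the class and method names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added illustration; the digest-combining scheme is an assumption, not JWrapper's documented format.
public class UpdateSignatureDemo {
    // Concatenate SHA-256 and SHA3-256 of the update: a substituted update would
    // need to collide under both hash functions at once to keep the same digest.
    static byte[] combinedDigest(byte[] update) throws GeneralSecurityException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (String alg : new String[] {"SHA-256", "SHA3-256"}) { // SHA3-256 needs Java 9+
            byte[] d = MessageDigest.getInstance(alg).digest(update);
            out.write(d, 0, d.length);
        }
        return out.toByteArray();
    }

    // Build side: sign the combined digest with the developer's private key.
    static byte[] sign(byte[] update, PrivateKey priv) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(combinedDigest(update));
        return s.sign();
    }

    // Client side: accept the update only if it verifies against the public key shipped in the app.
    static boolean verify(byte[] update, byte[] sig, PublicKey pinned) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pinned);
        s.update(combinedDigest(update));
        try { return s.verify(sig); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(4096); // key size named in the post; generation takes a few seconds
        KeyPair developer = gen.generateKeyPair();
        KeyPair unrelated = gen.generateKeyPair(); // stands in for any key that is not the pinned one
        byte[] update = "constructed sample update payload v2".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(update, developer.getPrivate());
        byte[] tampered = update.clone();
        tampered[0] ^= 1; // a single flipped bit in transit
        boolean genuine = verify(update, sig, developer.getPublic());
        boolean modified = verify(tampered, sig, developer.getPublic());
        boolean wrongKey = verify(update, sign(update, unrelated.getPrivate()), developer.getPublic());
        System.out.println("genuine=" + genuine + " modified=" + modified + " wrongKey=" + wrongKey);
        if (!genuine || modified || wrongKey) throw new IllegalStateException("unexpected verification result");
    }
}
```

Because the client trusts only the key already embedded in the installed app, neither a modified download nor an update signed with a different key is accepted, regardless of how the file was transported.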
Because the key pair generated is 100% private and local to you, you don't have to go and buy a code signing certificate from an issuing authority for hundreds of dollars. Similarly, because there is no issuing authority that can be compromised, you don't need to worry about an SSL provider somewhere being hacked and issuing a fraudulent certificate to impersonate you. As long as your keys are safe, you can be confident that only you can issue updates that will be accepted by your app.