Guide: Update Signing
By default, JWrapper doesn't try to authenticate your updates. This means that, for security reasons, it's best to use SSL for your update URL. This authenticates your website as being who it says it is and means that an installed app will only download updates from a site which SSL certificate authorities have authorised as being your site.
Unfortunately, SSL certificate authorities leave a lot to be desired. There have been various breaches in the past years which have greatly diminished the security of the SSL certificate system. This, plus the additional cost of purchasing and maintaining an SSL certificate and SSL web access for your site, makes it an option only when necessary.
Secure Authorised Updates Only
JWrapper allows you to authorise all your app updates in a much simpler, more cost-effective and more secure way. Add just one line to your JWrapper build XML:
<DigitalSignatureKeys mayCreate='yes'>../path/to/mykeystore.keys</DigitalSignatureKeys>
JWrapper will automatically create or load a very high strength and 100% private 4096-bit RSA key pair to represent you as an author. This key pair is then used in combination with similarly high strength SHA-3 and SHA-256 hashing to sign all your app updates with your private key.
Once you have run a build and JWrapper has created your RSA keys, you can back them up, keep them private and use them in any future builds.
When your app is built with this option and downloaded, it will require that any updates (either downloads of the current version for the Online build or future downloads of new versions) also be signed with your unique key. Any updates that aren't signed with your secure keys will be refused and ignored, meaning you will have sole authority to issue new updates to your installed app base, with or without SSL.
The mayCreate='yes' option allows JWrapper to create a new key pair for you if you don't already have one. Once you have your key pair and have backed it up, you can change this to 'no' to ensure JWrapper will produce an error if your keys are missing in a future build rather than creating a new key pair.
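The refusal behaviour described above, as an added example using the standard Java security API. It is not JWrapper's own code: the class and method names are hypothetical, JWrapper's actual signature format is not documented on this page, and the sketch uses SHA-256 with RSA only rather than the SHA-3 and SHA-256 combination JWrapper describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added illustration (hypothetical names): an installed app that pins the
// author's public key and refuses any update not signed by the matching private key.
public class PinnedUpdateCheck {

    // Build side: sign the update bytes with the author's private key.
    static byte[] sign(PrivateKey authorKey, byte[] update) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(authorKey);
        s.update(update);
        return s.sign();
    }

    // Client side: fail closed. Missing, malformed or mismatched signatures are all refused.
    static boolean accept(PublicKey pinnedKey, byte[] update, byte[] sig) {
        if (update == null || sig == null) return false; // unsigned update
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(pinnedKey);
            s.update(update);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // e.g. signature of the wrong length
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(4096); // key size named in the guide; generation takes a few seconds
        KeyPair author = gen.generateKeyPair();
        KeyPair someoneElse = gen.generateKeyPair();

        // Constructed sample payload standing in for an update file.
        byte[] update = "constructed update payload v2".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(author.getPrivate(), update);

        byte[] tampered = update.clone();
        tampered[0] ^= 1; // a single flipped bit invalidates the signature

        System.out.println("author-signed:    " + accept(author.getPublic(), update, sig));
        System.out.println("tampered payload: " + accept(author.getPublic(), tampered, sig));
        System.out.println("other signer:     "
                + accept(author.getPublic(), update, sign(someoneElse.getPrivate(), update)));
        System.out.println("unsigned:         " + accept(author.getPublic(), update, null));
    }
}
```

Only the first check is accepted. Because the trust decision depends solely on the pinned public key, it holds regardless of which server or transport delivered the update.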