[Service] Ignore .codepushrelease when computing package hash

DmitriyKirakosyan · lucen-ms · commit fac126c887e4 · 2024-12-23T15:39:02.000+01:00
This change fixes the error: CodePushInvalidUpdateException: The update
contents failed the data integrity check.
diff --git a/api/script/utils/hash-utils.ts b/api/script/utils/hash-utils.ts
@@ -28,6 +28,8 @@ try {
 import Promise = q.Promise;
 const HASH_ALGORITHM = "sha256";
 
+const CODEPUSH_METADATA = '.codepushrelease';
+
 export function generatePackageHashFromDirectory(directoryPath: string, basePath: string): Promise<string> {
   if (!fs.lstatSync(directoryPath).isDirectory()) {
     throw new Error("Not a directory. Please either create a directory, or use hashFile().");
@@ -187,7 +189,14 @@ export class PackageManifest {
   public computePackageHash(): Promise<string> {
     let entries: string[] = [];
     this._map.forEach((hash: string, name: string): void => {
-      entries.push(name + ":" + hash);
+      // .codepushrelease (relates to code signing feature) file
+      // should not be skipped in isIgnored() method.
+      // But to be equal with hashes computed in SDKs and CLI this file
+      // should be skipped when computing whole package hash
+
+      if (name !== CODEPUSH_METADATA && !endsWith(name, '/' + CODEPUSH_METADATA)) {
+        entries.push(name + ':' + hash);
+      }
     });
 
     // Make sure this list is alphabetically ordered so that other clients
diff --git a/cli/README.md b/cli/README.md
@@ -772,3 +772,60 @@ code-push-standalone deployment clear <appName> <deploymentName>
 ```
 
 After running this command, client devices configured to receive updates using its associated deployment key will no longer receive the updates that have been cleared. This command is irreversible, and therefore should not be used in a production deployment.
+
+## Code Signing for CodePush
+
+Code Signing ensures that updates deployed via CodePush are secure and verified. Follow these steps to set up Code Signing:
+
+### 1. Generate a Signing Key
+
+**Create private and public keys using OpenSSL:**
+
+```shell
+# generate private RSA key and write it to private.pem file
+openssl genrsa -out private.pem
+
+# export public key from private.pem into public.pem
+openssl rsa -pubout -in private.pem -out public.pem
+```
+
+### 2. Configure CodePush CLI
+
+**Specify the path to your private key when releasing updates:**
+
+```shell
+code-push-standalone release-react <appName> <platform> --privateKeyPath private.pem
+```
+
+### 3. Configure Your App
+
+#### iOS
+
+**Add the public key to your `Info.plist`:**
+
+- Open your `Info.plist` file.
+- Add a new entry:
+
+    ```xml
+    <key>CodePushPublicKey</key>
+    <string>-----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
+    -----END PUBLIC KEY-----</string>
+    ```
+
+Replace the placeholder with the actual contents of your `public.pem` file.
+
+#### Android
+
+**Add the public key to your `strings.xml`:**
+
+- Open `res/values/strings.xml`.
+- Add the following entry:
+
+    ```xml
+    <string name="CodePushPublicKey">-----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
+    -----END PUBLIC KEY-----</string>
+    ```
+
+Replace the placeholder with the actual contents of your `public.pem` file.
