feat(CodeSigningPlugin): multiple public keys support #1382

Open
MikitasK wants to merge 11 commits into callstack:main from MikitasK:feat/multiple-public-keys

MikitasK commented Apr 21, 2026

Summary

Closes #826

The PR adds support for passing a per-script publicKey through ScriptManager resolver output, so signed bundles can be verified with a runtime-provided public key instead of only the app-embedded RepackPublicKey.

This solves the multi-team / multi-miniapp use case described in the issue:

  • different teams can sign bundles with different private keys
  • the host app can fetch the matching public key for a given script from its backend
  • Re.Pack verifies that script with the provided key
  • when publicKey is omitted, existing behavior is preserved and Re.Pack falls back to RepackPublicKey

Implementation notes:

  • adds optional publicKey string to ScriptLocator
  • threads it through JS normalization & native ScriptManager on Android and iOS
  • keeps existing verifyScriptSignature: 'strict' | 'lax' | 'off' behavior intact
  • includes cache metadata updates so changing publicKey invalidates the cached script config
  • adds docs/examples for the new resolver pattern

Test plan

  1. Run automated checks:
       pnpm --filter @callstack/repack typecheck
       pnpm --filter @callstack/repack test -- --watchman=false ScriptManager.test.ts
  2. Manually verify the change with a local test app by returning publicKey from a ScriptManager resolver together with verifyScriptSignature: 'strict'
  3. Confirm that a valid publicKey allows the signed bundle to load on iOS and Android
  4. Confirm that an invalid publicKey fails verification on iOS and Android
  5. Confirm that omitting publicKey still uses the existing RepackPublicKey fallback behavior

Recordings

Android

android.mp4

iOS

ios.mp4

JS side publicKey validation (both platforms)

Screen.Recording.2026-04-22.at.16.08.28.mp4
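
The key selection, strict verification and cache invalidation outlined in the description above, modelled in plain Node.js as an added example; it is not code from this PR or from Re.Pack. The signature scheme (RSA-SHA256 over the raw bundle bytes), the fingerprint-based cache check, the sample URL and all function names are assumptions made for the model.

```javascript
// Added example: models the key selection in the PR description. Not Re.Pack code.
const crypto = require('node:crypto');

// Constructed RSA key pairs: one stands in for the app-embedded RepackPublicKey,
// the others for keys a backend would hand out per team.
const newKeyPair = () =>
  crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
const embedded = newKeyPair();
const teamA = newKeyPair();
const teamB = newKeyPair();

// Assumed signature scheme for this model: RSA-SHA256 over the raw bundle bytes.
const signBundle = (bundle, privateKey) => crypto.sign('sha256', bundle, privateKey);

// A per-script publicKey wins; when it is omitted, fall back to the embedded key.
const selectKey = (locator) => locator.publicKey ?? embedded.publicKey;

// 'strict' behaviour only: a missing or non-matching signature rejects the script.
function verifyStrict(locator, bundle, signature) {
  if (!signature) return false;
  try {
    return crypto.verify('sha256', bundle, selectKey(locator), signature);
  } catch {
    return false; // a malformed key is treated as a verification failure
  }
}

// The cached config records which key it was verified under, so a changed key
// (including a switch to or from the fallback) forces re-verification.
const keyFingerprint = (locator) =>
  crypto.createHash('sha256').update(selectKey(locator)).digest('hex');
const cacheStillValid = (cached, locator) =>
  cached.url === locator.url && cached.keyFingerprint === keyFingerprint(locator);

// Constructed sample: a bundle signed by team A, served from a placeholder URL.
const bundle = Buffer.from('constructed mini-app bundle');
const signatureA = signBundle(bundle, teamA.privateKey);
const url = 'https://example.invalid/teamA.bundle';
```
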

vercel Bot commented Apr 21, 2026

@MikitasK is attempting to deploy a commit to the Callstack Team on Vercel.

A member of the Team first needs to authorize it.

changeset-bot Bot commented Apr 21, 2026

🦋 Changeset detected

Latest commit: a8b4038

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages
Name Type
@callstack/repack Major
@callstack/repack-plugin-expo-modules Major
@callstack/repack-plugin-nativewind Major
@callstack/repack-plugin-reanimated Major
@callstack/repack-dev-server Major
@callstack/repack-init Major

Development

Successfully merging this pull request may close these issues.

Support bundle verification with multiple public keys