@capgo/cli 4.2.3 → 5.0.0-alpha.3

package/README.md

@@ -128,8 +128,8 @@ Optionally, you can give:
 * `--path [/path/to/my/bundle]` to upload a specific folder.
 * `--channel [test]` to upload to a specific channel.
 * `--external="https://mydomain.com/myapp.zip"` to link to an external URL instead of upload to Capgo cloud, it should be a zip URL in HTTPS.
-* `--key [/path/to/my/private_key]` the path of your private key.
-* `--key-data [privateKey]` the private key data, if you want to use inline.
+* `--key [/path/to/my/public_key]` the path of your public key.
+* `--key-data [publicKey]` the public key data, if you want to use inline.
 * `--no-key` to ignore the signing key and send clear update.
 * `--bundle [1.0.0]` to set the bundle version number of the file to upload.
 * `--iv-session-key [key]` to send a custom session key to the cloud.
@@ -217,9 +217,9 @@ The command will print your `ivSessionKey`y and generate an encrypted zip, to us
 
 Optionally, you can give:
 
-`--key [/path/to/my/private_key]` the path of your private key.
+`--key [/path/to/my/public_key]` the path of your public key.
 
-`--key-data [privateKey]` the private key data, if you want to use inline. This command is mainly used for test purpose, it will decrypt the zip and print the base64 decrypted session key in the console.
+`--key-data [publicKey]` the public key data, if you want to use inline. This command is mainly used for test purpose, it will decrypt the zip and print the base64 decrypted session key in the console.
 
 ### **Zip**
 
@@ -304,9 +304,9 @@ Optionally, you can give: `--force` to overwrite the existing key. This command
 
 Optionally, you can give:
 
-`--key [/path/to/my/private_key]` the path of your private key.
+`--key [/path/to/my/public_key]` the path of your public key.
 
-`--key-data [privateKey]` the private key data, if you want to use inline. This command is useful if you followed the recommendation and didn't commit the key in your app, and in the config.
+`--key-data [publicKey]` the public key data, if you want to use inline. This command is useful if you followed the recommendation and didn't commit the key in your app, and in the config.
 ## Dev contribution
 
 1. Install development dependencies

package/dist/index.js

@@ -61137,7 +61137,7 @@ var {
 // package.json
 var package_default = {
   name: "@capgo/cli",
-  version: "4.2.3",
+  version: "5.0.0-alpha.3",
   description: "A CLI to upload to capgo servers",
   main: "dist/index.js",
   bin: {
@@ -62565,6 +62565,19 @@ async function findMainFile() {
   }
   return mainFile;
 }
+async function checKOldEncryption() {
+  const config = await getConfig();
+  const { extConfig } = config.app;
+  const hasPrivateKeyInConfig = !!extConfig?.plugins?.CapacitorUpdater?.privateKey;
+  const hasPublicKeyInConfig = !!extConfig?.plugins?.CapacitorUpdater?.publicKey;
+  if (hasPrivateKeyInConfig)
+    f2.warning(`You still have privateKey in the capacitor config, this is deprecated, please remove it`);
+  f2.warning(`Encryption with private will be ignored`);
+  if (!hasPublicKeyInConfig) {
+    f2.warning(`publicKey not found in capacitor config, please run npx @capgo/cli key save`);
+    program.error("");
+  }
+}
 async function updateOrCreateVersion(supabase, update) {
   return supabase.from("app_versions").upsert(update, { onConflict: "name,app_id" }).eq("app_id", update.app_id).eq("name", update.name);
 }
@@ -63144,16 +63157,14 @@ var import_config2 = __toESM(require_config());
 var import_node_crypto2 = require("node:crypto");
 var import_node_buffer2 = require("node:buffer");
 var algorithm = "aes-128-cbc";
-var oaepHash = "sha256";
 var formatB64 = "base64";
-var padding = import_node_crypto2.constants.RSA_PKCS1_OAEP_PADDING;
-function decryptSource(source, ivSessionKey, privateKey) {
+var padding = import_node_crypto2.constants.RSA_PKCS1_PADDING;
+function decryptSource(source, ivSessionKey, key2) {
   const [ivB64, sessionb64Encrypted] = ivSessionKey.split(":");
-  const sessionKey = (0, import_node_crypto2.privateDecrypt)(
+  const sessionKey = (0, import_node_crypto2.publicDecrypt)(
     {
-      key: privateKey,
-      padding,
-      oaepHash
+      key: key2,
+      padding
     },
     import_node_buffer2.Buffer.from(sessionb64Encrypted, formatB64)
   );
@@ -63163,17 +63174,16 @@ function decryptSource(source, ivSessionKey, privateKey) {
   const decryptedData = import_node_buffer2.Buffer.concat([decipher.update(source), decipher.final()]);
   return decryptedData;
 }
-function encryptSource(source, publicKey) {
+function encryptSource(source, key2) {
   const initVector = (0, import_node_crypto2.randomBytes)(16);
   const sessionKey = (0, import_node_crypto2.randomBytes)(16);
   const cipher = (0, import_node_crypto2.createCipheriv)(algorithm, sessionKey, initVector);
   cipher.setAutoPadding(true);
   const ivB64 = initVector.toString(formatB64);
-  const sessionb64Encrypted = (0, import_node_crypto2.publicEncrypt)(
+  const sessionb64Encrypted = (0, import_node_crypto2.privateEncrypt)(
     {
-      key: publicKey,
-      padding,
-      oaepHash
+      key: key2,
+      padding
     },
     sessionKey
   ).toString(formatB64);
@@ -63207,18 +63217,28 @@ async function saveKey(options, log = true) {
     oe(`Save keys \u{1F511}`);
   const config = await getConfig();
   const { extConfig } = config.app;
-  const keyPath = options.key || baseKey;
-  let privateKey = options.keyData || "";
-  if (!(0, import_node_fs7.existsSync)(keyPath) && !privateKey) {
+  const keyPath = options.key || baseKeyPub;
+  let publicKey = options.keyData || "";
+  if (!(0, import_node_fs7.existsSync)(keyPath) && !publicKey) {
     if (log) {
-      f2.error(`Cannot find public key ${keyPath} or as keyData option or in ${config.app.extConfigFilePath}`);
+      f2.error(`Cannot find a public key at ${keyPath} or as keyData option or in ${config.app.extConfigFilePath}`);
       program.error("");
     } else {
       return false;
     }
   } else if ((0, import_node_fs7.existsSync)(keyPath)) {
     const keyFile = (0, import_node_fs7.readFileSync)(keyPath);
-    privateKey = keyFile.toString();
+    publicKey = keyFile.toString();
+  }
+  if (publicKey) {
+    if (!publicKey.startsWith("-----BEGIN RSA PUBLIC KEY-----")) {
+      if (log) {
+        f2.error(`the public key provided is not a valid RSA Public key`);
+        program.error("");
+      } else {
+        return false;
+      }
+    }
   }
   if (extConfig) {
     if (!extConfig.plugins) {
@@ -63229,11 +63249,13 @@ async function saveKey(options, log = true) {
     }
     if (!extConfig.plugins.CapacitorUpdater)
       extConfig.plugins.CapacitorUpdater = {};
-    extConfig.plugins.CapacitorUpdater.privateKey = privateKey;
+    if (extConfig.plugins.CapacitorUpdater.privateKey)
+      delete extConfig.plugins.CapacitorUpdater.privateKey;
+    extConfig.plugins.CapacitorUpdater.publicKey = publicKey;
     (0, import_config2.writeConfig)(extConfig, config.app.extConfigFilePath);
   }
   if (log) {
-    f2.success(`private key saved into ${config.app.extConfigFilePath} file in local directory`);
+    f2.success(`public key saved into ${config.app.extConfigFilePath} file in local directory`);
     f2.success(`your app will decode the zip archive with this key`);
   }
   return true;
@@ -63274,19 +63296,23 @@ async function createKey(options, log = true) {
         CapacitorUpdater: {}
       };
     }
-    extConfig.plugins.CapacitorUpdater.privateKey = privateKey;
+    if (!extConfig.plugins.CapacitorUpdater)
+      extConfig.plugins.CapacitorUpdater = {};
+    if (extConfig.plugins.CapacitorUpdater.privateKey)
+      delete extConfig.plugins.CapacitorUpdater.privateKey;
+    extConfig.plugins.CapacitorUpdater.publicKey = publicKey;
     (0, import_config2.writeConfig)(extConfig, config.app.extConfigFilePath);
   }
   if (log) {
     f2.success("Your RSA key has been generated");
-    f2.success(`Public key saved in ${baseKeyPub}`);
+    f2.success(`Private key saved in ${baseKey}`);
     f2.success("This key will be use to encrypt your bundle before sending it to Capgo");
     f2.success("Keep it safe");
     f2.success("Than make it unreadable by Capgo and unmodifiable by anyone");
-    f2.success(`Private key saved in ${config.app.extConfigFilePath}`);
+    f2.success(`Public key saved in ${config.app.extConfigFilePath}`);
     f2.success("Your app will be the only one having it");
     f2.success("Only your users can decrypt your update");
-    f2.success("Only you can send them an update");
+    f2.success("Only your key can send them an update");
     $e(`Done \u2705`);
   }
   return true;
@@ -63463,7 +63489,7 @@ async function uploadBundle(appid, options, shouldExit = true) {
   oe(`Uploading`);
   await checkLatest();
   let { bundle: bundle2, path: path3, channel: channel2 } = options;
-  const { external, key: key2 = false, displayIvSession, autoMinUpdateVersion, ignoreMetadataCheck } = options;
+  const { external, key: key2, displayIvSession, autoMinUpdateVersion, ignoreMetadataCheck } = options;
   let { minUpdateVersion } = options;
   options.apikey = options.apikey || findSavedKey();
   const snag = useLogSnag();
@@ -63586,11 +63612,14 @@ Trial expires in ${isTrial2} days`);
     s.start(`Calculating checksum`);
     checksum = await (0, import_checksum2.checksum)(zipped, "crc32");
     s.stop(`Checksum: ${checksum}`);
-    if (key2 || (0, import_node_fs8.existsSync)(baseKeyPub)) {
-      const publicKey = typeof key2 === "string" ? key2 : baseKeyPub;
+    if (key2 === false) {
+      f2.info(`Encryption ignored`);
+    } else if (key2 || (0, import_node_fs8.existsSync)(baseKey)) {
+      await checKOldEncryption();
+      const privateKey = typeof key2 === "string" ? key2 : baseKey;
       let keyData = options.keyData || "";
-      if (!keyData && !(0, import_node_fs8.existsSync)(publicKey)) {
-        f2.error(`Cannot find public key ${publicKey}`);
+      if (!keyData && !(0, import_node_fs8.existsSync)(privateKey)) {
+        f2.error(`Cannot find private key ${privateKey}`);
         if (import_ci_info.default.isCI)
           program.error("");
         const res2 = await se({ message: "Do you want to use our public key ?" });
@@ -63611,7 +63640,7 @@ Trial expires in ${isTrial2} days`);
         notify: false
       }).catch();
       if (!keyData) {
-        const keyFile = (0, import_node_fs8.readFileSync)(publicKey);
+        const keyFile = (0, import_node_fs8.readFileSync)(privateKey);
         keyData = keyFile.toString();
       }
       f2.info(`Encrypting your bundle`);
@@ -64415,23 +64444,29 @@ async function decryptZip(zipPath, ivsessionKey, options) {
   }
   const config = await getConfig();
   const { extConfig } = config.app;
-  if (!options.key && !(0, import_node_fs12.existsSync)(baseKey) && !extConfig.plugins?.CapacitorUpdater?.privateKey) {
-    f2.error(`Private Key not found at the path ${baseKey} or in ${config.app.extConfigFilePath}`);
+  await checKOldEncryption();
+  if (!options.key && !(0, import_node_fs12.existsSync)(baseKeyPub) && !extConfig.plugins?.CapacitorUpdater?.publicKey) {
+    f2.error(`Public key not found at the path ${baseKeyPub} or in ${config.app.extConfigFilePath}`);
     program.error("");
   }
-  const keyPath = options.key || baseKey;
-  let privateKey = extConfig?.plugins?.CapacitorUpdater?.privateKey;
-  if (!(0, import_node_fs12.existsSync)(keyPath) && !privateKey) {
-    f2.error(`Cannot find public key ${keyPath} or as keyData option or in ${config.app.extConfigFilePath}`);
+  const keyPath = options.key || baseKeyPub;
+  let publicKey = extConfig?.plugins?.CapacitorUpdater?.publicKey;
+  if (!(0, import_node_fs12.existsSync)(keyPath) && !publicKey) {
+    f2.error(`Cannot find a public key at ${keyPath} or as keyData option or in ${config.app.extConfigFilePath}`);
     program.error("");
   } else if ((0, import_node_fs12.existsSync)(keyPath)) {
     const keyFile = (0, import_node_fs12.readFileSync)(keyPath);
-    privateKey = keyFile.toString();
+    publicKey = keyFile.toString();
+  }
+  if (publicKey && !publicKey.startsWith("-----BEGIN RSA PUBLIC KEY-----")) {
+    f2.error(`the public key provided is not a valid RSA Public key`);
+    program.error("");
   }
   const zipFile = (0, import_node_fs12.readFileSync)(zipPath);
-  const decodedZip = decryptSource(zipFile, ivsessionKey, options.keyData ?? privateKey ?? "");
+  const decodedZip = decryptSource(zipFile, ivsessionKey, options.keyData ?? publicKey ?? "");
   (0, import_node_fs12.writeFileSync)(`${zipPath}_decrypted.zip`, decodedZip);
-  $e(`Decrypted zip file at ${zipPath}_decrypted.zip`);
+  f2.success(`Decrypted zip file at ${zipPath}_decrypted.zip`);
+  $e(`Done \u2705`);
   import_node_process19.default.exit();
 }
 
@@ -64443,30 +64478,35 @@ async function encryptZip(zipPath, options) {
   oe(`Encryption`);
   await checkLatest();
   const localConfig = await getLocalConfig();
+  await checKOldEncryption();
   if (!(0, import_node_fs13.existsSync)(zipPath)) {
     f2.error(`Error: Zip not found at the path ${zipPath}`);
     program.error("");
   }
-  const keyPath = options.key || baseKeyPub;
-  let publicKey = options.keyData || "";
-  if (!(0, import_node_fs13.existsSync)(keyPath) && !publicKey) {
-    f2.warning(`Cannot find public key ${keyPath} or as keyData option`);
+  const keyPath = options.key || baseKey;
+  let privateKey = options.keyData || "";
+  if (!(0, import_node_fs13.existsSync)(keyPath) && !privateKey) {
+    f2.warning(`Cannot find a private key at ${keyPath} or as a keyData option`);
     if (import_ci_info2.default.isCI) {
-      f2.error(`Error: Missing public key`);
+      f2.error(`Error: Missing key`);
       program.error("");
     }
-    const res = await se({ message: "Do you want to use our public key ?" });
+    const res = await se({ message: `Do you want to use our private key?` });
     if (!res) {
-      f2.error(`Error: Missing public key`);
+      f2.error(`Error: Missing private key`);
       program.error("");
     }
-    publicKey = localConfig.signKey || "";
+    privateKey = localConfig.signKey || "";
   } else if ((0, import_node_fs13.existsSync)(keyPath)) {
     const keyFile = (0, import_node_fs13.readFileSync)(keyPath);
-    publicKey = keyFile.toString();
+    privateKey = keyFile.toString();
+  }
+  if (privateKey && !privateKey.startsWith("-----BEGIN RSA PRIVATE KEY-----")) {
+    f2.error(`the private key provided is not a valid RSA Private key`);
+    program.error("");
   }
   const zipFile = (0, import_node_fs13.readFileSync)(zipPath);
-  const encodedZip = encryptSource(zipFile, publicKey);
+  const encodedZip = encryptSource(zipFile, privateKey);
   f2.success(`ivSessionKey: ${encodedZip.ivSessionKey}`);
   (0, import_node_fs13.writeFileSync)(`${zipPath}_encrypted.zip`, encodedZip.encryptedData);
   f2.success(`Encrypted zip saved at ${zipPath}_encrypted.zip`);
@@ -65124,7 +65164,7 @@ bundle.command("delete [bundleId] [appId]").alias("d").description("Delete a bun
 bundle.command("list [appId]").alias("l").description("List bundle in Capgo Cloud").action(listBundle).option("-a, --apikey <apikey>", "apikey to link to your account");
 bundle.command("unlink [appId]").description("Unlink a bundle in Capgo Cloud").action(listBundle).option("-a, --apikey <apikey>", "apikey to link to your account").option("-b, --bundle <bundle>", "bundle version number of the bundle to unlink");
 bundle.command("cleanup [appId]").alias("c").action(cleanupBundle).description("Cleanup bundle in Capgo Cloud").option("-b, --bundle <bundle>", "bundle version number of the app to delete").option("-a, --apikey <apikey>", "apikey to link to your account").option("-k, --keep <keep>", "number of version to keep").option("-f, --force", "force removal");
-bundle.command("decrypt [zipPath] [sessionKey]").description("Decrypt a signed zip bundle").action(decryptZip).option("--key <key>", "custom path for private signing key").option("--key-data <keyData>", "base64 private signing key");
+bundle.command("decrypt [zipPath] [sessionKey]").description("Decrypt a signed zip bundle").action(decryptZip).option("--key <key>", "custom path for public signing key").option("--key-data <keyData>", "base64 public signing key");
 bundle.command("encrypt [zipPath]").description("Encrypt a zip bundle").action(encryptZip).option("--key <key>", "custom path for private signing key").option("--key-data <keyData>", "base64 private signing key");
 bundle.command("zip [appId]").description("Zip a bundle").action(zipBundle).option("-p, --path <path>", "path of the folder to upload").option("-b, --bundle <bundle>", "bundle version number to name the zip file").option("-n, --name <name>", "name of the zip file").option("-j, --json", "output in JSON").option("--no-code-check", "Ignore checking if notifyAppReady() is called in soure code and index present in root folder");
 var channel = program.command("channel").description("Manage channel");
@@ -65134,7 +65174,7 @@ channel.command("list [appId]").alias("l").description("List channel").action(li
 channel.command("currentBundle [channel] [appId]").description("Get current bundle for specific channel in Capgo Cloud").action(currentBundle).option("-c, --channel <channel>", "channel to get the current bundle from").option("-a, --apikey <apikey>", "apikey to link to your account").option("--quiet", "only print the bundle version");
 channel.command("set [channelId] [appId]").alias("s").description("Set channel").action(setChannel).option("-a, --apikey <apikey>", "apikey to link to your account").option("-b, --bundle <bundle>", "bundle version number of the file to set").option("-s, --state <state>", "set the state of the channel, default or normal").option("--latest", "get the latest version key in the package.json to set it to the channel").option("--downgrade", "Allow to downgrade to version under native one").option("--no-downgrade", "Disable downgrade to version under native one").option("--upgrade", "Allow to upgrade to version above native one").option("--no-upgrade", "Disable upgrade to version above native one").option("--ios", "Allow sending update to ios devices").option("--no-ios", "Disable sending update to ios devices").option("--android", "Allow sending update to android devices").option("--no-android", "Disable sending update to android devices").option("--self-assign", "Allow to device to self assign to this channel").option("--no-self-assign", "Disable devices to self assign to this channel").option("--disable-auto-update <disableAutoUpdate>", "Disable auto update strategy for this channel.The possible options are: major, minor, metadata, none");
 var key = program.command("key").description("Manage key");
-key.command("save").description("Save base64 signing key in capacitor config, usefull for CI").action(saveKeyCommand).option("-f, --force", "force generate a new one").option("--key", "key path to save in capacitor config").option("--key-data", "key data to save in capacitor config");
+key.command("save").description("Save base64 signing key in capacitor config, useful for CI").action(saveKeyCommand).option("-f, --force", "force generate a new one").option("--key", "key path to save in capacitor config").option("--key-data <keyData>", "key data to save in capacitor config");
 key.command("create").description("Create a new signing key").action(createKeyCommand).option("-f, --force", "force generate a new one");
 program.command("upload [appId]").alias("u").description("(Deprecated) Upload a new bundle to Capgo Cloud").action(uploadDeprecatedCommand).option("-a, --apikey <apikey>", "apikey to link to your account").option("-p, --path <path>", "path of the folder to upload").option("-c, --channel <channel>", "channel to link to").option("-e, --external <url>", "link to external url intead of upload to Capgo Cloud").option("--key <key>", "custom path for public signing key").option("--key-data <keyData>", "base64 public signing key").option("--bundle-url", "prints bundle url into stdout").option("--no-key", "ignore signing key and send clear update").option("--display-iv-session", "Show in the console the iv and session key used to encrypt the update").option("-b, --bundle <bundle>", "bundle version number of the file to upload").option(
   "--min-update-version <minUpdateVersion>",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@capgo/cli",
-  "version": "4.2.3",
+  "version": "5.0.0-alpha.3",
   "description": "A CLI to upload to capgo servers",
   "main": "dist/index.js",
   "bin": {

package/src/api/crypto.ts

@@ -3,30 +3,31 @@ import {
   createCipheriv,
   createDecipheriv,
   generateKeyPairSync,
-  privateDecrypt,
-  publicEncrypt,
+  privateEncrypt,
+  publicDecrypt,
   randomBytes,
 } from 'node:crypto'
 import { Buffer } from 'node:buffer'
 
 const algorithm = 'aes-128-cbc'
-const oaepHash = 'sha256'
 const formatB64 = 'base64'
-const padding = constants.RSA_PKCS1_OAEP_PADDING
+const padding = constants.RSA_PKCS1_PADDING
 
-export function decryptSource(source: Buffer, ivSessionKey: string, privateKey: string): Buffer {
+export function decryptSource(source: Buffer, ivSessionKey: string, key: string): Buffer {
+  // console.log('decryptKeyType - ', decryptKeyType);
+  // console.log(key);
   // console.log('\nivSessionKey', ivSessionKey)
   const [ivB64, sessionb64Encrypted] = ivSessionKey.split(':')
   // console.log('\nsessionb64Encrypted', sessionb64Encrypted)
   // console.log('\nivB64', ivB64)
-  const sessionKey = privateDecrypt(
+  const sessionKey = publicDecrypt(
     {
-      key: privateKey,
+      key,
       padding,
-      oaepHash,
     },
     Buffer.from(sessionb64Encrypted, formatB64),
   )
+
   // ivB64 to uft-8
   const initVector = Buffer.from(ivB64, formatB64)
   // console.log('\nSessionB64', sessionB64)
@@ -41,7 +42,10 @@ export interface Encoded {
   ivSessionKey: string
   encryptedData: Buffer
 }
-export function encryptSource(source: Buffer, publicKey: string): Encoded {
+export function encryptSource(source: Buffer, key: string): Encoded {
+  // console.log('decryptKeyType - ', decryptKeyType);
+  // console.log(key);
+
   // encrypt zip with key
   const initVector = randomBytes(16)
   const sessionKey = randomBytes(16)
@@ -54,14 +58,15 @@ export function encryptSource(source: Buffer, publicKey: string): Encoded {
   // console.log('\nsessionB64', sessionB64)
   const ivB64 = initVector.toString(formatB64)
   // console.log('\nivB64', ivB64)
-  const sessionb64Encrypted = publicEncrypt(
+
+  const sessionb64Encrypted = privateEncrypt(
     {
-      key: publicKey,
+      key,
       padding,
-      oaepHash,
     },
     sessionKey,
   ).toString(formatB64)
+
   // console.log('\nsessionb64Encrypted', sessionb64Encrypted)
   const ivSessionKey = `${ivB64}:${sessionb64Encrypted}`
   // console.log('\nivSessionKey', sessionKey)

package/src/bundle/decrypt.ts

@@ -3,7 +3,7 @@ import process from 'node:process'
 import { program } from 'commander'
 import * as p from '@clack/prompts'
 import { decryptSource } from '../api/crypto'
-import { baseKey, getConfig } from '../utils'
+import { baseKeyPub, checKOldEncryption, getConfig } from '../utils'
 import { checkLatest } from '../api/update'
 
 interface Options {
@@ -23,32 +23,43 @@ export async function decryptZip(zipPath: string, ivsessionKey: string, options:
 
   const config = await getConfig()
   const { extConfig } = config.app
+  // console.log('config - ', config)
+  // console.log('extConfig - ', extConfig)
 
-  if (!options.key && !existsSync(baseKey) && !extConfig.plugins?.CapacitorUpdater?.privateKey) {
-    p.log.error(`Private Key not found at the path ${baseKey} or in ${config.app.extConfigFilePath}`)
+  await checKOldEncryption()
+  // console.log(`There ${hasPrivateKeyInConfig ? 'IS' : 'IS NOT'} a privateKey in the config`);
+
+  if (!options.key && !existsSync(baseKeyPub) && !extConfig.plugins?.CapacitorUpdater?.publicKey) {
+    p.log.error(`Public key not found at the path ${baseKeyPub} or in ${config.app.extConfigFilePath}`)
     program.error('')
   }
-  const keyPath = options.key || baseKey
-  // check if publicKey exist
+  const keyPath = options.key || baseKeyPub
+  // check if private exist
 
-  let privateKey = extConfig?.plugins?.CapacitorUpdater?.privateKey
+  let publicKey = extConfig?.plugins?.CapacitorUpdater?.publicKey
 
-  if (!existsSync(keyPath) && !privateKey) {
-    p.log.error(`Cannot find public key ${keyPath} or as keyData option or in ${config.app.extConfigFilePath}`)
+  if (!existsSync(keyPath) && !publicKey) {
+    p.log.error(`Cannot find a public key at ${keyPath} or as keyData option or in ${config.app.extConfigFilePath}`)
     program.error('')
   }
   else if (existsSync(keyPath)) {
     // open with fs publicKey path
     const keyFile = readFileSync(keyPath)
-    privateKey = keyFile.toString()
+    publicKey = keyFile.toString()
+  }
+
+  // let's doublecheck and make sure the key we are using is the right type based on the decryption strategy
+  if (publicKey && !publicKey.startsWith('-----BEGIN RSA PUBLIC KEY-----')) {
+    p.log.error(`the public key provided is not a valid RSA Public key`)
+    program.error('')
   }
-  // console.log('privateKey', privateKey)
 
   const zipFile = readFileSync(zipPath)
 
-  const decodedZip = decryptSource(zipFile, ivsessionKey, options.keyData ?? privateKey ?? '')
+  const decodedZip = decryptSource(zipFile, ivsessionKey, options.keyData ?? publicKey ?? '')
   // write decodedZip in a file
   writeFileSync(`${zipPath}_decrypted.zip`, decodedZip)
-  p.outro(`Decrypted zip file at ${zipPath}_decrypted.zip`)
+  p.log.success(`Decrypted zip file at ${zipPath}_decrypted.zip`)
+  p.outro(`Done ✅`)
   process.exit()
 }

package/src/bundle/encrypt.ts

@@ -5,7 +5,7 @@ import ciDetect from 'ci-info'
 import * as p from '@clack/prompts'
 import { checkLatest } from '../api/update'
 import { encryptSource } from '../api/crypto'
-import { baseKeyPub, getLocalConfig } from '../utils'
+import { baseKey, checKOldEncryption, getLocalConfig } from '../utils'
 
 interface Options {
   key?: string
@@ -17,40 +17,49 @@ export async function encryptZip(zipPath: string, options: Options) {
 
   await checkLatest()
   const localConfig = await getLocalConfig()
+  // console.log('localConfig - ', localConfig)
+  // console.log('config - ', config)
 
-  // write in file .capgo the apikey in home directory
+  await checKOldEncryption()
 
   if (!existsSync(zipPath)) {
     p.log.error(`Error: Zip not found at the path ${zipPath}`)
     program.error('')
   }
 
-  const keyPath = options.key || baseKeyPub
-  // check if publicKey exist
+  const keyPath = options.key || baseKey
+  // check if privateKey exist
 
-  let publicKey = options.keyData || ''
+  let privateKey = options.keyData || ''
 
-  if (!existsSync(keyPath) && !publicKey) {
-    p.log.warning(`Cannot find public key ${keyPath} or as keyData option`)
+  if (!existsSync(keyPath) && !privateKey) {
+    p.log.warning(`Cannot find a private key at ${keyPath} or as a keyData option`)
     if (ciDetect.isCI) {
-      p.log.error(`Error: Missing public key`)
+      p.log.error(`Error: Missing key`)
       program.error('')
     }
-    const res = await p.confirm({ message: 'Do you want to use our public key ?' })
+    const res = await p.confirm({ message: `Do you want to use our private key?` })
     if (!res) {
-      p.log.error(`Error: Missing public key`)
+      p.log.error(`Error: Missing private key`)
       program.error('')
     }
-    publicKey = localConfig.signKey || ''
+
+    privateKey = localConfig.signKey || ''
   }
   else if (existsSync(keyPath)) {
-    // open with fs publicKey path
+    // open with fs key path
     const keyFile = readFileSync(keyPath)
-    publicKey = keyFile.toString()
+    privateKey = keyFile.toString()
+  }
+
+  // let's doublecheck and make sure the key we are using is the right type based on the decryption strategy
+  if (privateKey && !privateKey.startsWith('-----BEGIN RSA PRIVATE KEY-----')) {
+    p.log.error(`the private key provided is not a valid RSA Private key`)
+    program.error('')
   }
 
   const zipFile = readFileSync(zipPath)
-  const encodedZip = encryptSource(zipFile, publicKey)
+  const encodedZip = encryptSource(zipFile, privateKey)
   p.log.success(`ivSessionKey: ${encodedZip.ivSessionKey}`)
   // write decodedZip in a file
   writeFileSync(`${zipPath}_encrypted.zip`, encodedZip.encryptedData)

package/src/bundle/upload.ts

@@ -16,7 +16,8 @@ import type {
 } from '../utils'
 import {
   OrganizationPerm,
-  baseKeyPub,
+  baseKey,
+  checKOldEncryption,
   checkCompatibility,
   checkPlanValid,
   convertAppName,
@@ -60,7 +61,7 @@ export async function uploadBundle(appid: string, options: Options, shouldExit =
   p.intro(`Uploading`)
   await checkLatest()
   let { bundle, path, channel } = options
-  const { external, key = false, displayIvSession, autoMinUpdateVersion, ignoreMetadataCheck } = options
+  const { external, key, displayIvSession, autoMinUpdateVersion, ignoreMetadataCheck } = options
   let { minUpdateVersion } = options
   options.apikey = options.apikey || findSavedKey()
   const snag = useLogSnag()
@@ -227,12 +228,16 @@ export async function uploadBundle(appid: string, options: Options, shouldExit =
     s.start(`Calculating checksum`)
     checksum = await getChecksum(zipped, 'crc32')
     s.stop(`Checksum: ${checksum}`)
-    if (key || existsSync(baseKeyPub)) {
-      const publicKey = typeof key === 'string' ? key : baseKeyPub
+    if (key === false) {
+      p.log.info(`Encryption ignored`)
+    }
+    else if (key || existsSync(baseKey)) {
+      await checKOldEncryption()
+      const privateKey = typeof key === 'string' ? key : baseKey
       let keyData = options.keyData || ''
-      // check if publicKey exist
-      if (!keyData && !existsSync(publicKey)) {
-        p.log.error(`Cannot find public key ${publicKey}`)
+      // check if privateKey exist
+      if (!keyData && !existsSync(privateKey)) {
+        p.log.error(`Cannot find private key ${privateKey}`)
         if (ciDetect.isCI)
           program.error('')
 
@@ -253,9 +258,9 @@ export async function uploadBundle(appid: string, options: Options, shouldExit =
         },
         notify: false,
       }).catch()
-      // open with fs publicKey path
+      // open with fs privateKey path
       if (!keyData) {
-        const keyFile = readFileSync(publicKey)
+        const keyFile = readFileSync(privateKey)
         keyData = keyFile.toString()
       }
       // encrypt

package/src/index.ts

@@ -169,8 +169,8 @@ bundle
   .command('decrypt [zipPath] [sessionKey]')
   .description('Decrypt a signed zip bundle')
   .action(decryptZip)
-  .option('--key <key>', 'custom path for private signing key')
-  .option('--key-data <keyData>', 'base64 private signing key')
+  .option('--key <key>', 'custom path for public signing key')
+  .option('--key-data <keyData>', 'base64 public signing key')
 
 bundle
   .command('encrypt [zipPath]')
@@ -250,11 +250,11 @@ const key = program
 
 key
   .command('save')
-  .description('Save base64 signing key in capacitor config, usefull for CI')
+  .description('Save base64 signing key in capacitor config, useful for CI')
   .action(saveKeyCommand)
   .option('-f, --force', 'force generate a new one')
   .option('--key', 'key path to save in capacitor config')
-  .option('--key-data', 'key data to save in capacitor config')
+  .option('--key-data <keyData>', 'key data to save in capacitor config')
 
 key
   .command('create')