@hot-updater/react-native 0.22.1 → 0.23.0

package/lib/typescript/commonjs/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,KAAK,EAAE,KAAK,CAAC;CACd;AAED;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAgBpE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,OAAO,EACd,QAAQ,EAAE,MAAM,GACf,4BAA4B,CAS9B"}

package/lib/typescript/module/index.d.ts

@@ -3,6 +3,7 @@ import { updateBundle } from "./native";
 import { wrap } from "./wrap";
 export type { HotUpdaterEvent } from "./native";
 export * from "./store";
+export { extractSignatureFailure, isSignatureVerificationError, type SignatureVerificationFailure, } from "./types";
 export type { HotUpdaterOptions } from "./wrap";
 export declare const HotUpdater: {
     /**

package/lib/typescript/module/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAQL,YAAY,EACb,MAAM,UAAU,CAAC;AAGlB,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAE9B,YAAY,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAChD,cAAc,SAAS,CAAC;AACxB,YAAY,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAQhD,eAAO,MAAM,UAAU;IACrB;;;;;;;;;;;;;;;;;;;;;OAqBG;;IAEH;;OAEG;;IAEH;;;;;;;;;;;;;;;;OAgBG;;IAEH;;OAEG;;IAEH;;OAEG;;IAEH;;OAEG;;IAEH;;;;;;;;;;;;OAYG;;IAEH;;;;;;;;;;;;;;;;OAgBG;;IAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;;IAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+BG;;IAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;;IAEH;;;;;;;;;;OAUG;;CAEJ,CAAC;AAEF,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAQL,YAAY,EACb,MAAM,UAAU,CAAC;AAGlB,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAE9B,YAAY,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAChD,cAAc,SAAS,CAAC;AACxB,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,KAAK,4BAA4B,GAClC,MAAM,SAAS,CAAC;AACjB,YAAY,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAQhD,eAAO,MAAM,UAAU;IACrB;;;;;;;;;;;;;;;;;;;;;OAqBG;;IAEH;;OAEG;;IAEH;;;;;;;;;;;;;;;;OAgBG;;IAEH;;OAEG;;IAEH;;OAEG;;IAEH;;OAEG;;IAEH;;;;;;;;;;;;OAYG;;IAEH;;;;;;;;;;;;;;;;OAgBG;;IAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;;IAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+BG;;IAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;;IAEH;;;;;;;;;;OAUG;;CAEJ,CAAC;AAEF,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC"}

package/lib/typescript/module/specs/NativeHotUpdater.d.ts

@@ -3,8 +3,13 @@ export interface UpdateBundleParams {
     bundleId: string;
     fileUrl: string | null;
     /**
-     * SHA256 hash of the bundle file for integrity verification.
-     * If provided, the native layer will verify the downloaded file's hash.
+     * File hash for integrity/signature verification.
+     *
+     * Format depends on signing configuration:
+     * - Signed: `sig:<base64_signature>` - Native will verify signature (and implicitly hash)
+     * - Unsigned: `<hex_hash>` - Native will verify SHA256 hash only
+     *
+     * Native determines verification mode by checking for "sig:" prefix.
      */
     fileHash: string | null;
 }

package/lib/typescript/module/specs/NativeHotUpdater.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"NativeHotUpdater.d.ts","sourceRoot":"","sources":["../../../../src/specs/NativeHotUpdater.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAGhD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB;;;OAGG;IACH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,WAAW,IAAK,SAAQ,WAAW;IAEvC,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAG3D,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,QAAQ,CAAC,YAAY,EAAE,MAAM;QAC3B,aAAa,EAAE,MAAM,CAAC;QACtB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,OAAO,EAAE,MAAM,CAAC;QAChB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;KACjC,CAAC;CACH;;AAED,wBAAoE"}
+{"version":3,"file":"NativeHotUpdater.d.ts","sourceRoot":"","sources":["../../../../src/specs/NativeHotUpdater.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAGhD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB;;;;;;;;OAQG;IACH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,WAAW,IAAK,SAAQ,WAAW;IAEvC,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAG3D,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,QAAQ,CAAC,YAAY,EAAE,MAAM;QAC3B,aAAa,EAAE,MAAM,CAAC;QACtB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,OAAO,EAAE,MAAM,CAAC;QAChB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;KACjC,CAAC;CACH;;AAED,wBAAoE"}

package/lib/typescript/module/types.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Information about a signature verification failure.
+ * This is a security-critical event that indicates the bundle
+ * may have been tampered with or the public key is misconfigured.
+ */
+export interface SignatureVerificationFailure {
+    /**
+     * The bundle ID that failed verification.
+     */
+    bundleId: string;
+    /**
+     * Human-readable error message from the native layer.
+     */
+    message: string;
+    /**
+     * The underlying error object.
+     */
+    error: Error;
+}
+/**
+ * Checks if an error is a signature verification failure.
+ * Matches error messages from both iOS and Android native implementations.
+ *
+ * **IMPORTANT**: This function relies on specific error message patterns from native code.
+ * If you change the error messages in the native implementations, update these patterns:
+ * - iOS: `ios/HotUpdater/Internal/SignatureVerifier.swift` (SignatureVerificationError)
+ * - Android: `android/src/main/java/com/hotupdater/SignatureVerifier.kt` (SignatureVerificationException)
+ */
+export declare function isSignatureVerificationError(error: unknown): boolean;
+/**
+ * Extracts signature verification failure details from an error.
+ */
+export declare function extractSignatureFailure(error: unknown, bundleId: string): SignatureVerificationFailure;
+//# sourceMappingURL=types.d.ts.map

package/lib/typescript/module/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,KAAK,EAAE,KAAK,CAAC;CACd;AAED;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAgBpE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,OAAO,EACd,QAAQ,EAAE,MAAM,GACf,4BAA4B,CAS9B"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hot-updater/react-native",
-  "version": "0.22.1",
+  "version": "0.23.0",
   "description": "React Native OTA solution for self-hosted",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -27,7 +27,7 @@
     "ios",
     "cpp",
     "app.plugin.js",
-    "plugin/build/withHotUpdater.js",
+    "plugin/build",
     "*.podspec",
     "react-native.config.js",
     "!ios/build",
@@ -119,14 +119,14 @@
     "react-native": "0.79.1",
     "react-native-builder-bob": "^0.40.10",
     "typescript": "^5.8.3",
-    "hot-updater": "0.22.1"
+    "hot-updater": "0.23.0"
   },
   "dependencies": {
     "use-sync-external-store": "1.5.0",
-    "@hot-updater/cli-tools": "0.22.1",
-    "@hot-updater/js": "0.22.1",
-    "@hot-updater/core": "0.22.1",
-    "@hot-updater/plugin-core": "0.22.1"
+    "@hot-updater/cli-tools": "0.23.0",
+    "@hot-updater/plugin-core": "0.23.0",
+    "@hot-updater/js": "0.23.0",
+    "@hot-updater/core": "0.23.0"
   },
   "scripts": {
     "build": "bob build && tsc -p plugin/tsconfig.build.json",

package/plugin/build/transformers.js

@@ -0,0 +1,269 @@
+"use strict";
+/**
+ * Pure transformation functions for HotUpdater code injection
+ * These utilities handle code transformations for different React Native patterns
+ */
+var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
+    if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
+        if (ar || !(i in from)) {
+            if (!ar) ar = Array.prototype.slice.call(from, 0, i);
+            ar[i] = from[i];
+        }
+    }
+    return to.concat(ar || Array.prototype.slice.call(from));
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.transformAndroid = transformAndroid;
+exports.transformIOS = transformIOS;
+/**
+ * Helper to add lines if they don't exist, anchored by a specific string.
+ */
+function addLinesOnce(contents, anchor, linesToAdd) {
+    if (linesToAdd.every(function (line) { return contents.includes(line); })) {
+        // All lines already exist, do nothing
+        return contents;
+    }
+    // Check if the anchor exists
+    if (!contents.includes(anchor)) {
+        // Anchor not found, cannot add lines reliably.
+        return contents;
+    }
+    // Add lines after the anchor
+    return contents.replace(anchor, "".concat(anchor, "\n").concat(linesToAdd.join("\n")));
+}
+/**
+ * Android: handle getDefaultReactHost pattern (RN 0.82+ style).
+ * Adds jsBundleFilePath parameter to the call.
+ */
+function transformAndroidReactHost(contents) {
+    var kotlinImport = "import com.hotupdater.HotUpdater";
+    var kotlinImportAnchor = "import com.facebook.react.ReactApplication";
+    var kotlinMethodCheck = "HotUpdater.getJSBundleFile(applicationContext)";
+    // Quick pattern detection: only touch files using getDefaultReactHost
+    // with the new RN 0.82+ parameter style.
+    if (!contents.includes("getDefaultReactHost(") ||
+        !contents.includes("packageList =")) {
+        return contents;
+    }
+    // 1. Ensure HotUpdater import exists (idempotent via addLinesOnce)
+    var result = addLinesOnce(contents, kotlinImportAnchor, [kotlinImport]);
+    // 2. If jsBundleFilePath is already wired to HotUpdater, do nothing
+    if (result.includes(kotlinMethodCheck) &&
+        result.includes("jsBundleFilePath")) {
+        return result;
+    }
+    var lines = result.split("\n");
+    var callIndex = lines.findIndex(function (line) {
+        return line.includes("getDefaultReactHost(");
+    });
+    if (callIndex === -1) {
+        return result;
+    }
+    // Determine the indentation used for parameters (e.g. "      ")
+    var paramIndent = "";
+    for (var i = callIndex + 1; i < lines.length; i += 1) {
+        var line = lines[i];
+        var trimmed = line.trim();
+        if (trimmed.length === 0) {
+            continue;
+        }
+        if (trimmed.startsWith(")")) {
+            // No parameters detected, give up safely.
+            return result;
+        }
+        var indentMatch = line.match(/^(\s*)/);
+        paramIndent = indentMatch ? indentMatch[1] : "";
+        break;
+    }
+    if (!paramIndent) {
+        return result;
+    }
+    // Find the closing line of the call (a line that is just ")" with indentation).
+    var closingIndex = -1;
+    for (var i = callIndex + 1; i < lines.length; i += 1) {
+        if (lines[i].trim() === ")") {
+            closingIndex = i;
+            break;
+        }
+    }
+    if (closingIndex === -1) {
+        return result;
+    }
+    // Avoid inserting twice if jsBundleFilePath already added somewhere in the call.
+    for (var i = callIndex; i < closingIndex; i += 1) {
+        if (lines[i].includes("jsBundleFilePath")) {
+            return result;
+        }
+    }
+    var jsBundleLine = "".concat(paramIndent, "jsBundleFilePath = HotUpdater.getJSBundleFile(applicationContext),");
+    lines.splice(closingIndex, 0, jsBundleLine);
+    return lines.join("\n");
+}
+/**
+ * Android: DefaultReactNativeHost pattern (RN 0.81 / Expo 54).
+ * Adds getJSBundleFile() override to the host.
+ */
+function transformAndroidDefaultHost(contents) {
+    var _a;
+    var kotlinImport = "import com.hotupdater.HotUpdater";
+    var kotlinImportAnchor = "import com.facebook.react.ReactApplication";
+    var kotlinReactNativeHostAnchor = "object : DefaultReactNativeHost(this) {";
+    var kotlinMethodCheck = "HotUpdater.getJSBundleFile(applicationContext)";
+    var kotlinExistingMethodRegex = /^\s*override fun getJSBundleFile\(\): String\?\s*\{[\s\S]*?^\s*\}/gm;
+    var kotlinHermesAnchor = "override val isHermesEnabled: Boolean = BuildConfig.IS_HERMES_ENABLED";
+    var kotlinNewArchAnchor = "override val isNewArchEnabled: Boolean = BuildConfig.IS_NEW_ARCHITECTURE_ENABLED";
+    // Check if this is the old pattern with DefaultReactNativeHost
+    if (!contents.includes(kotlinReactNativeHostAnchor)) {
+        return contents;
+    }
+    // 1. Add import if missing
+    var result = addLinesOnce(contents, kotlinImportAnchor, [kotlinImport]);
+    // 2. Add/Replace getJSBundleFile method if needed
+    if (!result.includes(kotlinMethodCheck)) {
+        // Remove potentially existing (different) override first
+        result = result.replace(kotlinExistingMethodRegex, "");
+        var lines_1 = result.split("\n");
+        var findLineIndex = function (needle) {
+            for (var i = 0; i < lines_1.length; i += 1) {
+                if (lines_1[i].includes(needle)) {
+                    return i;
+                }
+            }
+            return -1;
+        };
+        // Prefer inserting after Hermes line, then after new architecture line
+        var anchorIndex = findLineIndex(kotlinHermesAnchor);
+        if (anchorIndex === -1) {
+            anchorIndex = findLineIndex(kotlinNewArchAnchor);
+        }
+        if (anchorIndex !== -1) {
+            var indentMatch = lines_1[anchorIndex].match(/^\s*/);
+            var indent = indentMatch ? indentMatch[0] : "";
+            var objectLine = lines_1.find(function (line) {
+                return line.includes("object : DefaultReactNativeHost");
+            });
+            var indentSize = 2;
+            if (objectLine) {
+                var objectIndent = (((_a = objectLine.match(/^\s*/)) === null || _a === void 0 ? void 0 : _a[0]) || "").length;
+                var propertyIndent = indent.length;
+                var diff = propertyIndent - objectIndent;
+                if (diff > 0) {
+                    indentSize = diff;
+                }
+            }
+            var spaces = indentSize === 2 ? "  " : "    ";
+            var bodyIndent = indent + spaces;
+            var methodLines = [
+                "", // blank line
+                "".concat(indent, "override fun getJSBundleFile(): String? {"),
+                "".concat(bodyIndent, "return HotUpdater.getJSBundleFile(applicationContext)"),
+                "".concat(indent, "}"),
+            ];
+            var insertIndex = anchorIndex + 1;
+            lines_1.splice.apply(lines_1, __spreadArray([insertIndex, 0], methodLines, false));
+            result = lines_1.join("\n");
+        }
+        else {
+            // Fallback: insert before the closing brace of the object block
+            var hostStartIndex = lines_1.findIndex(function (line) {
+                return line.includes("object : DefaultReactNativeHost");
+            });
+            if (hostStartIndex === -1) {
+                throw new Error("[transformAndroidDefaultHost] Could not find DefaultReactNativeHost block.");
+            }
+            var hostEndIndex = -1;
+            for (var i = lines_1.length - 1; i > hostStartIndex; i -= 1) {
+                if (lines_1[i].trim() === "}") {
+                    hostEndIndex = i;
+                    break;
+                }
+            }
+            if (hostEndIndex === -1) {
+                throw new Error("[transformAndroidDefaultHost] Could not find end of DefaultReactNativeHost block.");
+            }
+            var indentMatch = lines_1[hostEndIndex].match(/^\s*/);
+            var indent = indentMatch ? indentMatch[0] : "";
+            var bodyIndent = "".concat(indent, "  ");
+            var methodLines = [
+                "".concat(indent, "override fun getJSBundleFile(): String? {"),
+                "".concat(bodyIndent, "return HotUpdater.getJSBundleFile(applicationContext)"),
+                "".concat(indent, "}"),
+            ];
+            lines_1.splice.apply(lines_1, __spreadArray([hostEndIndex, 0], methodLines, false));
+            result = lines_1.join("\n");
+        }
+    }
+    return result;
+}
+/**
+ * Public Android transformer that applies all Android-specific transforms.
+ */
+function transformAndroid(contents) {
+    var result = contents;
+    result = transformAndroidReactHost(result);
+    result = transformAndroidDefaultHost(result);
+    return result;
+}
+/**
+ * iOS: Objective-C AppDelegate transformation.
+ * Replaces NSBundle-based bundleURL with HotUpdater bundleURL.
+ */
+function transformIOSObjC(contents) {
+    var iosImport = "#import <HotUpdater/HotUpdater.h>";
+    var iosBundleUrl = "[HotUpdater bundleURL]";
+    var iosOriginalBundleUrlRegex = /\[\[NSBundle mainBundle\] URLForResource:@"main" withExtension:@"jsbundle"\]/g;
+    var iosAppDelegateHeader = '#import "AppDelegate.h"';
+    // Check if it's likely Obj-C
+    if (!contents.includes(iosAppDelegateHeader)) {
+        return contents;
+    }
+    var result = contents;
+    // 1. Ensure HotUpdater import is present
+    if (!result.includes(iosImport)) {
+        result = addLinesOnce(result, iosAppDelegateHeader, [iosImport]);
+    }
+    // 2. Swap NSBundle-based URL with HotUpdater bundleURL, but only once
+    if (!result.includes(iosBundleUrl) &&
+        iosOriginalBundleUrlRegex.test(result)) {
+        result = result.replace(iosOriginalBundleUrlRegex, iosBundleUrl);
+    }
+    return result;
+}
+/**
+ * iOS: Swift / Expo AppDelegate transformation.
+ * Replaces Bundle.main.url-based bundleURL with HotUpdater.bundleURL().
+ */
+function transformIOSSwift(contents) {
+    var swiftImport = "import HotUpdater";
+    var swiftBundleUrl = "HotUpdater.bundleURL()";
+    var swiftOriginalBundleUrlRegex = /Bundle\.main\.url\(forResource: "?main"?, withExtension: "jsbundle"\)/g;
+    // Check if it's likely Swift AppDelegate code
+    if (!contents.includes("import ")) {
+        return contents;
+    }
+    // 1. Add import if missing - find the last import statement and add after it
+    var result = contents;
+    if (!result.includes(swiftImport)) {
+        // Find the last import statement
+        var lastImportMatch = result.match(/^import .*$/gm);
+        if (lastImportMatch) {
+            var lastImport = lastImportMatch[lastImportMatch.length - 1];
+            result = result.replace(lastImport, "".concat(lastImport, "\n").concat(swiftImport));
+        }
+    }
+    // 2. Replace bundleURL provider if the original exists and hasn't been replaced
+    if (!result.includes(swiftBundleUrl) &&
+        swiftOriginalBundleUrlRegex.test(result)) {
+        result = result.replace(swiftOriginalBundleUrlRegex, swiftBundleUrl);
+    }
+    return result;
+}
+/**
+ * Public iOS transformer that applies both Objective-C and Swift transforms.
+ */
+function transformIOS(contents) {
+    var result = contents;
+    result = transformIOSObjC(result);
+    result = transformIOSSwift(result);
+    return result;
+}

package/src/checkForUpdate.ts

@@ -81,7 +81,7 @@ export async function checkForUpdate(
         return updateBundle({
           bundleId: updateInfo.id,
           fileUrl: updateInfo.fileUrl,
-          fileHash: updateInfo?.fileHash ?? null,
+          fileHash: updateInfo.fileHash,
           status: updateInfo.status,
         });
       },

package/src/index.ts

@@ -15,6 +15,11 @@ import { wrap } from "./wrap";
 
 export type { HotUpdaterEvent } from "./native";
 export * from "./store";
+export {
+  extractSignatureFailure,
+  isSignatureVerificationError,
+  type SignatureVerificationFailure,
+} from "./types";
 export type { HotUpdaterOptions } from "./wrap";
 
 addListener("onProgress", ({ progress }) => {

package/src/specs/NativeHotUpdater.ts

@@ -5,8 +5,13 @@ export interface UpdateBundleParams {
   bundleId: string;
   fileUrl: string | null;
   /**
-   * SHA256 hash of the bundle file for integrity verification.
-   * If provided, the native layer will verify the downloaded file's hash.
+   * File hash for integrity/signature verification.
+   *
+   * Format depends on signing configuration:
+   * - Signed: `sig:<base64_signature>` - Native will verify signature (and implicitly hash)
+   * - Unsigned: `<hex_hash>` - Native will verify SHA256 hash only
+   *
+   * Native determines verification mode by checking for "sig:" prefix.
    */
   fileHash: string | null;
 }

package/src/types.ts

@@ -0,0 +1,63 @@
+/**
+ * Information about a signature verification failure.
+ * This is a security-critical event that indicates the bundle
+ * may have been tampered with or the public key is misconfigured.
+ */
+export interface SignatureVerificationFailure {
+  /**
+   * The bundle ID that failed verification.
+   */
+  bundleId: string;
+  /**
+   * Human-readable error message from the native layer.
+   */
+  message: string;
+  /**
+   * The underlying error object.
+   */
+  error: Error;
+}
+
+/**
+ * Checks if an error is a signature verification failure.
+ * Matches error messages from both iOS and Android native implementations.
+ *
+ * **IMPORTANT**: This function relies on specific error message patterns from native code.
+ * If you change the error messages in the native implementations, update these patterns:
+ * - iOS: `ios/HotUpdater/Internal/SignatureVerifier.swift` (SignatureVerificationError)
+ * - Android: `android/src/main/java/com/hotupdater/SignatureVerifier.kt` (SignatureVerificationException)
+ */
+export function isSignatureVerificationError(error: unknown): boolean {
+  if (!(error instanceof Error)) {
+    return false;
+  }
+
+  const message = error.message.toLowerCase();
+
+  // Match iOS SignatureVerificationError messages
+  // Match Android SignatureVerificationException messages
+  return (
+    message.includes("signature verification") ||
+    message.includes("public key not configured") ||
+    message.includes("public key format is invalid") ||
+    message.includes("signature format is invalid") ||
+    message.includes("bundle may be corrupted or tampered")
+  );
+}
+
+/**
+ * Extracts signature verification failure details from an error.
+ */
+export function extractSignatureFailure(
+  error: unknown,
+  bundleId: string,
+): SignatureVerificationFailure {
+  const normalizedError =
+    error instanceof Error ? error : new Error(String(error));
+
+  return {
+    bundleId,
+    message: normalizedError.message,
+    error: normalizedError,
+  };
+}