hot-updater 0.22.2 → 0.23.0

package/dist/index.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { _ as __toESM, a as nativeFingerprint, c as showFingerprintDiff, d as IosConfigParser, f as require_plist, g as __require, h as __commonJS, i as generateFingerprints, l as isFingerprintEquals, m as AndroidConfigParser, o as readLocalFingerprint, p as require_base64_js, s as getFingerprintDiff, t as createAndInjectFingerprintFiles, u as require_out } from "./fingerprint-CrCon-HQ.js";
+import { _ as __toESM, a as nativeFingerprint, c as showFingerprintDiff, d as IosConfigParser, f as require_plist, g as __require, h as __commonJS, i as generateFingerprints, l as isFingerprintEquals, m as AndroidConfigParser, o as readLocalFingerprint, p as require_base64_js, s as getFingerprintDiff, t as createAndInjectFingerprintFiles, u as require_out } from "./fingerprint-11-3nNgi.js";
 import { EventEmitter, addAbortListener, on, once, setMaxListeners } from "node:events";
 import childProcess, { ChildProcess, execFile, spawn, spawnSync } from "node:child_process";
 import path from "node:path";
@@ -29,6 +29,7 @@ import { createServer } from "http";
 import { Http2ServerRequest } from "http2";
 import app from "@hot-updater/console";
 import net from "node:net";
+import crypto$1 from "node:crypto";
 import { HotUpdaterDB } from "@hot-updater/server";
 import { kyselyAdapter } from "@hot-updater/server/adapters/kysely";
 import { Kysely, MysqlDialect, PostgresDialect, SqliteDialect } from "kysely";
@@ -35436,6 +35437,160 @@ const appendOutputDirectoryIntoGitignore = ({ cwd } = {}) => {
 	});
 };
 
+//#endregion
+//#region src/utils/signing/keyGeneration.ts
+/**
+* Generate RSA key pair for bundle signing.
+* @param keySize Key size in bits (2048 or 4096)
+* @returns Promise resolving to key pair in PEM format
+*/
+async function generateKeyPair(keySize = 4096) {
+	return new Promise((resolve, reject) => {
+		crypto$1.generateKeyPair("rsa", {
+			modulusLength: keySize,
+			publicKeyEncoding: {
+				type: "spki",
+				format: "pem"
+			},
+			privateKeyEncoding: {
+				type: "pkcs8",
+				format: "pem"
+			}
+		}, (err, publicKey, privateKey) => {
+			if (err) reject(err);
+			else resolve({
+				privateKey,
+				publicKey
+			});
+		});
+	});
+}
+/**
+* Save key pair to disk with secure permissions.
+* @param keyPair Generated key pair
+* @param outputDir Directory to save keys
+*/
+async function saveKeyPair(keyPair, outputDir) {
+	await fs$2.mkdir(outputDir, { recursive: true });
+	const privateKeyPath = path.join(outputDir, "private-key.pem");
+	const publicKeyPath = path.join(outputDir, "public-key.pem");
+	await fs$2.writeFile(privateKeyPath, keyPair.privateKey, { mode: 384 });
+	await fs$2.writeFile(publicKeyPath, keyPair.publicKey, { mode: 420 });
+}
+/**
+* Load private key from PEM file.
+* @param privateKeyPath Path to private key file
+* @returns Private key in PEM format
+* @throws Error if file not found or invalid format
+*/
+async function loadPrivateKey(privateKeyPath) {
+	try {
+		const privateKey = await fs$2.readFile(privateKeyPath, "utf-8");
+		crypto$1.createPrivateKey(privateKey);
+		return privateKey;
+	} catch (error) {
+		throw new Error(`Failed to load private key from ${privateKeyPath}: ${error.message}`);
+	}
+}
+/**
+* Extract public key from private key.
+* @param privateKeyPEM Private key in PEM format
+* @returns Public key in PEM format
+*/
+function getPublicKeyFromPrivate(privateKeyPEM) {
+	const privateKey = crypto$1.createPrivateKey(privateKeyPEM);
+	return crypto$1.createPublicKey(privateKey).export({
+		type: "spki",
+		format: "pem"
+	});
+}
+
+//#endregion
+//#region src/utils/signing/bundleSigning.ts
+/**
+* Sign bundle fileHash with private key.
+* @param fileHash SHA-256 hash of bundle (hex string)
+* @param privateKeyPath Path to private key file
+* @returns Base64-encoded RSA-SHA256 signature
+*/
+async function signBundle(fileHash, privateKeyPath) {
+	const privateKeyPEM = await loadPrivateKey(privateKeyPath);
+	const fileHashBuffer = Buffer.from(fileHash, "hex");
+	const sign = crypto$1.createSign("RSA-SHA256");
+	sign.update(fileHashBuffer);
+	sign.end();
+	return sign.sign(privateKeyPEM).toString("base64");
+}
+
+//#endregion
+//#region src/utils/signing/validateSigningConfig.ts
+const ANDROID_KEY$1 = "hot_updater_public_key";
+const IOS_KEY$1 = "HOT_UPDATER_PUBLIC_KEY";
+/**
+* Validates signing configuration consistency between config file and native files.
+* Detects mismatches that would cause OTA updates to fail.
+*/
+async function validateSigningConfig(config) {
+	const signingEnabled = config.signing?.enabled ?? false;
+	const iosParser = new IosConfigParser(config.platform.ios.infoPlistPaths);
+	const androidParser = new AndroidConfigParser(config.platform.android.stringResourcePaths);
+	const [iosExists, androidExists] = await Promise.all([iosParser.exists(), androidParser.exists()]);
+	const [iosResult, androidResult] = await Promise.all([iosExists ? iosParser.get(IOS_KEY$1) : Promise.resolve({
+		value: null,
+		paths: []
+	}), androidExists ? androidParser.get(ANDROID_KEY$1) : Promise.resolve({
+		value: null,
+		paths: []
+	})]);
+	const issues = [];
+	if (signingEnabled) {
+		if (!iosResult.value && iosExists) issues.push({
+			type: "error",
+			platform: "ios",
+			code: "MISSING_PUBLIC_KEY",
+			message: "Signing is enabled but HOT_UPDATER_PUBLIC_KEY is missing from Info.plist",
+			resolution: "Run `npx hot-updater keys export-public` to add the public key, then rebuild your iOS app."
+		});
+		if (!androidResult.value && androidExists) issues.push({
+			type: "error",
+			platform: "android",
+			code: "MISSING_PUBLIC_KEY",
+			message: "Signing is enabled but hot_updater_public_key is missing from strings.xml",
+			resolution: "Run `npx hot-updater keys export-public` to add the public key, then rebuild your Android app."
+		});
+	} else {
+		if (iosResult.value) issues.push({
+			type: "warning",
+			platform: "ios",
+			code: "ORPHAN_PUBLIC_KEY",
+			message: "Signing is disabled but HOT_UPDATER_PUBLIC_KEY exists in Info.plist. This will cause OTA updates to be rejected.",
+			resolution: "Run `npx hot-updater keys remove` to remove public keys, or enable signing in hot-updater.config.ts"
+		});
+		if (androidResult.value) issues.push({
+			type: "warning",
+			platform: "android",
+			code: "ORPHAN_PUBLIC_KEY",
+			message: "Signing is disabled but hot_updater_public_key exists in strings.xml. This will cause OTA updates to be rejected.",
+			resolution: "Run `npx hot-updater keys remove` to remove public keys, or enable signing in hot-updater.config.ts"
+		});
+	}
+	return {
+		isValid: issues.filter((i$1) => i$1.type === "error").length === 0,
+		signingEnabled,
+		nativePublicKeys: {
+			ios: {
+				exists: !!iosResult.value,
+				paths: iosResult.paths
+			},
+			android: {
+				exists: !!androidResult.value,
+				paths: androidResult.paths
+			}
+		},
+		issues
+	};
+}
+
 //#endregion
 //#region src/utils/version/getDefaultTargetAppVersion.ts
 var import_valid$2 = /* @__PURE__ */ __toESM(require_valid$2(), 1);
@@ -35455,6 +35610,64 @@ const getDefaultTargetAppVersion = async (platform$2) => {
 	return version$1;
 };
 
+//#endregion
+//#region src/signedHashUtils.ts
+/**
+* Utilities for handling signed file hashes in Hot Updater.
+*
+* The signed hash format uses a simple prefix to indicate signing:
+* - Signed: `sig:<base64_signature>`
+* - Unsigned: `<hex_hash>` (plain SHA256)
+*
+* Signature verification implicitly verifies hash integrity,
+* so we only need to store the signature for signed bundles.
+*
+* @module signedHashUtils
+*/
+/**
+* Prefix indicating a signed file hash.
+* @example "sig:MEUCIQDx..."
+*/
+const SIGNED_HASH_PREFIX = "sig:";
+/**
+* Custom error class for signed hash format errors.
+*/
+var SignedHashFormatError = class extends Error {
+	/**
+	* Creates a new SignedHashFormatError.
+	*
+	* @param message - Description of the format error
+	* @param input - The malformed input string that caused the error
+	*/
+	constructor(message, input) {
+		super(message);
+		this.input = input;
+		this.name = "SignedHashFormatError";
+	}
+};
+/**
+* Creates a signed file hash from a signature.
+*
+* The format is: `sig:<base64_signature>`
+*
+* Note: The hash is not stored because signature verification
+* implicitly verifies the hash (the signature is computed over the hash).
+*
+* @param signature - The Base64-encoded RSA-SHA256 signature
+* @returns The signed file hash string
+* @throws {SignedHashFormatError} If the signature is empty
+*
+* @example
+* ```typescript
+* const signedHash = createSignedFileHash("MEUCIQDx...");
+* // Returns: "sig:MEUCIQDx..."
+* ```
+*/
+function createSignedFileHash(signature) {
+	if (!signature || signature.trim().length === 0) throw new SignedHashFormatError("Invalid signature: signature cannot be empty", signature ?? "");
+	return `${SIGNED_HASH_PREFIX}${signature}`;
+}
+
 //#endregion
 //#region src/commands/deploy.ts
 var import_valid$1 = /* @__PURE__ */ __toESM(require_valid$2(), 1);
@@ -35486,6 +35699,31 @@ const deploy = async (options) => {
 		console.error("No config found. Please run `hot-updater init` first.");
 		process.exit(1);
 	}
+	const signingValidation = await validateSigningConfig(config);
+	if (signingValidation.issues.length > 0) {
+		const errors = signingValidation.issues.filter((i$1) => i$1.type === "error");
+		const warnings = signingValidation.issues.filter((i$1) => i$1.type === "warning");
+		if (errors.length > 0) {
+			console.log("");
+			p.log.error("Signing configuration error:");
+			for (const issue of errors) {
+				p.log.error(`  ${issue.message}`);
+				p.log.info(`  Resolution: ${issue.resolution}`);
+			}
+			console.log("");
+			p.log.error("Deployment blocked. Fix the signing configuration and try again.");
+			process.exit(1);
+		}
+		if (warnings.length > 0) {
+			console.log("");
+			p.log.warn("Signing configuration warning:");
+			for (const warning of warnings) {
+				p.log.warn(`  ${warning.message}`);
+				p.log.info(`  Resolution: ${warning.resolution}`);
+			}
+			console.log("");
+		}
+	}
 	const target = {
 		appVersion: null,
 		fingerprintHash: null
@@ -35589,6 +35827,20 @@ const deploy = async (options) => {
 				}
 				bundleId = taskRef.buildResult.bundleId;
 				fileHash = await getFileHashFromFile(bundlePath);
+				if (config.signing?.enabled) {
+					if (!config.signing.privateKeyPath) throw new Error("privateKeyPath is required when signing is enabled. Please provide a valid path to your RSA private key in hot-updater.config.ts");
+					const s$1 = p.spinner();
+					s$1.start("Signing bundle");
+					try {
+						fileHash = createSignedFileHash(await signBundle(fileHash, config.signing.privateKeyPath));
+						s$1.stop("Bundle signed successfully");
+					} catch (error) {
+						s$1.stop("Failed to sign bundle", 1);
+						p.log.error(`Signing error: ${error.message}`);
+						p.log.error("Ensure private key path is correct and file has proper permissions");
+						throw error;
+					}
+				}
 				p.log.success(`Bundle stored at ${colors.blueBright(path$1.relative(cwd, bundlePath))}`);
 				return `✅ Build Complete (${buildPlugin.name})`;
 			}
@@ -37266,6 +37518,319 @@ async function generateStandaloneSQL(options) {
 	}
 }
 
+//#endregion
+//#region src/commands/keys.ts
+const ANDROID_KEY = "hot_updater_public_key";
+const IOS_KEY = "HOT_UPDATER_PUBLIC_KEY";
+/**
+* Generate RSA key pair for code signing.
+* Usage: npx hot-updater keys:generate [--output ./keys] [--key-size 4096]
+*/
+const keysGenerate = async (options = {}) => {
+	const cwd = getCwd();
+	const outputDir = options.output ? path.isAbsolute(options.output) ? options.output : path.join(cwd, options.output) : path.join(cwd, "keys");
+	const keySize = options.keySize ?? 4096;
+	p.log.info(`Generating ${keySize}-bit RSA key pair...`);
+	const spinner = p.spinner();
+	spinner.start("Generating keys");
+	try {
+		await saveKeyPair(await generateKeyPair(keySize), outputDir);
+		spinner.stop("Keys generated successfully");
+		p.log.success(`Private key: ${path.join(outputDir, "private-key.pem")}`);
+		p.log.success(`Public key: ${path.join(outputDir, "public-key.pem")}`);
+		console.log("");
+		p.log.warn("⚠️  Keep private key secure!");
+		p.log.warn("   - Add keys/ to .gitignore");
+		p.log.warn("   - Use secure storage for CI/CD (AWS Secrets Manager, etc.)");
+		console.log("");
+		p.log.info("Next steps:");
+		p.log.info("1. Add to hot-updater.config.ts:");
+		p.log.info("   signing: { enabled: true, privateKeyPath: \"./keys/private-key.pem\" }");
+		p.log.info("2. Run: npx hot-updater keys export-public");
+		p.log.info("3. Embed public key in iOS Info.plist and Android strings.xml");
+		p.log.info("4. Rebuild native app");
+	} catch (error) {
+		spinner.stop("Failed to generate keys", 1);
+		p.log.error(error.message);
+		process.exit(1);
+	}
+};
+async function writePublicKeyToAndroid(publicKey, customPaths) {
+	try {
+		const androidParser = new AndroidConfigParser(customPaths);
+		if (!await androidParser.exists()) return {
+			platform: "android",
+			paths: [],
+			success: false,
+			error: "No strings.xml files found"
+		};
+		return {
+			platform: "android",
+			paths: (await androidParser.set(ANDROID_KEY, publicKey)).paths,
+			success: true
+		};
+	} catch (error) {
+		return {
+			platform: "android",
+			paths: [],
+			success: false,
+			error: error.message
+		};
+	}
+}
+async function writePublicKeyToIos(publicKey, customPaths) {
+	try {
+		const iosParser = new IosConfigParser(customPaths);
+		if (!await iosParser.exists()) return {
+			platform: "ios",
+			paths: [],
+			success: false,
+			error: "No Info.plist files found"
+		};
+		return {
+			platform: "ios",
+			paths: (await iosParser.set(IOS_KEY, publicKey)).paths,
+			success: true
+		};
+	} catch (error) {
+		return {
+			platform: "ios",
+			paths: [],
+			success: false,
+			error: error.message
+		};
+	}
+}
+function printPublicKeyInstructions(publicKeyPEM) {
+	console.log("");
+	console.log(colors.cyan("═══════════════════════════════════════════════════════"));
+	console.log(colors.cyan("Public Key (embed in native configuration)"));
+	console.log(colors.cyan("═══════════════════════════════════════════════════════"));
+	console.log("");
+	console.log(publicKeyPEM);
+	console.log("");
+	console.log(colors.yellow("iOS Configuration (Info.plist):"));
+	console.log("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━");
+	console.log("<key>HOT_UPDATER_PUBLIC_KEY</key>");
+	console.log(`<string>${publicKeyPEM.trim().replace(/\n/g, "\\n")}</string>`);
+	console.log("");
+	console.log(colors.yellow("Android Configuration (res/values/strings.xml):"));
+	console.log("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━");
+	console.log("<string name=\"hot_updater_public_key\">");
+	console.log(publicKeyPEM.trim());
+	console.log("</string>");
+	console.log("");
+	console.log(colors.cyan("═══════════════════════════════════════════════════════"));
+}
+/**
+* Export public key for embedding in native configuration.
+* By default, writes the public key to iOS Info.plist and Android strings.xml.
+* Use --print-only to only display the key without modifying files.
+*
+* The private key path is read from hot-updater.config.ts (signing.privateKeyPath)
+* unless overridden with --input.
+*
+* Usage: npx hot-updater keys export-public [--input ./keys/private-key.pem] [--print-only] [--yes]
+*/
+const keysExportPublic = async (options = {}) => {
+	const cwd = getCwd();
+	const config = await loadConfig(null);
+	const configPrivateKeyPath = config.signing?.privateKeyPath;
+	let privateKeyPath;
+	if (options.input) privateKeyPath = path.isAbsolute(options.input) ? options.input : path.join(cwd, options.input);
+	else if (configPrivateKeyPath) privateKeyPath = path.isAbsolute(configPrivateKeyPath) ? configPrivateKeyPath : path.join(cwd, configPrivateKeyPath);
+	else privateKeyPath = path.join(cwd, "keys", "private-key.pem");
+	try {
+		const publicKeyPEM = getPublicKeyFromPrivate(await loadPrivateKey(privateKeyPath));
+		if (options.printOnly) {
+			printPublicKeyInstructions(publicKeyPEM);
+			return;
+		}
+		p.log.info("Preparing to write public key to native configuration files...");
+		const androidParser = new AndroidConfigParser(config.platform.android.stringResourcePaths);
+		const iosParser = new IosConfigParser(config.platform.ios.infoPlistPaths);
+		const androidExists = await androidParser.exists();
+		const iosExists = await iosParser.exists();
+		if (!androidExists && !iosExists) {
+			p.log.error("No native configuration files found.");
+			p.log.info("Tip: Use --print-only to display the key for manual configuration.");
+			process.exit(1);
+		}
+		console.log("");
+		p.log.step("Files to be updated:");
+		if (androidExists) {
+			const androidPaths = config.platform.android.stringResourcePaths;
+			if (androidPaths.length === 1) p.log.info(`  Android: ${androidPaths[0]} (${ANDROID_KEY})`);
+			else {
+				p.log.info(`  Android (${ANDROID_KEY}):`);
+				for (const androidPath of androidPaths) p.log.info(`    - ${androidPath}`);
+			}
+		}
+		if (iosExists) {
+			const iosPaths = config.platform.ios.infoPlistPaths;
+			if (iosPaths.length === 1) p.log.info(`  iOS: ${iosPaths[0]} (${IOS_KEY})`);
+			else {
+				p.log.info(`  iOS (${IOS_KEY}):`);
+				for (const iosPath of iosPaths) p.log.info(`    - ${iosPath}`);
+			}
+		}
+		console.log("");
+		if (!options.yes) {
+			const shouldContinue = await p.confirm({
+				message: "Write public key to native files?",
+				initialValue: true
+			});
+			if (p.isCancel(shouldContinue) || !shouldContinue) {
+				p.cancel("Operation cancelled");
+				process.exit(0);
+			}
+		}
+		const results = [];
+		if (androidExists) results.push(await writePublicKeyToAndroid(publicKeyPEM.trim(), config.platform.android.stringResourcePaths));
+		if (iosExists) results.push(await writePublicKeyToIos(publicKeyPEM.trim(), config.platform.ios.infoPlistPaths));
+		console.log("");
+		for (const result of results) if (result.success) p.log.success(`${result.platform}: Updated ${result.paths.join(", ")}`);
+		else p.log.error(`${result.platform}: ${result.error}`);
+		const successCount = results.filter((r) => r.success).length;
+		console.log("");
+		if (successCount === results.length) {
+			p.log.success("Public key written to all native files!");
+			p.log.info("Next step: Rebuild your native app to apply the changes.");
+		} else if (successCount > 0) p.log.warn("Public key written to some files. Check errors above.");
+		else {
+			p.log.error("Failed to write public key to any native files.");
+			process.exit(1);
+		}
+	} catch (error) {
+		p.log.error(`Failed to export public key: ${error.message}`);
+		process.exit(1);
+	}
+};
+async function removePublicKeyFromAndroid(customPaths) {
+	try {
+		const androidParser = new AndroidConfigParser(customPaths);
+		if (!await androidParser.exists()) return {
+			platform: "android",
+			paths: [],
+			success: true,
+			found: false
+		};
+		const existing = await androidParser.get(ANDROID_KEY);
+		if (!existing.value) return {
+			platform: "android",
+			paths: existing.paths,
+			success: true,
+			found: false
+		};
+		return {
+			platform: "android",
+			paths: (await androidParser.remove(ANDROID_KEY)).paths,
+			success: true,
+			found: true
+		};
+	} catch (error) {
+		return {
+			platform: "android",
+			paths: [],
+			success: false,
+			found: true,
+			error: error.message
+		};
+	}
+}
+async function removePublicKeyFromIos(customPaths) {
+	try {
+		const iosParser = new IosConfigParser(customPaths);
+		if (!await iosParser.exists()) return {
+			platform: "ios",
+			paths: [],
+			success: true,
+			found: false
+		};
+		const existing = await iosParser.get(IOS_KEY);
+		if (!existing.value) return {
+			platform: "ios",
+			paths: existing.paths,
+			success: true,
+			found: false
+		};
+		return {
+			platform: "ios",
+			paths: (await iosParser.remove(IOS_KEY)).paths,
+			success: true,
+			found: true
+		};
+	} catch (error) {
+		return {
+			platform: "ios",
+			paths: [],
+			success: false,
+			found: true,
+			error: error.message
+		};
+	}
+}
+/**
+* Remove public keys from native configuration files.
+* Automatically detects and removes keys from both iOS and Android.
+*
+* Usage: npx hot-updater keys remove [--yes]
+*/
+const keysRemove = async (options = {}) => {
+	const config = await loadConfig(null);
+	const androidParser = new AndroidConfigParser(config.platform.android.stringResourcePaths);
+	const iosParser = new IosConfigParser(config.platform.ios.infoPlistPaths);
+	const [androidExists, iosExists] = await Promise.all([androidParser.exists(), iosParser.exists()]);
+	if (!androidExists && !iosExists) {
+		p.log.info("No native configuration files found.");
+		return;
+	}
+	const [androidKey, iosKey] = await Promise.all([androidExists ? androidParser.get(ANDROID_KEY) : Promise.resolve({
+		value: null,
+		paths: []
+	}), iosExists ? iosParser.get(IOS_KEY) : Promise.resolve({
+		value: null,
+		paths: []
+	})]);
+	const foundKeys = [];
+	if (iosKey.value) foundKeys.push(`iOS: ${iosKey.paths.join(", ")}`);
+	if (androidKey.value) foundKeys.push(`Android: ${androidKey.paths.join(", ")}`);
+	if (foundKeys.length === 0) {
+		p.log.info("No public keys found in native files.");
+		return;
+	}
+	console.log("");
+	p.log.step("Found public keys in:");
+	for (const key of foundKeys) p.log.info(`  • ${key}`);
+	console.log("");
+	if (!options.yes) {
+		const shouldContinue = await p.confirm({
+			message: "Remove public keys from these files?",
+			initialValue: false
+		});
+		if (p.isCancel(shouldContinue) || !shouldContinue) {
+			p.cancel("Operation cancelled");
+			return;
+		}
+	}
+	const results = [];
+	if (iosKey.value) results.push(await removePublicKeyFromIos(config.platform.ios.infoPlistPaths));
+	if (androidKey.value) results.push(await removePublicKeyFromAndroid(config.platform.android.stringResourcePaths));
+	console.log("");
+	for (const result of results) if (result.success && result.found) p.log.success(`Removed ${result.platform === "ios" ? IOS_KEY : ANDROID_KEY} from ${result.paths.join(", ")}`);
+	else if (!result.success) p.log.error(`${result.platform}: ${result.error}`);
+	const successCount = results.filter((r) => r.success && r.found).length;
+	console.log("");
+	if (successCount > 0) {
+		p.log.success("Public keys removed from native files!");
+		console.log("");
+		p.log.info("Next steps:");
+		p.log.info("  1. Rebuild your native apps");
+		p.log.info("  2. Release to app stores");
+		p.log.info("  3. Deploy unsigned bundles with `npx hot-updater deploy`");
+	}
+};
+
 //#endregion
 //#region src/commands/migrate.ts
 /**
@@ -37447,6 +38012,17 @@ fingerprintCommand.command("create").description("Create fingerprint").action(ha
 const channelCommand = program.command("channel").description("Manage channels");
 channelCommand.action(handleChannel);
 channelCommand.command("set").description("Set the channel for Android (BuildConfig) and iOS (Info.plist)").argument("<channel>", "the channel to set").action(handleSetChannel);
+const keysCommand = program.command("keys").description("Code signing key management");
+keysCommand.command("generate").description("Generate RSA key pair for code signing").option("-o, --output <dir>", "output directory for keys", "./keys").option("-k, --key-size <size>", "key size (2048 or 4096)", (value) => {
+	const size = Number.parseInt(value, 10);
+	if (size !== 2048 && size !== 4096) {
+		p.log.error("Key size must be 2048 or 4096");
+		process.exit(1);
+	}
+	return size;
+}, 4096).action(keysGenerate);
+keysCommand.command("export-public").description("Export public key for native configuration").option("-i, --input <path>", "path to private key file (default: from config signing.privateKeyPath in hot-updater.config.ts)").option("-p, --print-only", "only print the public key without writing to native files").option("-y, --yes", "skip confirmation prompt when writing to native files").action(keysExportPublic);
+keysCommand.command("remove").description("Remove public keys from native configuration files").option("-y, --yes", "skip confirmation prompt").action(keysRemove);
 program.command("deploy").description("deploy a new version").addOption(platformCommandOption).addOption(new Option("-t, --target-app-version <targetAppVersion>", "specify the target app version (semver format e.g. 1.0.0, 1.x.x)").argParser((value) => {
 	if (!(0, import_valid.default)(value)) {
 		p.log.error("Invalid semver format (e.g. 1.0.0, 1.x.x)");

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "hot-updater",
   "type": "module",
-  "version": "0.22.2",
+  "version": "0.23.0",
   "bin": {
     "hot-updater": "./dist/index.js"
   },
@@ -55,11 +55,11 @@
     "kysely": "0.28.8",
     "sql-formatter": "15.6.10",
     "cosmiconfig-typescript-loader": "5.0.0",
-    "@hot-updater/cli-tools": "0.22.2",
-    "@hot-updater/console": "0.22.2",
-    "@hot-updater/core": "0.22.2",
-    "@hot-updater/plugin-core": "0.22.2",
-    "@hot-updater/server": "0.22.2"
+    "@hot-updater/cli-tools": "0.23.0",
+    "@hot-updater/console": "0.23.0",
+    "@hot-updater/core": "0.23.0",
+    "@hot-updater/plugin-core": "0.23.0",
+    "@hot-updater/server": "0.23.0"
   },
   "devDependencies": {
     "semver": "^7.6.3",
@@ -89,12 +89,12 @@
     "plist": "^3.1.0",
     "read-package-up": "^11.0.0",
     "uuidv7": "^1.0.2",
-    "@hot-updater/aws": "0.22.2",
-    "@hot-updater/server": "0.22.2",
-    "@hot-updater/firebase": "0.22.2",
-    "@hot-updater/cloudflare": "0.22.2",
-    "@hot-updater/supabase": "0.22.2",
-    "@hot-updater/test-utils": "0.22.2"
+    "@hot-updater/aws": "0.23.0",
+    "@hot-updater/server": "0.23.0",
+    "@hot-updater/firebase": "0.23.0",
+    "@hot-updater/cloudflare": "0.23.0",
+    "@hot-updater/supabase": "0.23.0",
+    "@hot-updater/test-utils": "0.23.0"
   },
   "peerDependencies": {
     "@hot-updater/aws": "*",