fix(CodeSigningPlugin): sign assets at processAssets ANALYSE stage before REPORT by JhohellsDL · Pull Request #1379 · callstack/repack

JhohellsDL · 2026-04-11T18:06:12Z

Summary

CodeSigningPlugin was signing bundles in compiler.hooks.assetEmitted,
which fires after processAssets completes. When using withZephyr(),
Zephyr captures and uploads assets at PROCESS_ASSETS_STAGE_REPORT (5000)
— before assetEmitted fires — resulting in unsigned bundles being uploaded
to the CDN, making verifyScriptSignature: 'strict' ineffective.

Changes

Moved signing logic from assetEmitted to processAssets at
PROCESS_ASSETS_STAGE_ANALYSE (2000), before Zephyr's REPORT stage (5000)
Assets are now signed in memory via compilation.updateAsset()
instead of reading/writing from disk
Removed chunkFilenames Set and emit hook — no longer needed since
signing iterates compilation.chunks directly inside processAssets
Added test verifying assets are signed before REPORT stage
Updated documentation with ## Behavior section explaining the signing stage

Testing

All existing tests pass
Added new test simulating a plugin at REPORT stage confirming
assets are already signed when captured
Verified end-to-end in production with withZephyr() — bundles
uploaded to CDN now contain the signature and verifyScriptSignature: 'strict'
works correctly

…fore REPORT

changeset-bot · 2026-04-11T18:06:15Z

🦋 Changeset detected

Latest commit: b7f7682

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages

Name	Type
@callstack/repack	Patch
@callstack/repack-plugin-expo-modules	Patch
@callstack/repack-plugin-nativewind	Patch
@callstack/repack-plugin-reanimated	Patch
@callstack/repack-dev-server	Patch
@callstack/repack-init	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

vercel · 2026-04-11T18:06:17Z

@JhohellsDL is attempting to deploy a commit to the Callstack Team on Vercel.

A member of the Team first needs to authorize it.

dannyhw · 2026-04-13T13:33:21Z

Is there some simple way to test this locally? What would you recommend? @JhohellsDL

MikitasK

the PR is pretty solid 👍

I tested it locally with apps/tester-app using temporary processAssets REPORT-stage capture plugin & the results satisfied my expectations:

capture report showed all remote chunks signed at REPORT stage (they're showed unsigned on main branch tho)
remote chunk loads successfully when verifyScriptSignature: 'strict' & public key embedded in the app

Screen.Recording.2026-04-14.at.17.17.40.mp4

can you just consider a few suggestions before merge:

…adability

MikitasK

LGTM 🙌

dannyhw · 2026-04-21T17:22:12Z

@JhohellsDL could you please take a look and resolve the linting errors

…t readability

JhohellsDL · 2026-04-21T17:40:31Z

@dannyhw, thanks for the feedback! I’ve addressed the linting issues and pushed an update. Please take another look.

jbroma

few nits, LGTM overall 👍

dannyhw · 2026-04-22T09:25:53Z

@JhohellsDL if you can address those last comments I think we can move forward and merge this 👍

…ingPlugin

JhohellsDL · 2026-04-22T13:33:09Z

@dannyhw, Ready, I’ve addressed the comments. I’ll keep an eye out for any further feedback 👍

dannyhw · 2026-04-22T20:49:23Z

Thanks @JhohellsDL, appreciate your responsiveness and all your hard work 🙇‍♂️

dannyhw

thanks for your contribution 🙇‍♂️

fix(CodeSigningPlugin): sign assets at processAssets ANALYSE stage be…

dc3d3fe

…fore REPORT

JhohellsDL mentioned this pull request Apr 11, 2026

CodeSigningPlugin signs too late (assetEmitted) – incompatible with in-memory asset consumers (e.g. Zephyr) #1377

Closed

MikitasK reviewed Apr 14, 2026

View reviewed changes

refactor(CodeSigningPlugin): extract signAsset method for improved re…

94a9e64

…adability

MikitasK approved these changes Apr 15, 2026

View reviewed changes

refactor(CodeSigningPlugin): simplify hash generation and improve tes…

21cd79b

…t readability

jbroma approved these changes Apr 21, 2026

View reviewed changes

Comment thread website/src/v4/docs/plugins/code-signing.md

Comment thread website/src/latest/api/plugins/code-signing.md

Comment thread packages/repack/src/plugins/CodeSigningPlugin/CodeSigningPlugin.ts

refactor(CodeSigningPlugin): add constructor description for CodeSign…

ec0f398

…ingPlugin

dannyhw and others added 2 commits April 22, 2026 22:09

fix: linting

b204e05

Merge branch 'main' into fix/code-signing-plugin-zephyr-timing

b7f7682

dannyhw approved these changes Apr 23, 2026

View reviewed changes

dannyhw merged commit 8ab3105 into callstack:main Apr 23, 2026
3 of 4 checks passed

Conversation

JhohellsDL commented Apr 11, 2026

Summary

Changes

Testing

Uh oh!

changeset-bot Bot commented Apr 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🦋 Changeset detected

Uh oh!

vercel Bot commented Apr 11, 2026

Uh oh!

dannyhw commented Apr 13, 2026

Uh oh!

MikitasK left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

MikitasK left a comment

Choose a reason for hiding this comment

Uh oh!

dannyhw commented Apr 21, 2026

Uh oh!

JhohellsDL commented Apr 21, 2026

Uh oh!

jbroma left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dannyhw commented Apr 22, 2026

Uh oh!

JhohellsDL commented Apr 22, 2026

Uh oh!

dannyhw commented Apr 22, 2026

Uh oh!

dannyhw left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

changeset-bot Bot commented Apr 11, 2026 •

edited

Loading

MikitasK left a comment •

edited

Loading