Package Hash missmatch with Code Signing

[ludufre]

If release an update with Code Signing the package_hash stored in database have to be equal the hash inside JWT token (.codepushrelease). What is calculated by the server mismatch the hash inside JWT of the bundle.

Steps to reproduce:

• Generate public and private key
• Add the public key to config.xml <preference name="CodePushPublicKey" value="MIIBIjANB..."> (without ----BEGIN--- and without breaklines)
• Release update with --privateKeyPath pointing to private key file.
• Try update from the App.
• You'll receive: The update contents failed the data integrity check.. StackTrace: packageHashSuccess

To fix:

• Copy the bundle file from the server to your machine, add .zip to filename and extract.
• Open the www/.codepushrelease and copy the content (this is a JWT).
• Paste on https://jwt.io and copy the contentHash
• Replace the column packages.update_hash with contentHash value.
• Make sure refresh packages cache from server.
• Try update again, and works.

[rocwind]

Hi @ludufre ,
thanks for reporting the issue.
would you please let us known the code-push-cli and react-native-code-push versions that you were using?
Since we are using this code push server with code signing on as well and didn't see such issue recently. the packages that works for us:

• @shm-open/code-push-server@1.0.6
• @shm-open/code-push-cli@2.5.2
• react-native-code-push@7.0.2 with patch fix: fix new File by only fileName microsoft/react-native-code-push#2149

[ludufre]

Hi @rocwind,
Actually I'm using cordova-plugin-code-push@latest.
I figured out whats happening. After upload an signed package, the hash saved in database is updated after check of the manifest.

As tried to access a folder that did not exist (public/) I gave an error and did not update the hash. I changed the folder to (www/).

I've just update this line and works: https://github.com/ludufre/code-push-server/blob/master/core/utils/security.js#L207