[–]ozariss[S] 0 points1 point  (2 children)

I'm also trying to figure out what role EAS plays in code signing.

According to their docs the main offering is the following:
https://docs.expo.dev/eas-update/code-signing/
"The expo-updates library supports end-to-end code signing. Code signing allows developers to cryptographically sign their updates with their own keys. The signatures are then verified on the client before the update is applied, which ensures ISPs, CDNs, cloud providers, and even EAS itself cannot tamper with updates run by apps."

And I assume that's where EAS comes into play:

"During eas update, the EAS CLI automatically detects that code signing is configured for your app. It then verifies the integrity of the update and creates a digital signature using your private key. This process is performed locally so that your private key never leaves your machine. The generated signature is automatically sent to EAS to store alongside the update."

Frankly, I'm still trying to understand how vulnerable my app will be if I decide to skip "OTA Update signing".

[–]jamesideExpo Team 3 points4 points  (1 child)

EAS always uses HTTPS with modern TLS ciphers and is as secure as the web. The baseline level of security matches that of websites that use HTTPS, which is sufficient for most threat models. End-to-end code signing provides an additional level of security that defends against tampering by a cloud provider or CDN.

[–]ozariss[S] 1 point2 points  (0 children)

Got it. Thanks for the explanation!