Use SDK

Last Updated: Mar 24, 2021

After adding the SDK, complete the following steps to integrate Hotpatch into your project:

  1. Configure project
  2. Manage encrypted information
  3. Synchronize server script
  4. Hot fix online problem

Configure project

After adding an SDK, you need to configure a project as follows:

  1. Set Product Version in the info.plist file to specify the app version. The app released on the release platform must be of the configured version.

  2. The release platform supports gray release based on a whitelist. If a whitelist is released, the server uses it to decide whether to deliver a hotpatch package when a client requests a hotpatch script. Therefore, the client needs to specify userId in a category of MPaaSInterface.

Upgrade precautions

The Product ID parameter in info.plist is no longer required since version 10.1.32. The mPaaS middle tier reads the product ID from meta.config. The category of the DynamicReleaseInterface class used in earlier versions is no longer required either. After an upgrade, check the project for earlier-version configurations and remove any that remain.

Manage encrypted information

The hotpatch function has a custom signature verification process to ensure the correctness of script sources. You need to use mPaaS Xcode Extension to encrypt and sign the original JavaScript file and then upload it to the release platform. The procedure is as follows:

  1. Read the script content and encrypt the content by using MD5.
  2. Read the script content in binary format and encrypt the binary content by using AES128.
  3. Create a .zip file and add the previously encrypted content to the .zip file.
  4. Read the .zip file content in binary format, and encrypt the content by using AES128. The encrypted content is saved in a .zip file.
  5. Read the .zip file content in binary format and use the SHA1 algorithm to sign it.
  6. Read the .zip file content in binary format, and generate a script package containing the binary file content, data delimiters, and signature data.

The client obtains the script package from the release platform, then verifies and decrypts it by performing these steps in reverse order to obtain the executable script.

During signature verification and encryption/decryption for the hotpatch script, a pair of keys for RSA asymmetric encryption and a key for AES symmetric encryption are involved. Each app must use its own keys to ensure script delivery security.

Manage RSA asymmetric encryption

You need to manage RSA asymmetric encryption as follows:

  1. Run the following commands to generate a public key file (public_key.pem) and a private key file (private_key.pem):

        openssl genrsa -out private_key.pem 2048
        openssl rsa -in private_key.pem -pubout -out public_key.pem
  2. Add the public key file to the project.
  3. In main.m, verify the signature of the public key to ensure that the public key file is not replaced. The procedure is as follows:

    1. Run the following command to generate a binary signature string of the public key file:

            mpaas inst hotpatch sign -i /path/to/rsa_public_key.pem -p /path/to/rsa_private_key.pem -o /path/to/output.sig

      • -i: public key file public_key.pem generated by using OpenSSL
      • -p: private key file private_key.pem generated by using OpenSSL
      • -o: path of the output file for the binary signature string

    2. Copy the displayed signature array into main.m so that the app can verify the signature of the public key at startup. The code sample is as follows:

            #import <UIKit/UIKit.h>
            #import <MPDynamicAdapter/MPDynamicInterface.h>
            #import "AppDelegate.h"

            // Checks the bundled public_key.pem against the signature compiled into the binary.
            static BOOL initDynamicSec()
            {
                // Signature array displayed by `mpaas inst hotpatch sign`.
                char sig[] = {0xa,0xbb,0xe7,0x59,0x3a,0xf3,0x25,0x71,0x2d,0x24,0x35,0xac,0x69,0x5a,0x6b,0x4e,0x92,0x8f,0xf0,0x8c,0xcd,0xd,0x38,0x4,0xe2,0x97,0xb8,0x2a,0xe1,0xf7,0x6a,0x57,0xd9,0x9d,0x1b,0x6d,0x8b,0x3,0xc6,0x8d,0xc5,0xa,0x57,0x39,0x7b,0x98,0xe1,0xca,0x74,0x93,0xf8,0xf1,0x15,0xbd,0xfe,0x4,0x7,0x24,0xa5,0xda,0xe8,0x37,0x4e,0x8d,0x9b,0x56,0x86,0xe9,0xc2,0x2c,0x60,0x8f,0x9f,0x99,0x40,0xf1,0x97,0x97,0x15,0xd1,0x26,0x87,0x79,0x24,0x79,0x20,0xd6,0x96,0x62,0x70,0xbe,0x7c,0xda,0x1,0x63,0xe9,0x19,0xe1,0x1f,0x5a,0xc2,0x1b,0x97,0x1a,0xdb,0x11,0xbd,0xee,0xdc,0x40,0x99,0xc1,0x54,0x6e,0x9a,0x30,0xb2,0x44,0x45,0x64,0xa9,0xc,0xea,0x86,0x4c,0x7d,0x91,0x30,0xf5,0x41,0xe,0x30,0x8f,0x9c,0x85,0xdb,0xd,0xc1,0xc1,0xec,0x7d,0x31,0xb,0x77,0xce,0xf2,0xd5,0x5,0xd1,0xe9,0x32,0xf7,0x15,0xa5,0x53,0x79,0xee,0x55,0x86,0x2c,0x9a,0x30,0x2b,0xd,0xe9,0x36,0x9,0x31,0x26,0xa5,0x6d,0xaf,0xd,0xd5,0x72,0x16,0xd2,0xd7,0x2c,0x88,0x13,0x6a,0x87,0xf0,0x4c,0x7e,0xb0,0x34,0xc,0x2a,0x75,0xc3,0x71,0x18,0x6f,0xbc,0xc9,0x8a,0xb9,0x50,0xdd,0x7,0x19,0x76,0x7d,0x2d,0xcf,0x2d,0xc0,0xa6,0xe7,0x1d,0x48,0x26,0x6,0xee,0x2,0xb,0x5a,0x85,0x36,0x54,0x7e,0x9a,0x4d,0xf6,0x27,0x9c,0x30,0xc8,0x63,0x74,0x8b,0x82,0x9b,0x64,0x3b,0xd6,0x13,0x53,0xdc,0x36,0xb5,0xbc,0xb2,0x6a,0xd0,0x8f,0x18,0xbd,0x2a,0x5c,0x4b,0x4,0xc1,0x45};
                NSString *path;
                path = [[NSBundle mainBundle] pathForResource:@"public_key" ofType:@"pem"];
                return [MPDynamicInterface initDynamicSecWithPublicKey:path signature:sig sigLength:sizeof(sig)];
            }

            int main(int argc, char * argv[]) {
                @autoreleasepool {
                    // Run the check before the app starts.
                    BOOL ret = initDynamicSec();
                    if (NO == ret) {
                        NSLog(@"The public key is modified.");
                    }
                    return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
                }
            }
    Note: If initDynamicSec() returns NO, the public and private keys do not match and need to be changed. The mismatch between the public and private keys leads to the failure to verify the package delivered by the platform on the client, thereby resulting in a hotpatch failure.
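
The public key check in main.m and the client-side signature check on a delivered script, reproduced with plain OpenSSL as an added example (not mPaaS code and not part of the original page). It assumes RSA signatures over SHA-256 through openssl dgst; the helper functions and file names are hypothetical, and the signature and package formats used by the mpaas tool may differ.

```shell
#!/bin/sh
# Added example. Assumption: RSA signatures over SHA-256 via `openssl dgst`;
# the format used by the mpaas tool is not documented here and may differ.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a 2048-bit key pair with the same commands as step 1.
make_keys() {    # $1 = file name prefix
    openssl genrsa -out "$WORK/${1}_private.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/${1}_private.pem" -pubout \
        -out "$WORK/${1}_public.pem" 2>/dev/null
}

# Sign a file with the private key (build machine side).
sign_file() {    # $1 = private key, $2 = file, $3 = signature output
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Return 0 only if the signature matches the file under the public key.
verify_file() {  # $1 = public key, $2 = file, $3 = signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Pinning check: the bundled key file must verify the signature of itself
# that was fixed at build time (the role of sig[] in main.m).
check_pinned_key() {  # $1 = bundled public key, $2 = pinned signature
    verify_file "$1" "$1" "$2"
}

make_keys app      # the app's own key pair
make_keys other    # constructed stand-in for a replaced public_key.pem
sign_file "$WORK/app_private.pem" "$WORK/app_public.pem" "$WORK/pinned.sig"

# Constructed sample script and its signature.
printf 'console.log("fixed");\n' > "$WORK/Test.js"
sign_file "$WORK/app_private.pem" "$WORK/Test.js" "$WORK/Test.sig"

check_pinned_key "$WORK/app_public.pem" "$WORK/pinned.sig" && echo "key: ok"
check_pinned_key "$WORK/other_public.pem" "$WORK/pinned.sig" || echo "key: replaced"
verify_file "$WORK/app_public.pem" "$WORK/Test.js" "$WORK/Test.sig" && echo "script: ok"
echo '// modified in transit' >> "$WORK/Test.js"
verify_file "$WORK/app_public.pem" "$WORK/Test.js" "$WORK/Test.sig" || echo "script: tampered"
```

A replaced key file fails the check because the pinned signature was produced by the original private key, and a script changed after signing fails verification before it would be executed.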

Manage AES symmetric encryption

The AES symmetric encryption key is stored in the Security Guard picture yw_1222.jpg.

  • Public cloud: After you complete basic access steps by referring to the hotpatch SDK document, a Security Guard picture is automatically generated in the project. You do not need to perform any further operations.
  • Private cloud: Generate a private cloud Security Guard picture.

Synchronize server script

Ensure that the client calls the synchronization API provided by the SDK to execute the hotpatch logic, including obtaining the hotpatch script delivered by the server, executing the script, and performing a rollback.

Based on a native framework

Call the following method (in the didFinishLauncher method as recommended) after the program starts:

    [MPDynamicInterface initDynamicSyncLocalFile];

Based on the mPaaS framework

DFClientDelegate of the mPaaS framework takes over the app life cycle. The hotpatch synchronization API will be called automatically when the program starts. No manual operation is required.

Hot fix online problem

When a bug is detected online, you can use JSPatch to replace the faulty code and then push the new code to the client through the release platform. The procedure is as follows:

  1. Generate script
  2. Encrypt script
  3. Release script

Generate script

The procedure for generating script is as follows:

  1. Locate the cause of the bug, and use the native Objective-C code to fix the bug locally and verify that the bug is fixed.
  2. After the verification, use the online tool JSPatchConvertor to convert the Objective-C code into a JavaScript file. For more information about conversion rules, see JSPatch.
  3. To verify the JavaScript file (assume that the script is Test.js), drag the JavaScript file to the project, manually call the JavaScript file (in didFinishLaunchingWithOptions as recommended) when the program starts, and check whether the bug is fixed. The code sample is as follows:

        NSString *file = [[[NSBundle mainBundle] resourcePath] stringByAppendingPathComponent:[NSString stringWithFormat:@"Test.js"]];
        [MPDynamicInterface runDynamicLocalFile:file];
  4. After the verification, delete the test code and Test.js script to prevent them from affecting the original code logic.

Encrypt script

For security purposes, locally verified JavaScript files can be submitted to the release platform only after being packed and encrypted.

The procedure is as follows:

  1. Use the mPaaS Xcode Extension plug-in to generate a hotpatch resource package.

    Parameters in the preceding figure are described as follows:

    • Script file: JavaScript file verified locally.
    • App Secret: appsecret on the mPaaS console. Please enter the secret manually if it’s not filled in automatically.
    • Private key file: private key file paired with the public key file that is added to the project. For more information, see Manage encrypted information > Manage RSA asymmetric encryption.
  2. View files in the hotpatch resource package, which is stored in a directory at the same level as the JavaScript file by default. The package contains the following files:
    • Test.js: JavaScript file to be uploaded to the release platform.
    • Test.sig: encrypted signature file.
    • Test.zip: encrypted script file that is used to verify the encryption algorithm before the JavaScript file is uploaded to the release platform.
  3. To verify the encrypted JavaScript file, drag the Test.zip file to the project, manually execute the Test.zip file (in didFinishLaunchingWithOptions as recommended) when the program starts, and check whether the bug is fixed.

        NSString *file = [[[NSBundle mainBundle] resourcePath] stringByAppendingPathComponent:[NSString stringWithFormat:@"Test.zip"]];
        [MPDynamicInterface runDynamicLocalSecFile:file];
  4. After the test is passed, delete the test code and Test.zip package to avoid affecting the original code logic.
Note: If the verification succeeds, symmetric encryption and decryption are correct. You also need to ensure that asymmetric encryption is correct. For more information, see the description of the initDynamicSec() method in Manage encrypted information > Manage RSA asymmetric encryption.

Release script

After the encrypted script passes the verification in the previous step, upload the encrypted Test.js file to the release platform for online repair verification. For more information about the hotpatch release process, see Hotpatch management.