Code signing for Apps

I’m interested in developing an app using the forge and was wondering if there is any code signing in place, when I use the CLI to bundle an app. I was looking at a tutorial video where I could observe CLI output on the console, like “packaging app files” … “uploading app”, but there was no mention of app/code signing like for example Google implemented for their mobile app releases. Is there a reason why this is not in place? Any insights would be appreciated, Thanks!

The purpose of Code Signing is being sure that the developer of the App was actually the creator of the artifact that you are about to install.

Since, when you perform the forge deploy command, you are logged in and we know who you are, which accomplishes a level of trust: we know that somebody with the App Developers credentials is uploading this code.

We may eventually implement Code Signing for Forge Apps to give ourselves an extra layer of trust but it is not high on the priority list. In my mind, it would actually be more beneficial for Atlassian Server/DC Apps that have a trust profile much closer to the Mobile App development world.

Does that help answer your question?

1 Like