Getting started with Isolated Web Apps

Build a signed web bundle

Task 2

15 minutes

When it's time to test and deploy your Isolated Web App, you need to bundle all of your assets together into a Signed Web Bundle. Whether you’re using the reference go/bundle command line tool, the official Node command line tools wbn and wbn-sign, or a bundler plugin (like rollup-plugin-webbundle or webbundle-webpack-plugin), you need two things: all of the assets that you want to serve, and signing keys.

With Isolated Web Apps, one of the key security requirements is that every asset (HTML, CSS, JavaScript, fonts) a user may load in the browser, except data fetches, Wasm, and media (images, audio, video, and iframe content), must be served from your signed web bundle. This includes navigation: you can’t have server-generated pages that users go to; every page needs to be available inside your bundle. This means there are two viable architectures for IWAs: single-page applications (SPA) and static site generated applications (SSG). How you generate your assets doesn’t matter, as long as everything is output to a single folder.

Once your assets are output, you need a signing key. Signing keys are Ed25519 or ECDSA P-256 key pairs: the private key signs the bundle and the public key verifies it. You can use OpenSSL to generate and encrypt an Ed25519 or ECDSA P-256 key:

# Generate an unencrypted Ed25519 key
openssl genpkey -algorithm Ed25519 -out private_key.pem

# or generate an unencrypted ECDSA P-256 key
openssl ecparam -name prime256v1 -genkey -noout -out private_key.pem

# Encrypt the generated key. This asks for a passphrase; make sure to use a strong one
openssl pkcs8 -in private_key.pem -topk8 -out encrypted_key.pem

# Delete the unencrypted key
rm private_key.pem
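
The same steps can be run as one pipeline so the unencrypted key never reaches disk, where `rm` would only unlink the file rather than erase its contents. The script below is an added example, not part of the original page; the function names, the `IWA_KEY_PASSPHRASE` environment variable and the explicit `-v2 aes-256-cbc` cipher choice are assumptions.

```sh
# Added example (not from the original page). Function names and the
# IWA_KEY_PASSPHRASE variable are assumptions; export it before calling.

# make_signing_key ALGORITHM OUTFILE   (ALGORITHM: ed25519 | p256)
# Runs in a subshell, so the umask change does not leak to the caller.
make_signing_key() (
  alg=$1 out=$2
  [ -n "${IWA_KEY_PASSPHRASE:-}" ] || { echo "IWA_KEY_PASSPHRASE is not set" >&2; exit 1; }
  [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; exit 1; }
  case "$alg" in
    ed25519) gen="genpkey -algorithm Ed25519" ;;
    p256)    gen="ecparam -name prime256v1 -genkey -noout" ;;
    *)       echo "unknown algorithm: $alg" >&2; exit 1 ;;
  esac
  umask 077   # the key file is created readable by its owner only
  # The generator writes the key to stdout and pkcs8 reads it from stdin.
  # $gen is deliberately unquoted so it splits into separate arguments.
  openssl $gen |
    openssl pkcs8 -topk8 -v2 aes-256-cbc \
      -passout env:IWA_KEY_PASSPHRASE -out "$out" ||
    { rm -f "$out"; exit 1; }   # leave no partial file behind
)

# check_signing_key FILE
# Succeeds only if FILE is an encrypted PKCS#8 key that decrypts with
# the passphrase in IWA_KEY_PASSPHRASE.
check_signing_key() {
  [ "$(head -n 1 "$1")" = "-----BEGIN ENCRYPTED PRIVATE KEY-----" ] &&
    openssl pkey -in "$1" -passin env:IWA_KEY_PASSPHRASE -noout 2>/dev/null
}

# Usage:
#   export IWA_KEY_PASSPHRASE='...'   # better: read -rs from a prompt
#   make_signing_key ed25519 encrypted_key.pem
#   check_signing_key encrypted_key.pem && unset IWA_KEY_PASSPHRASE
```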

With your encrypted signing key available, you can now use one of the command line tools to sign your IWA, or one of the bundler plugins to both build and sign your IWA.

Your turn