Offline package and gateway FAQ

Answers to common questions about offline package signature verification, Mobile Gateway Service (MGS), and gateway signature verification in mPaaS.

Does signature verification for offline packages require a network connection?

No. Offline package signature verification is performed locally and does not require a network connection.

When does signature verification occur? Is the package verified automatically after download and decompression, or only when it is called?

Verification runs after download but before decompression. If it fails, the package does not load and the application falls back to the online page.

When a new offline package is opened using the startapp JSAPI, does the TitleBar become transparent automatically?

Pass the transparentTitle parameter to control TitleBar behavior. Its options are AUTO, YES, and NO. For details, see Startup parameters.

What is the process for offline package signature verification?

Signature verification ensures the integrity of the offline package content and verifies its source.

  1. Configure a key pair: the private key on the server to sign packages, and the public key on the client to verify signatures.

  2. Download the .amr file from Real-time Release in the mPaaS console. If a private key is configured, the .amr file contains a ciphertext produced by encrypting the package hash with the private key.

  3. The client uses the embedded public key to decrypt the ciphertext from Step 2, then computes the package hash locally. If the two hashes match, verification passes.

Important

Signature verification prevents tampering during transfer and loading but cannot fully prevent malicious attacks. Users control the client and can crack or tamper with H5 logic. Always enforce access control on the backend. Time-sensitive activities such as flash sales require backend timestamp validation.
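The verify-then-decompress order described above, as an added example in Node.js (not mPaaS code). It assumes RSA signatures over a SHA-256 hash, a constructed key pair, and hypothetical names (`signPackage`, `openOfflinePackage`, `decompress`); the real .amr layout is not modeled.

```javascript
const crypto = require('node:crypto');

// Constructed key pair standing in for the pair configured for the app:
// the private key stays on the release server, the public key ships in the client.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Release side (steps 1-2): sign the SHA-256 hash of the package bytes.
function signPackage(packageBytes, signingKey) {
  return crypto.sign('sha256', packageBytes, signingKey);
}

// Client side (step 3): verify with the embedded public key, and only then decompress.
// `decompress` is a hypothetical callback; it must never see unverified bytes.
function openOfflinePackage(pkg, embeddedPublicKey, decompress) {
  if (!Buffer.isBuffer(pkg.signature) || pkg.signature.length === 0) {
    return { source: 'online', reason: 'missing signature' };
  }
  let ok = false;
  try {
    ok = crypto.verify('sha256', pkg.bytes, embeddedPublicKey, pkg.signature);
  } catch (err) {
    ok = false; // malformed signature or key: treat as a failed verification
  }
  if (!ok) return { source: 'online', reason: 'signature mismatch' };
  return { source: 'offline', reason: 'verified', files: decompress(pkg.bytes) };
}

// Constructed sample: a genuine package, a modified copy, one signed by another key,
// and one with no signature at all.
function demo() {
  let decompressCalls = 0;
  const decompress = (b) => { decompressCalls += 1; return [`index.html (${b.length} bytes)`]; };
  const bytes = Buffer.from('<html>constructed offline page</html>');
  const signature = signPackage(bytes, privateKey);
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

  const genuine = openOfflinePackage({ bytes, signature }, publicKey, decompress);
  const tampered = openOfflinePackage(
    { bytes: Buffer.concat([bytes, Buffer.from('<!-- changed -->')]), signature }, publicKey, decompress);
  const wrongKey = openOfflinePackage(
    { bytes, signature: signPackage(bytes, other.privateKey) }, publicKey, decompress);
  const unsigned = openOfflinePackage({ bytes, signature: null }, publicKey, decompress);
  return { genuine, tampered, wrongKey, unsigned, decompressCalls };
}

console.log(demo());
```

The verification key is the one embedded in the client, never a key read from the downloaded package, and the only path that reaches `decompress` is the verified one.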

What is Mobile Gateway Service and what does it do?

Mobile Gateway Service (MGS) is an mPaaS component that connects mobile clients to backend servers via RPC. It simplifies client-server communication protocols, improving development efficiency and network performance. For details, see Introduction to Mobile Gateway Service.

MGS provides the following capabilities:

  • Encapsulates client-server communication using a dynamic proxy.

  • Auto-generates and exports client code when the server and client share a consistent interface.

  • Handles RpcException uniformly with dialog boxes and toast messages.

  • Provides server-side HTTP signature verification to secure gateway-to-server data.

    • When you enable signature verification for an API group in the gateway console, MGS signs each request in that group. Create the signing key pair in the gateway console.

    • The server reads the signature from the request, generates its own signature locally, and compares the two to validate the request.

  • Verifies client-to-MGS request signatures to authenticate callers. This is enabled by default and can be disabled in the configuration file.

What is the gateway signature verification process?

RPC requests use a signature mechanism to prevent tampering or forgery. The RPC module signs requests automatically:

  1. Convert the content of the requestBody to a string.

  2. Sign the string using the Security Guard module. The signing key is stored in an encrypted image (the Security Guard image).

  3. Add the encrypted signature to the request and send it to the gateway.

  4. The gateway generates its own signature using the same method and verifies that the two signatures match.

Offline package vs. gateway signature verification

  • Similarities:

    • Both ensure client security and protect content from tampering.

    • Both methods perform data validation.

  • Differences:

    • What is validated differs:

      • Offline package: checks whether the package was modified after download but before decompression.

      • Gateway: checks whether the requestBody was modified.

    • Signing methods:

      • Offline package: uses a public-private key pair configured in the backend.

      • Gateway: uses Security Guard to sign requests.

    • The results of a failed signature verification vary:

      • Offline package: the H5 page is not disabled. Page data loads from the network instead, and normal use is not affected.

      • Gateway: backend validation or frontend decryption fails. The app cannot display page data correctly.

RPC gateway error codes

| Error code | Description | Cause |
| --- | --- | --- |
| 7000 | Public key not set | Security Guard has no key for the appId, or the gateway cannot retrieve the signature key for the appId. |
| 7001 | Insufficient parameters for verification | Signature verification failed on the gateway server. |
| 7002 | Verification failed | Signature verification failed on the gateway server. |
| 7003 | Verification expired | The ts timestamp in the request is outside the valid time window. Verify that the client clock is synchronized. |
| 7007 | Missing ts parameter | The request is missing the ts parameter required for verification. |
| 7014 | Missing sign parameter | The request is missing the sign parameter. This typically means the client failed to sign the data. Verify that the Security Guard image is correct. |
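The gateway-side checks from the signing process and the error-code table above, as an added example in Node.js (not MGS or Security Guard code). The HMAC-SHA256 scheme over `ts` and the requestBody string, the five-minute window, the key store and all function names are assumptions; only the error codes come from the table.

```javascript
const crypto = require('node:crypto');

const WINDOW_MS = 5 * 60 * 1000; // assumed validity window; the page does not state one

// Assumed scheme: HMAC-SHA256 over "<ts>.<requestBody string>", hex-encoded.
function sign(body, ts, key) {
  return crypto.createHmac('sha256', key).update(`${ts}.${body}`).digest('hex');
}

// Returns the table's error code for a rejected request, or null when it is accepted.
function verifyRequest(req, keysByAppId, nowMs) {
  const key = keysByAppId.get(req.appId);
  if (!key) return 7000;                                    // no signing key for this appId
  if (req.ts === undefined || req.ts === '') return 7007;   // ts parameter missing
  if (!req.sign) return 7014;                               // sign parameter missing
  const ts = Number(req.ts);
  if (!Number.isFinite(ts) || Math.abs(nowMs - ts) > WINDOW_MS) return 7003; // outside window
  // Recompute the signature with the same method and compare in constant time.
  const expected = Buffer.from(sign(req.body, req.ts, key), 'hex');
  const given = Buffer.from(String(req.sign), 'hex');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 7002;
  return null;
}

// Constructed requests: one valid, then one variation per failure mode.
function demo() {
  const keys = new Map([['APP_DEMO', 'constructed-demo-key']]);
  const now = 1700000000000;
  const body = JSON.stringify([{ orderId: 42 }]);
  const good = { appId: 'APP_DEMO', body, ts: String(now), sign: sign(body, String(now), 'constructed-demo-key') };
  return {
    accepted: verifyRequest(good, keys, now),
    unknownApp: verifyRequest({ ...good, appId: 'APP_OTHER' }, keys, now),
    noTs: verifyRequest({ ...good, ts: undefined }, keys, now),
    noSign: verifyRequest({ ...good, sign: '' }, keys, now),
    stale: verifyRequest(good, keys, now + WINDOW_MS + 1),
    changedBody: verifyRequest({ ...good, body: JSON.stringify([{ orderId: 43 }]) }, keys, now),
    malformedSign: verifyRequest({ ...good, sign: 'not-hex' }, keys, now),
  };
}

console.log(demo());
```

Binding `ts` into the signed string means an old request cannot be given a fresh timestamp without invalidating its signature, which is what makes the 7003 window check meaningful.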

How to troubleshoot Mobile Gateway Service call errors.

Offline package fails to open without a network connection


HTML5 app loads slowly with signature verification enabled


Troubleshoot abnormal RPC requests

If an RPC request fails, check the Security Guard result code descriptions for details.