docs: add a section on automatic rollback (#315)

eseidel · bryanoltman · web-flow · commit 41669e6fd87e · 2024-12-02T21:56:09.000Z
* docs: add a section on automatic rollback

* Update src/content/docs/code-push/rollback.mdx

Co-authored-by: Bryan Oltman &lt;bryan@shorebird.dev&gt;

---------

Co-authored-by: Bryan Oltman &lt;bryan@shorebird.dev&gt;
diff --git a/src/content/docs/code-push/release.mdx b/src/content/docs/code-push/release.mdx
@@ -63,7 +63,7 @@ shorebird release android --target ./lib/main_development.dart --flavor developm
 build` can. To pass arguments to the underlying `flutter build` you need to put
 `flutter build` arguments after a `--` separator. For example: `shorebird
 release android -- --dart-define="foo=bar"` will define the `"foo"` environment
-variable inside Dart as you might have done with `flutter build` directly.  In
+variable inside Dart as you might have done with `flutter build` directly. In
 Powershell the `--` separator must be quoted: `'--'`.
 :::
 
diff --git a/src/content/docs/code-push/rollback.mdx b/src/content/docs/code-push/rollback.mdx
@@ -47,3 +47,36 @@ If you app needs to download an older patch as part of a rollback,
 installing that patch will count against your monthly patch installs. If you
 have no remaining patch installs, the app will revert to the base release.
 :::
+
+## Patch Integrity and Automatic Rollback
+
+Shorebird includes safety features to prevent needing to issue the manual
+rollback of a patch.
+
+`shorebird patch` also generates a hash of your patch file which is stored
+separately from the patch and checked every time your patch is installed, or
+booted from on the user's device.
+
+Customers are also encouraged to use Shorebird's [patch-signing
+feature](https://docs.shorebird.dev/guides/patch-signing/) to cryptographically
+sign patch files. This uses the same cryptographic algorithms used in the
+Google and Apple app stores. When enabled, your [public
+key](https://en.wikipedia.org/wiki/Public-key_cryptography) is included in your
+app bundle and a patch's signature is checked on every install and boot to
+ensure your app can never accept a patch file not signed by your secret key.
+
+Finally Shorebird's [updater](https://github.com/shorebirdtech/updater) includes
+automatic on-device rollback. If for any reason a patch's hash or signature does
+not match, the patch is discarded. If for any reason a patch fails to load into
+the Dart runtime, a patch will be marked "bad" on that device, and the app will
+be automatically rolled back to the latest installed patch.
+
+The previous patch file is always kept on disk until at least one successful
+boot is made of the next patch, after which a patch file is automatically
+cleaned up from the user's device to minimize disk usage.
+
+All of code which implements these integrity measures is of course open source
+and available for review on [GitHub](https://github.com/shorebirdtech/). An
+overview of our code locations is available under [Architecture](/architecture).
+
+See also [Shorebird Public Security Policies](https://handbook.shorebird.dev/security/).
