Roll back a Patch
If you discover that a live patch has a bug, Shorebird supports patch rollback. When a patch is rolled back, it is remotely uninstalled from end users’ devices and replaced by either the previous patch or the base release if no previous patch is available.
In the Shorebird Console, navigate to the release that contains the patch you want to roll back. On the right side of the patch row, click the “more” icon (three vertical dots) and select “Rollback”:
Imagine we have a release with three patches:
When a user downloads this release from the store, Shorebird will see that patch 3 is the latest available patch and download it.
If we discover that there is a problem with patch 3, we can roll it back. The Console will look like this after a rollback:
Users who download the app from the store will now get patch 2 instead of patch 3. Users who already had patch 3 installed will be downgraded to patch 2.
When a Shorebird app checks for new patches, the server includes in its response a list of rolled back patches. If the device has any rolled back patches installed, it deletes them and reverts to the last “good” patch, which will be visible the next time the app starts.
Shorebird includes safety features that help you avoid having to roll back a patch manually.
shorebird patch also generates a hash of your patch file, which is stored separately from the patch and checked every time your patch is installed or booted from on the user’s device.
Customers are also encouraged to use Shorebird’s patch-signing feature to cryptographically sign patch files. This uses the same cryptographic algorithms used in the Google and Apple app stores. When enabled, your public key is included in your app bundle and a patch’s signature is checked on every install and boot to ensure your app can never accept a patch file not signed by your secret key.
Finally, Shorebird’s updater includes automatic on-device rollback. If for any reason a patch’s hash or signature does not match, the patch is discarded. If for any reason a patch fails to load into the Dart runtime, the patch is marked “bad” on that device, and the app is automatically rolled back to the latest installed patch.
The previous patch file is always kept on disk until at least one successful boot is made of the next patch, after which a patch file is automatically cleaned up from the user’s device to minimize disk usage.
All of the code that implements these integrity measures is open source and available for review on GitHub. An overview of our code locations is available under Architecture.
See also Shorebird Public Security Policies.
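The selection logic described above (server-reported rollbacks, the separately stored hash, and the on-device “bad” mark) can be modelled in a few lines. This is an added illustration, not Shorebird's updater code: the names `InstalledPatch`, `select_boot_patch` and `make_patch` are hypothetical, SHA-256 is an assumed stand-in for the patch hash, and signature verification is left out.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class InstalledPatch:
    number: int
    data: bytes         # patch file contents as found on disk
    expected_hash: str  # hash recorded separately from the patch file

def sha256_hex(data):
    # Assumption: SHA-256 stands in for the patch hash; the page names no algorithm.
    return hashlib.sha256(data).hexdigest()

def select_boot_patch(installed, rolled_back, marked_bad):
    """Return (patch number to boot, or None for the base release; numbers to discard)."""
    discarded, usable = set(), []
    for patch in installed:
        if patch.number in rolled_back:
            discarded.add(patch.number)   # server reported it as rolled back
        elif not hmac.compare_digest(sha256_hex(patch.data), patch.expected_hash):
            discarded.add(patch.number)   # file no longer matches the stored hash
        elif patch.number not in marked_bad:
            usable.append(patch.number)   # passed every check modelled here
    return (max(usable) if usable else None), discarded

def make_patch(number, tampered=False):
    # Constructed sample data: placeholder bytes, not a real patch file.
    data = b"constructed patch %d" % number
    on_disk = data + b"\x00" if tampered else data
    return InstalledPatch(number, on_disk, sha256_hex(data))

# The three-patch release used as the example on this page.
PATCHES = [make_patch(1), make_patch(2), make_patch(3)]

if __name__ == "__main__":
    print(select_boot_patch(PATCHES, rolled_back=set(), marked_bad=set()))
    print(select_boot_patch(PATCHES, rolled_back={3}, marked_bad=set()))
    damaged = [make_patch(1), make_patch(2, tampered=True), make_patch(3)]
    print(select_boot_patch(damaged, rolled_back={3}, marked_bad=set()))
```

With patch 3 rolled back the model falls back to patch 2, and if patch 2's file also fails its hash check it falls back to patch 1; when nothing usable remains, `None` stands for the base release.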