fix(CodeSigningPlugin): sign assets at processAssets ANALYSE stage before REPORT

[JhohellsDL]

Summary

Fixes #1377

CodeSigningPlugin was signing bundles in compiler.hooks.assetEmitted,
which fires after processAssets completes. When using withZephyr(),
Zephyr captures and uploads assets at PROCESS_ASSETS_STAGE_REPORT (5000)
— before assetEmitted fires — resulting in unsigned bundles being uploaded
to the CDN, making verifyScriptSignature: 'strict' ineffective.

Changes

• Moved signing logic from assetEmitted to processAssets at
  PROCESS_ASSETS_STAGE_ANALYSE (2000), before Zephyr's REPORT stage (5000)
• Assets are now signed in memory via compilation.updateAsset()
  instead of reading/writing from disk
• Removed chunkFilenames Set and emit hook — no longer needed since
  signing iterates compilation.chunks directly inside processAssets
• Added test verifying assets are signed before REPORT stage
• Updated documentation with ## Behavior section explaining the signing stage

Testing

• All existing tests pass
• Added new test simulating a plugin at REPORT stage confirming
  assets are already signed when captured
• Verified end-to-end in production with withZephyr() — bundles
  uploaded to CDN now contain the signature and verifyScriptSignature: 'strict'
  works correctly

[changeset-bot]

🦋 Changeset detected

Latest commit: b7f7682

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages

Name	Type
@callstack/repack	Patch
@callstack/repack-plugin-expo-modules	Patch
@callstack/repack-plugin-nativewind	Patch
@callstack/repack-plugin-reanimated	Patch
@callstack/repack-dev-server	Patch
@callstack/repack-init	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

@JhohellsDL is attempting to deploy a commit to the Callstack Team on Vercel.

A member of the Team first needs to authorize it.

[dannyhw]

Is there some simple way to test this locally? What would you recommend? @JhohellsDL

[MikitasK]

the PR is pretty solid 👍

I tested it locally with apps/tester-app using temporary processAssets REPORT-stage capture plugin & the results satisfied my expectations:

1. capture report showed all remote chunks signed at REPORT stage (they're showed unsigned on main branch tho)
2. remote chunk loads successfully when verifyScriptSignature: 'strict' & public key embedded in the app

Screen.Recording.2026-04-14.at.17.17.40.mp4

can you just consider a few suggestions before merge:

[MikitasK]

LGTM 🙌

[dannyhw]

@JhohellsDL could you please take a look and resolve the linting errors

[JhohellsDL]

@dannyhw, thanks for the feedback! I’ve addressed the linting issues and pushed an update. Please take another look.

[jbroma]

few nits, LGTM overall 👍

[dannyhw]

@JhohellsDL if you can address those last comments I think we can move forward and merge this 👍

[JhohellsDL]

@dannyhw, Ready, I’ve addressed the comments. I’ll keep an eye out for any further feedback 👍

[dannyhw]

Thanks @JhohellsDL, appreciate your responsiveness and all your hard work 🙇‍♂️

[dannyhw]

thanks for your contribution 🙇‍♂️