Basic packaging
vibe package vibe.yaml -o myapp.vibeapp
The output is a ZIP-based .vibeapp archive containing:
- The vibe.yaml manifest
- All referenced assets
- Optional seed data (initial state)
With encryption
# Provide password on the command line (visible in shell history — avoid in CI)
vibe package vibe.yaml -o myapp.vibeapp --password "my-secret-password"
# Read password from a file (preferred)
vibe package vibe.yaml -o myapp.vibeapp --password-file secrets/pw.txt
# Omit --password to be prompted interactively (most secure)
vibe package vibe.yaml -o myapp.vibeapp
Encrypted packages use AES-256-GCM with Argon2id key derivation (OWASP interactive profile: m=64 MiB, t=3, p=4).
With seed data
Seed data is a directory of pre-populated content that gets embedded as the app’s initial state. Each subdirectory becomes a signed _vibe_initial_state/<name>.tar.gz entry.
vibe package vibe.yaml -o myapp.vibeapp --seed-data ./initial-data/
Use this to ship apps with pre-loaded databases, sample files, or other data that should be present on first run.
Signing
Always sign packages you distribute publicly:
# Generate a keypair (one-time setup)
vibe keygen -o my-signing
# Sign the package
vibe sign myapp.vibeapp --key my-signing.key
# For encrypted packages, provide the password to sign
vibe sign myapp.vibeapp --key my-signing.key --password-file secrets/pw.txt
Keep my-signing.key private. Distribute my-signing.pub to users or embed it in the macOS host app for trusted verification.
Inspect before distributing
vibe inspect myapp.vibeapp
Shows the manifest contents, file listing, signature state, and whether encryption is present.
Verify the signature
vibe verify myapp.vibeapp --key my-signing.pub
Confirms the package hasn’t been tampered with.
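As an added example (not part of the vibe project), the package, sign, verify and inspect steps above can be chained into one release gate that refuses to run when the password file or signing key is readable by group or other. It uses only the command forms shown on this page; the function names is_private_file and release_package are hypothetical, and it assumes vibe exits non-zero when a step fails.

```shell
#!/bin/sh
# Added example: release gate built only from the vibe commands shown on this page.
# Assumption: vibe exits non-zero when a step (including verify) fails.

# Succeeds only if the path is a regular file with no group/other permission bits.
# Symlinks are rejected because ls -ld reports the link's own mode.
is_private_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# release_package MANIFEST OUTPUT PASSWORD_FILE KEY_BASENAME
# KEY_BASENAME is the name given to "vibe keygen -o", e.g. my-signing.
release_package() {
    manifest=$1 out=$2 pwfile=$3 key=$4

    # Check both secrets before any vibe command touches them.
    for secret in "$pwfile" "$key.key"; do
        if ! is_private_file "$secret"; then
            echo "refusing: $secret is missing or readable by group/other" >&2
            return 2
        fi
    done

    # Password comes from a file, so it never lands in shell history.
    vibe package "$manifest" -o "$out" --password-file "$pwfile" || return 1
    # Encrypted packages need the password again at signing time.
    vibe sign "$out" --key "$key.key" --password-file "$pwfile" || return 1
    # Verify with the public half, the way a recipient would.
    vibe verify "$out" --key "$key.pub" || {
        echo "verify failed: do not ship $out" >&2
        return 1
    }
    # Final review of manifest, file listing, signature and encryption state.
    vibe inspect "$out"
}

# Usage: release_package vibe.yaml myapp.vibeapp secrets/pw.txt my-signing
```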
Distributing without signing (dev mode)
During development you can skip signing. Recipients will see an “Unsigned (Dev Mode)” orange warning and must explicitly acknowledge running unsigned code.
Never distribute unsigned packages publicly. Always sign before sharing with end users.