I have set-up a hyperledger fabric network with four nodes in the development phase and I want to know if there is a way to give the nodejs chaincode(for installation) to production team without exposing the source code(chaincode), something like a jar file in java project. Will packaging a chaincode help me? If not, what is the use of packaging a chaincode when we can directly install the chaincode without packaging.
From whatever I have come across (working with Go chaincode):
1) No. The chaincode binary cannot be directly installed without having the source code. So, you cannot circulate chaincode binary or jar.
2) Packaging will not help you hide the source code. Even after one identity signs and packages a chaincode, the others should be able to review and add their signatures to this already signed package. This is used to establish 'owners' of the chaincode and also to ensure that all the necessary 'owners' of the chaincode have signed it as defined in the chaincode instantiation policy.
From the docs: Ref: https://hyperledger-fabric.readthedocs.io/en/release-1.4/chaincode4noah.html#packaging
A package consists of:
a) ChaincodeDeploymentSpec or CDS
b) Instantiation policy
c) Signatures
The signatures serve the following purposes:
a) To establish an ownership of the chaincode.
b) To allow verification of the contents of the package.
c) To allow detection of package tampering.
So, in my opinion, packaging helps in:
a) Identifying the owners of the chaincode (through signatures).
b) Allowing instantiation of chaincode only when the package has necessary signatures as defined in instantiation policy. This ensures all chaincode owners have reviewed and signed the package.