For protection of multipart system applications using a cryptographically protected package, a package map and a package object store for decryption and verification at runtime on the target device platform, a method including associating a device class with a set of content signing and encryption keys; signing application files based on the device class of the target device platform; aggregating application files into a file container based on a structured construct; encrypting application files/file containers with an encryption key associated with the device class; generating a package map and object stores for cryptographic artifacts and detached package metadata for passwords associated with the device package; building, the device package and update packages of the device package, detached package metadata, and package install scripts for the target device platform; publishing, the update packages signed with update package provider and update package publisher signing keys, and encrypted with target device encryption key.