Secure releases & self-update

rtb-update will only replace the running binary with an artefact it can verify. That guarantee depends on how you build and publish releases.

Build artefacts the updater trusts

For every release archive, publish alongside it:

  1. An Ed25519 detached signature over the archive, produced with your release signing key.
  2. A SHA-256 .sum of the archive.

The update subsystem verifies both before calling self-replace. A mismatch on either aborts the swap and leaves the existing binary untouched — the binary on disk is always either the old version or the fully-verified new one, never a partial write.

The release toolchain (dist for artefact builds, cargo-release for version bumps + tagging) is wired to emit the signature and checksum; see the release section of the project README / CONTRIBUTING.

Supported targets

Binaries ship for darwin-{aarch64,x86_64}, linux-{aarch64,x86_64,musl}, and windows-{aarch64,x86_64}.

Wire the updater

use rtb_update::{CheckOutcome, RunOptions, Updater};

async fn check(
    app: &rtb_app::app::App,
    provider: std::sync::Arc<dyn rtb_vcs::ReleaseProvider>,
) -> Result<(), rtb_update::UpdateError> {
    let updater = Updater::builder().app(app).provider(provider).build();

    // Compare the running build against the latest release from the provider.
    match updater.check().await? {
        CheckOutcome::Newer { latest, .. } => {
            println!("updating to {latest}");
            // The update subsystem verifies signature and checksum before the swap.
            updater.run(RunOptions::default()).await?;
        }
        CheckOutcome::UpToDate { .. } => println!("already current"),
        // A local build newer than upstream is never replaced with an older release.
        CheckOutcome::Older { .. } => println!("local build ahead of upstream; not downgrading"),
    }
    Ok(())
}

The ReleaseProvider is selected by ToolMetadata::release_source and wrapped in Arc<dyn ReleaseProvider> — downstream tools never import octocrab or gitlab directly. See rtb-vcs.

Airgapped updates

Updater::run_from_file verifies and swaps from a locally-staged archive, for environments with no network path to the release host. The same signature + checksum verification applies.

Dry run

Set RunOptions { dry_run: true, .. } to verify and stage the new binary into the cache dir without swapping — useful for validating a release pipeline end to end.