Secure releases & self-update
rtb-update will only replace the
running binary with an artefact it can verify. That guarantee depends
on how you build and publish releases.
Build artefacts the updater trusts
For every release archive, publish alongside it:
- An Ed25519 detached signature over the archive, produced with your release signing key.
- A SHA-256 .sum of the archive.
The update subsystem verifies both before calling
self-replace. A mismatch on either aborts the swap and leaves the
existing binary untouched — the binary on disk is always either the
old version or the fully-verified new one, never a partial write.
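A minimal sketch of the stage, verify, then swap ordering behind that guarantee, added here as an example and not rtb-update's own code. `verified_swap`, `SwapError` and `Check` are hypothetical names, the checks are closures standing in for real Ed25519 and SHA-256 verification, and a POSIX-style atomic rename is assumed.

```rust
use std::fs::{self, File};
use std::io::{self, Write};
use std::path::Path;

#[derive(Debug)]
pub enum SwapError {
    Io(io::Error),
    Rejected(&'static str), // name of the check that failed
}

impl From<io::Error> for SwapError {
    fn from(e: io::Error) -> Self { SwapError::Io(e) }
}

/// Named check over the staged bytes; stands in for real Ed25519 / SHA-256 verification.
pub type Check<'a> = (&'static str, &'a dyn Fn(&[u8]) -> bool);

/// Stage `candidate` beside `target`, run every check, then rename.
/// On any failure the stage is removed and `target` is left untouched.
pub fn verified_swap(target: &Path, candidate: &[u8], checks: &[Check<'_>]) -> Result<(), SwapError> {
    // Same directory, so same filesystem: the rename below replaces the file in one step.
    let staged = target.with_extension("staged");
    let outcome = (|| -> Result<(), SwapError> {
        let mut f = File::create(&staged)?;
        f.write_all(candidate)?;
        f.sync_all()?; // data is on disk before it can become the live binary
        let on_disk = fs::read(&staged)?; // verify what will actually be swapped in
        for &(name, check) in checks {
            if !check(on_disk.as_slice()) {
                return Err(SwapError::Rejected(name));
            }
        }
        fs::rename(&staged, target)?;
        Ok(())
    })();
    if outcome.is_err() {
        let _ = fs::remove_file(&staged); // never leave an unverified file behind
    }
    outcome
}

fn main() {
    let target = std::env::temp_dir().join("rtb-swap-demo.bin");
    fs::write(&target, b"old").unwrap();
    let pass: &dyn Fn(&[u8]) -> bool = &|_| true; // constructed stand-in checks
    let fail: &dyn Fn(&[u8]) -> bool = &|_| false;
    let r = verified_swap(&target, b"new", &[("signature", pass), ("checksum", fail)]);
    println!("{r:?}; on disk: {:?}", fs::read(&target).unwrap());
}
```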
The release toolchain (dist for artefact builds, cargo-release for
version bumps + tagging) is wired to emit the signature and checksum;
see the release section of the project README / CONTRIBUTING.
Supported targets
Binaries ship for darwin-{aarch64,x86_64},
linux-{aarch64,x86_64,musl}, and windows-{aarch64,x86_64}.
Wire the updater
```rust
use rtb_update::{CheckOutcome, RunOptions, Updater};

async fn check(
    app: &rtb_app::app::App,
    provider: std::sync::Arc<dyn rtb_vcs::ReleaseProvider>,
) -> Result<(), rtb_update::UpdateError> {
    let updater = Updater::builder().app(app).provider(provider).build();
    match updater.check().await? {
        CheckOutcome::Newer { latest, .. } => {
            println!("updating to {latest}");
            // Signature and checksum are verified before the binary is swapped.
            updater.run(RunOptions::default()).await?;
        }
        CheckOutcome::UpToDate { .. } => println!("already current"),
        // An older upstream release is never installed over a newer local build.
        CheckOutcome::Older { .. } => println!("local build ahead of upstream; not downgrading"),
    }
    Ok(())
}
```
The ReleaseProvider is selected by ToolMetadata::release_source
and wrapped in Arc<dyn ReleaseProvider> — downstream tools never
import octocrab or gitlab directly. See
rtb-vcs.
Airgapped updates
Updater::run_from_file verifies and swaps from a locally-staged
archive, for environments with no network path to the release host.
The same signature + checksum verification applies.
Dry run
Set RunOptions { dry_run: true, .. } to verify and stage the new
binary into the cache dir without swapping — useful for validating a
release pipeline end to end.