selfupdate

package module
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 15, 2020 License: MIT Imports: 27 Imported by: 55

README

Self-Update library for GitHub hosted applications in Go

Godoc reference Build Status codecov

go-selfupdate detects the information of the latest release via GitHub Releases API and checks the current version. If a newer version than itself is detected, it downloads the released binary from GitHub and replaces itself.

  • Automatically detect the latest version of released binary on GitHub
  • Retrieve the proper binary for the OS and arch where the binary is running
  • Update the binary with rollback support on failure
  • Tested on Linux, macOS and Windows
  • Many archive and compression formats are supported (zip, tar, gzip, xzip, bzip2)
  • Support private repositories
  • Support hash, signature validation

This library started as a fork of https://github.com/rhysd/go-github-selfupdate. A few things have changed from the original implementation:

  • don't expose an external semver.Version type, but provide the same functionality through the API: LessThan, Equal and GreaterThan
  • use an interface to send logs (compatible with standard log.Logger)
  • able to detect different ARM CPU architectures (the original library wasn't working on my different versions of raspberry pi)
  • support for assets compressed with bzip2 (.bz2)
  • can use a single file containing the sha256 checksums for all the files (one per line)
Example

Here's an example how to use the library for an application to update itself

func update(version string) error {
	latest, found, err := selfupdate.DetectLatest("creativeprojects/resticprofile")
	if err != nil {
		return fmt.Errorf("error occurred while detecting version: %v", err)
	}
	if !found {
		return fmt.Errorf("latest version for %s/%s could not be found from github repository", runtime.GOOS, runtime.GOARCH)
	}

	if latest.LessOrEqual(version) {
		log.Printf("Current version (%s) is the latest", version)
		return nil
	}

	exe, err := os.Executable()
	if err != nil {
		return errors.New("could not locate executable path")
	}
	if err := selfupdate.UpdateTo(latest.AssetURL, exe); err != nil {
		return fmt.Errorf("error occurred while updating binary: %v", err)
	}
	log.Printf("Successfully updated to version %s", latest.Version())
	return nil
}
Important note

The API can change anytime until it reaches version 1.0. It is unlikely it will change drastically though, but it can.

Naming Rules of Released Binaries

go-selfupdate assumes that released binaries are put for each combination of platforms and architectures. Binaries for each platform can be easily built using tools like goreleaser

You need to put the binaries with the following format.

{cmd}_{goos}_{goarch}{.ext}

{cmd} is a name of command. {goos} and {goarch} are the platform and the arch type of the binary. {.ext} is a file extension. go-selfupdate supports .zip, .gzip, .bz2, .tar.gz and .tar.xz. You can also use blank and it means binary is not compressed.

If you compress binary, uncompressed directory or file must contain the executable named {cmd}.

And you can also use - for separator instead of _ if you like.

For example, if your command name is foo-bar, one of followings is expected to be put in release page on GitHub as binary for platform linux and arch amd64.

  • foo-bar_linux_amd64 (executable)
  • foo-bar_linux_amd64.zip (zip file)
  • foo-bar_linux_amd64.tar.gz (tar file)
  • foo-bar_linux_amd64.xz (xzip file)
  • foo-bar-linux-amd64.tar.gz (- is also ok for separator)

If you compress and/or archive your release asset, it must contain an executable named one of followings:

  • foo-bar (only command name)
  • foo-bar_linux_amd64 (full name)
  • foo-bar-linux-amd64 (- is also ok for separator)

To archive the executable directly on Windows, .exe can be added before file extension like foo-bar_windows_amd64.exe.zip.

Naming Rules of Versions (=Git Tags)

go-selfupdate searches binaries' versions via Git tag names (not a release title). When your tool's version is 1.2.3, you should use the version number for tag of the Git repository (i.e. 1.2.3 or v1.2.3).

This library assumes you adopt semantic versioning. It is necessary for comparing versions systematically.

Prefix before version number \d+\.\d+\.\d+ is automatically omitted. For example, ver1.2.3 or release-1.2.3 are also ok.

Tags which don't contain a version number are ignored (i.e. nightly). And releases marked as pre-release are also ignored.

Structure of Releases

In summary, structure of releases on GitHub looks like:

  • v1.2.0
    • foo-bar-linux-amd64.tar.gz
    • foo-bar-linux-386.tar.gz
    • foo-bar-darwin-amd64.tar.gz
    • foo-bar-windows-amd64.zip
    • ... (Other binaries for v1.2.0)
  • v1.1.3
    • foo-bar-linux-amd64.tar.gz
    • foo-bar-linux-386.tar.gz
    • foo-bar-darwin-amd64.tar.gz
    • foo-bar-windows-amd64.zip
    • ... (Other binaries for v1.1.3)
  • ... (older versions)
Special case for ARM architecture

If you're using goreleaser targeting ARM CPUs, it will use the version of the ARM architecture as a name:

  • armv5
  • armv6
  • armv7

go-selfupdate will check which architecture was used to build the current binary. Please note it's not detecting the hardware, but the binary target instead. If you run an armv6 binary on an armv7 CPU, it will keep armv6 as a target.

As a rule, it will search for a binary with the same architecture first, then try the architectures below if available, and as a last resort will try a simple arm architecture tag.

So if you're running a armv6 binary, it will try these targets in order:

  • armv6
  • armv5
  • arm

More information on targeting ARM cpu can be found here: GoArm

Hash or Signature Validation

go-selfupdate supports hash or signature validation of the downloaded files. It comes with support for sha256 hashes or ECDSA signatures. In addition to internal functions the user can implement the Validator interface for own validation mechanisms.

// Validator represents an interface which enables additional validation of releases.
type Validator interface {
	// Validate validates release bytes against an additional asset bytes.
	// See SHAValidator or ECDSAValidator for more information.
	Validate(release, asset []byte) error
	// Suffix describes the additional file ending which is used for finding the
	// additional asset.
	Suffix() string
}
SHA256

To verify the integrity by SHA256 generate a hash sum and save it within a file which has the same naming as original file with the suffix .sha256. For e.g. use sha256sum, the file selfupdate/testdata/foo.zip.sha256 is generated with:

sha256sum foo.zip > foo.zip.sha256
ECDSA

To verify the signature by ECDSA generate a signature and save it within a file which has the same naming as original file with the suffix .sig. For e.g. use openssl, the file selfupdate/testdata/foo.zip.sig is generated with:

openssl dgst -sha256 -sign Test.pem -out foo.zip.sig foo.zip

go-selfupdate makes use of go internal crypto package. Therefore the used private key has to be compatible with FIPS 186-3.

This work is based on:

Documentation

Overview

go-selfupdate detects the information of the latest release via GitHub Releases API and checks the current version. If newer version than itself is detected, it downloads released binary from GitHub and replaces itself.

- Automatically detects the latest version of released binary on GitHub

- Retrieve the proper binary for the OS and arch where the binary is running

- Update the binary with rollback support on failure

- Tested on Linux, macOS and Windows

- Many archive and compression formats are supported (zip, gzip, xzip, bzip2, tar)

There are some naming rules. Please read following links.

Naming Rules of Released Binaries: 

https://github.com/creativeprojects/go-selfupdate#naming-rules-of-released-binaries

Naming Rules of Git Tags: 

https://github.com/creativeprojects/go-selfupdate#naming-rules-of-versions-git-tags

This package is hosted on GitHub: 

https://github.com/creativeprojects/go-selfupdate

Small CLI tools as wrapper of this library are available also: 

https://github.com/creativeprojects/go-selfupdate/cmd/detect-latest-release
https://github.com/creativeprojects/go-selfupdate/cmd/go-get-release

Index

Examples

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidSlug              = errors.New("invalid slug format, expected 'owner/name'")
	ErrIncorrectParameterOwner  = errors.New("incorrect parameter \"owner\"")
	ErrIncorrectParameterRepo   = errors.New("incorrect parameter \"repo\"")
	ErrAssetNotFound            = errors.New("asset not found")
	ErrIncorrectChecksumFile    = errors.New("incorrect checksum file format")
	ErrChecksumValidationFailed = errors.New("sha256 validation failed")
	ErrHashNotFound             = errors.New("hash not found in checksum file")
	ErrECDSAValidationFailed    = errors.New("ECDSA signature verification failed")
	ErrInvalidECDSASignature    = errors.New("invalid ECDSA signature")
)

Possible errors returned

Functions

func DecompressCommand 

func DecompressCommand(src io.Reader, url, cmd, os, arch string) (io.Reader, error)

DecompressCommand decompresses the given source. Archive and compression format is automatically detected from 'url' parameter, which represents the URL of asset. This returns a reader for the decompressed command given by 'cmd'. '.zip', '.tar.gz', '.tar.xz', '.tgz', '.gz', '.bz2' and '.xz' are supported.

func SetLogger 

func SetLogger(logger Logger)

SetLogger redirects all logs to the logger defined in parameter. By default logs are not sent anywhere.

Example 
// you can plug-in any logger providing the 2 methods Print and Printf
// the default log.Logger satisfies the interface
logger := stdlog.New(os.Stdout, "selfupdate ", 0)
SetLogger(logger)

func UpdateTo 

func UpdateTo(assetURL, cmdPath string) error

UpdateTo downloads an executable from assetURL and replaces the current binary with the downloaded one. This function is low-level API to update the binary. Because it does not use GitHub API and downloads asset directly from the URL via HTTP, this function is not available to update a release for private repositories. cmdPath is a file path to command executable.

Types

type ChecksumValidator 

type ChecksumValidator struct {
	// UniqueFilename is the name of the global file containing all the checksums
	// Usually "checksums.txt", "SHA256SUMS", etc.
	UniqueFilename string
}

ChecksumValidator is a SHA256 checksum validator where all the validation hash are in a single file (one per line)

func (*ChecksumValidator) GetValidationAssetName 

func (v *ChecksumValidator) GetValidationAssetName(releaseFilename string) string

GetValidationAssetName returns the unique asset name for SHA256 validation.

func (*ChecksumValidator) Validate 

func (v *ChecksumValidator) Validate(filename string, release, asset []byte) error

Validate the SHA256 sum of the release against the contents of an additional asset file containing all the checksums (one file per line).

type Config 

type Config struct {
	// Source where to load the releases from (example: GitHubSource)
	Source Source
	// Validator represents types which enable additional validation of downloaded release.
	Validator Validator
	// Filters are regexp used to filter on specific assets for releases with multiple assets.
	// An asset is selected if it matches any of those, in addition to the regular tag, os, arch, extensions.
	// Please make sure that your filter(s) uniquely match an asset.
	Filters []string
	// OS is set to the value of runtime.GOOS by default, but you can force another value here
	OS string
	// Arch is set to the value of runtime.GOARCH by default, but you can force another value here
	Arch string
	// Arm 32bits version. Valid values are 0 (unknown), 5, 6 or 7. Default is detected value (if any)
	Arm uint8
	// Draft permits an upgrade to a "draft" version (default to false)
	Draft bool
	// Prerelease permits an upgrade to a "pre-release" version (default to false)
	Prerelease bool
}

Config represents the configuration of self-update.

type ECDSAValidator 

type ECDSAValidator struct {
	PublicKey *ecdsa.PublicKey
}

ECDSAValidator specifies a ECDSA validator for additional file validation before updating.

func (*ECDSAValidator) GetValidationAssetName 

func (v *ECDSAValidator) GetValidationAssetName(releaseFilename string) string

GetValidationAssetName returns the asset name for ECDSA validation.

func (*ECDSAValidator) Validate 

func (v *ECDSAValidator) Validate(filename string, input, signature []byte) error

Validate checks the ECDSA signature the release against the signature contained in an additional asset file.

type GitHubAsset 

type GitHubAsset struct {
	// contains filtered or unexported fields
}

func NewGitHubAsset 

func NewGitHubAsset(from *github.ReleaseAsset) *GitHubAsset

func (*GitHubAsset) GetBrowserDownloadURL 

func (a *GitHubAsset) GetBrowserDownloadURL() string

func (*GitHubAsset) GetID 

func (a *GitHubAsset) GetID() int64

func (*GitHubAsset) GetName 

func (a *GitHubAsset) GetName() string

func (*GitHubAsset) GetSize 

func (a *GitHubAsset) GetSize() int

type GitHubConfig 

type GitHubConfig struct {
	// APIToken represents GitHub API token. If it's not empty, it will be used for authentication of GitHub API
	APIToken string
	// EnterpriseBaseURL is a base URL of GitHub API. If you want to use this library with GitHub Enterprise,
	// please set "https://{your-organization-address}/api/v3/" to this field.
	EnterpriseBaseURL string
	// EnterpriseUploadURL is a URL to upload stuffs to GitHub Enterprise instance. This is often the same as an API base URL.
	// So if this field is not set and EnterpriseBaseURL is set, EnterpriseBaseURL is also set to this field.
	EnterpriseUploadURL string
	// Context used by the http client (default to context.Background)
	Context context.Context
}

GitHubConfig is an object to pass to NewGitHubSource

type GitHubRelease 

type GitHubRelease struct {
	// contains filtered or unexported fields
}

func NewGitHubRelease 

func NewGitHubRelease(from *github.RepositoryRelease) *GitHubRelease

func (*GitHubRelease) GetAssets 

func (r *GitHubRelease) GetAssets() []SourceAsset

func (*GitHubRelease) GetDraft 

func (r *GitHubRelease) GetDraft() bool

func (*GitHubRelease) GetName 

func (r *GitHubRelease) GetName() string

func (*GitHubRelease) GetPrerelease 

func (r *GitHubRelease) GetPrerelease() bool

func (*GitHubRelease) GetPublishedAt 

func (r *GitHubRelease) GetPublishedAt() time.Time

func (*GitHubRelease) GetReleaseNotes 

func (r *GitHubRelease) GetReleaseNotes() string

func (*GitHubRelease) GetTagName 

func (r *GitHubRelease) GetTagName() string

func (*GitHubRelease) GetURL 

func (r *GitHubRelease) GetURL() string

type GitHubSource 

type GitHubSource struct {
	// contains filtered or unexported fields
}

GitHubSource is used to load release information from GitHub

func NewGitHubSource 

func NewGitHubSource(config GitHubConfig) (*GitHubSource, error)

NewGitHubSource creates a new GitHubSource from a config object. It initializes a GitHub API client. If you set your API token to the $GITHUB_TOKEN environment variable, the client will use it. You can pass an empty GitHubSource{} to use the default configuration The function will return an error if the GitHub Entreprise URLs in the config object cannot be parsed

func (*GitHubSource) DownloadReleaseAsset 

func (s *GitHubSource) DownloadReleaseAsset(owner, repo string, id int64) (io.ReadCloser, error)

DownloadReleaseAsset downloads an asset from its ID. It returns an io.ReadCloser: it is your responsability to Close it.

func (*GitHubSource) ListReleases 

func (s *GitHubSource) ListReleases(owner, repo string) ([]SourceRelease, error)

ListReleases returns all available releases

type Logger 

type Logger interface {
	// Print calls Output to print to the standard logger. Arguments are handled in the manner of fmt.Print.
	Print(v ...interface{})
	// Printf calls Output to print to the standard logger. Arguments are handled in the manner of fmt.Printf.
	Printf(format string, v ...interface{})
}

Logger interface. Compatible with standard log.Logger

type Release 

type Release struct {
	// AssetURL is a URL to the uploaded file for the release
	AssetURL string
	// AssetSize represents the size of asset in bytes
	AssetByteSize int
	// AssetID is the ID of the asset on GitHub
	AssetID int64
	// AssetName is the filename of the asset
	AssetName string
	// ValidationAssetID is the ID of additional validaton asset on GitHub
	ValidationAssetID int64
	// URL is a URL to release page for browsing
	URL string
	// ReleaseNotes is a release notes of the release
	ReleaseNotes string
	// Name represents a name of the release
	Name string
	// PublishedAt is the time when the release was published
	PublishedAt time.Time
	// OS this release is for
	OS string
	// Arch this release is for
	Arch string
	// Arm 32bits version (if any). Valid values are 0 (unknown), 5, 6 or 7
	Arm uint8
	// contains filtered or unexported fields
}

Release represents a release asset for current OS and arch.

func DetectLatest 

func DetectLatest(slug string) (*Release, bool, error)

DetectLatest detects the latest release of the slug (owner/repo). This function is a shortcut version of updater.DetectLatest.

func DetectVersion 

func DetectVersion(slug string, version string) (*Release, bool, error)

DetectVersion detects the given release of the slug (owner/repo) from its version.

func UpdateCommand 

func UpdateCommand(cmdPath string, current string, slug string) (*Release, error)

UpdateCommand updates a given command binary to the latest version. This function is a shortcut version of updater.UpdateCommand.

func UpdateSelf 

func UpdateSelf(current string, slug string) (*Release, error)

UpdateSelf updates the running executable itself to the latest version. This function is a shortcut version of updater.UpdateSelf.

func (Release) Equal 

func (r Release) Equal(other string) bool

Equal tests if two versions are equal to each other.

func (Release) GreaterOrEqual 

func (r Release) GreaterOrEqual(other string) bool

GreaterOrEqual tests if one version is greater than or equal to another one.

func (Release) GreaterThan 

func (r Release) GreaterThan(other string) bool

GreaterThan tests if one version is greater than another one.

func (Release) LessOrEqual 

func (r Release) LessOrEqual(other string) bool

LessOrEqual tests if one version is less than or equal to another one.

func (Release) LessThan 

func (r Release) LessThan(other string) bool

LessThan tests if one version is less than another one.

func (Release) Version 

func (r Release) Version() string

Version is the version string of the release

type SHAValidator 

type SHAValidator struct {
}

SHAValidator specifies a SHA256 validator for additional file validation before updating.

func (*SHAValidator) GetValidationAssetName 

func (v *SHAValidator) GetValidationAssetName(releaseFilename string) string

GetValidationAssetName returns the asset name for SHA256 validation.

func (*SHAValidator) Validate 

func (v *SHAValidator) Validate(filename string, release, asset []byte) error

Validate checks the SHA256 sum of the release against the contents of an additional asset file.

type Source 

type Source interface {
	ListReleases(owner, repo string) ([]SourceRelease, error)
	DownloadReleaseAsset(owner, repo string, id int64) (io.ReadCloser, error)
}

Source interface to load the releases from (GitHubSource for example)

type SourceAsset 

type SourceAsset interface {
	GetID() int64
	GetName() string
	GetSize() int
	GetBrowserDownloadURL() string
}

type SourceRelease 

type SourceRelease interface {
	GetTagName() string
	GetDraft() bool
	GetPrerelease() bool
	GetPublishedAt() time.Time
	GetReleaseNotes() string
	GetName() string
	GetURL() string

	GetAssets() []SourceAsset
}

type Updater 

type Updater struct {
	// contains filtered or unexported fields
}

Updater is responsible for managing the context of self-update.

func DefaultUpdater 

func DefaultUpdater() *Updater

DefaultUpdater creates a new updater instance with default configuration. It initializes GitHub API client with default API base URL. If you set your API token to $GITHUB_TOKEN, the client will use it. Every call to this function will always return the same instance, it's only created once

func NewUpdater 

func NewUpdater(config Config) (*Updater, error)

NewUpdater creates a new updater instance. If you don't specify a source in the config object, GitHub will be used

func (*Updater) DetectLatest 

func (up *Updater) DetectLatest(slug string) (release *Release, found bool, err error)

DetectLatest tries to get the latest version of the repository on GitHub. 'slug' means 'owner/name' formatted string. It fetches releases information from GitHub API and find out the latest release with matching the tag names and asset names. Drafts and pre-releases are ignored. Assets would be suffixed by the OS name and the arch name such as 'foo_linux_amd64' where 'foo' is a command name. '-' can also be used as a separator. File can be compressed with zip, gzip, zxip, bzip2, tar&gzip or tar&zxip. So the asset can have a file extension for the corresponding compression format such as '.zip'. On Windows, '.exe' also can be contained such as 'foo_windows_amd64.exe.zip'.

func (*Updater) DetectVersion 

func (up *Updater) DetectVersion(slug string, version string) (release *Release, found bool, err error)

DetectVersion tries to get the given version of the repository on Github. `slug` means `owner/name` formatted string. And version indicates the required version.

func (*Updater) UpdateCommand 

func (up *Updater) UpdateCommand(cmdPath string, current string, slug string) (*Release, error)

UpdateCommand updates a given command binary to the latest version. 'slug' represents 'owner/name' repository on GitHub and 'current' means the current version.

func (*Updater) UpdateSelf 

func (up *Updater) UpdateSelf(current string, slug string) (*Release, error)

UpdateSelf updates the running executable itself to the latest version. 'slug' represents 'owner/name' repository on GitHub and 'current' means the current version.

func (*Updater) UpdateTo 

func (up *Updater) UpdateTo(rel *Release, cmdPath string) error

UpdateTo downloads an executable from GitHub Releases API and replace current binary with the downloaded one. It downloads a release asset via GitHub Releases API so this function is available for update releases on private repository.

type Validator 

type Validator interface {
	// Validate validates release bytes against an additional asset bytes.
	// See SHAValidator or ECDSAValidator for more information.
	Validate(filename string, release, asset []byte) error
	// GetValidationAssetName returns the additional asset name containing the validation checksum.
	// The asset containing the checksum can be based on the release asset name
	GetValidationAssetName(releaseFilename string) string
}

Validator represents an interface which enables additional validation of releases.

Source Files

View all Source files

Directories

Path Synopsis
cmd
detect-latest-release command
go-get-release command
Package update provides functionality to implement secure, self-updating Go programs (or other single-file targets).
 Package update provides functionality to implement secure, self-updating Go programs (or other single-file targets).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.