banger

thaloco/banger

Fork 0

Commit graph

Author	SHA1	Message	Date
Thales Maciel	fae28e3d8b	update: docs + publish script for the self-update feature README gets a top-level Updating section; docs/privileges.md gains a step-by-step trust-model writeup of `banger update`. The new scripts/publish-banger-release.sh drives the manual release cut: build, tar, sha256sum, cosign sign-blob, verify against the embedded public key, jq-merge into manifest.json, rclone upload to the R2 bucket. Refuses outright if the embedded key is still the placeholder so we can't accidentally publish an unverifiable release. Also folds in gofmt drift accumulated across the updater package and a few sibling files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-29 12:43:46 -03:00
Thales Maciel	fb6d2b1dae	updater: manifest + SHA256SUMS parsing scaffolding First slice of the `banger update` package. No CLI yet — this just defines the wire shape and parsers the rest of the flow will plug into. * internal/updater/manifest.go — Manifest / Release types, ManifestSchemaVersion = 1, the hardcoded URL https://releases.thaloco.com/banger/manifest.json (var instead of const so tests can point at httptest), and FetchManifest / ParseManifest / Manifest.LookupRelease / Manifest.Latest. The manifest only references URLs (tarball, SHA256SUMS, optional signature); actual binary hashes come from SHA256SUMS itself, so manifest tampering can't substitute a hash for a known-good tarball. SchemaVersion gates forward-compat: a CLI that doesn't know its server's schema_version refuses to update rather than guessing. * internal/updater/sha256sums.go — ParseSHA256Sums tolerates both GNU `<digest> <file>` (with optional `*` binary prefix) and BSD `SHA256 (file) = <digest>` formats. Comments and blank lines are skipped; malformed lines that LOOK like entries are rejected (silent skipping is the wrong failure mode for a security-relevant input). Digests are lowercased so the caller can `==`-compare without worrying about case. Caps: 1 MiB on the manifest body, 16 KiB on SHA256SUMS, 256 MiB on release tarballs. Generous-but-bounded; bumping requires a code change so a server-side mistake can't fill the disk. Tests: ParseManifest happy path, schema-version-too-new rejection, five malformed-input cases. ParseSHA256Sums covers GNU + BSD + star-prefix + comments-and-blanks, six malformed-input rejections, case-insensitive digest normalisation. FetchManifest end-to-end via httptest. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-29 12:24:36 -03:00

Author

SHA1

Message

Date

Thales Maciel

fae28e3d8b

update: docs + publish script for the self-update feature

README gets a top-level Updating section; docs/privileges.md gains
a step-by-step trust-model writeup of `banger update`. The new
scripts/publish-banger-release.sh drives the manual release cut:
build, tar, sha256sum, cosign sign-blob, verify against the embedded
public key, jq-merge into manifest.json, rclone upload to the R2
bucket. Refuses outright if the embedded key is still the placeholder
so we can't accidentally publish an unverifiable release. Also folds
in gofmt drift accumulated across the updater package and a few
sibling files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-29 12:43:46 -03:00

Thales Maciel

fb6d2b1dae

updater: manifest + SHA256SUMS parsing scaffolding

First slice of the `banger update` package. No CLI yet — this just
defines the wire shape and parsers the rest of the flow will plug
into.

  * internal/updater/manifest.go — Manifest / Release types,
    ManifestSchemaVersion = 1, the hardcoded URL
    https://releases.thaloco.com/banger/manifest.json (var instead
    of const so tests can point at httptest), and FetchManifest /
    ParseManifest / Manifest.LookupRelease / Manifest.Latest.
    The manifest only references URLs (tarball, SHA256SUMS, optional
    signature); actual binary hashes come from SHA256SUMS itself,
    so manifest tampering can't substitute a hash for a known-good
    tarball.
    SchemaVersion gates forward-compat: a CLI that doesn't know its
    server's schema_version refuses to update rather than guessing.
  * internal/updater/sha256sums.go — ParseSHA256Sums tolerates both
    GNU `<digest>  <file>` (with optional `*` binary prefix) and
    BSD `SHA256 (file) = <digest>` formats. Comments and blank
    lines are skipped; malformed lines that LOOK like entries are
    rejected (silent skipping is the wrong failure mode for a
    security-relevant input). Digests are lowercased so the caller
    can `==`-compare without worrying about case.

Caps: 1 MiB on the manifest body, 16 KiB on SHA256SUMS, 256 MiB on
release tarballs. Generous-but-bounded; bumping requires a code
change so a server-side mistake can't fill the disk.

Tests: ParseManifest happy path, schema-version-too-new rejection,
five malformed-input cases. ParseSHA256Sums covers GNU + BSD +
star-prefix + comments-and-blanks, six malformed-input rejections,
case-insensitive digest normalisation. FetchManifest end-to-end via
httptest.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-29 12:24:36 -03:00

2 commits