pub struct BinaryCache { /* private fields */ }Expand description
On-disk cache for downloaded, signature-verified upgrade archives.
Implementations§
Source§impl BinaryCache
impl BinaryCache
Sourcepub fn new(cache_dir: PathBuf) -> Self
pub fn new(cache_dir: PathBuf) -> Self
Create a new binary cache backed by the given directory.
Production constructor: the cache verifies cached archives against the pinned release public key embedded in the binary.
Sourcepub fn cached_archive_path(&self, version: &str) -> PathBuf
pub fn cached_archive_path(&self, version: &str) -> PathBuf
Path of the cached archive for version.
Sourcepub fn get_verified_archive(
&self,
version: &str,
private_dir: &Path,
) -> Option<PathBuf>
pub fn get_verified_archive( &self, version: &str, private_dir: &Path, ) -> Option<PathBuf>
Copy the cached archive into the caller-private private_dir,
cryptographically re-verify that private copy, and return its
path — or None if there is no usable, trusted cache entry.
On every call this:
- loads the sibling metadata and checks the version matches,
- copies the cached archive + signature into
private_dir(a location only this process writes, e.g. the per-upgrade temp dir), - SHA-256 pre-checks the private copy against the metadata (fast corruption check), then
- re-verifies the ML-DSA-65 signature over the private copy with the pinned release key — the actual security gate.
Verifying the private copy (not the shared cache file) closes the TOCTOU window: an attacker with write access to the shared cache dir cannot swap the bytes between verification and extraction, because the caller extracts from the returned private path, which is the exact byte sequence that was verified and is unreachable to the attacker.
Any failure (missing/corrupt metadata, copy error, hash mismatch,
missing signature, or — critically — a signature that does not verify
against the pinned release key) returns None, forcing a fresh,
fully verified download.
The caller MUST extract the binary from the returned (private) archive path, so the executed bytes always derive from signature-verified input that no other principal could have modified post-verification.
private_dir is a load-bearing security invariant: it MUST be a
process-private, mode-0o700 directory that no other principal
can write to. The caller in apply.rs creates it via
tempfile::Builder::permissions(0o700).tempdir_in(binary_dir) —
any future caller MUST uphold the same invariant, otherwise the
reopens by path in sha256_file and verify_archive would re-
introduce a TOCTOU window.
Sourcepub fn store_archive(
&self,
version: &str,
archive_path: &Path,
signature_path: &Path,
) -> Result<()>
pub fn store_archive( &self, version: &str, archive_path: &Path, signature_path: &Path, ) -> Result<()>
Store a signature-verified archive in the cache.
Both files are persisted (via write-to-temp-then-rename so readers
never observe partial writes); the metadata file is written last so
get_verified_archive only succeeds
once every file is complete.
Defence in depth: this re-verifies the archive against its signature before caching, so a poisoned entry cannot be created through the supported path even if a caller forgot to verify first.
§Errors
Returns an error if the signature does not verify, the inputs cannot be read, or the cache files cannot be written.
Sourcepub fn acquire_download_lock(&self) -> Result<DownloadLockGuard>
pub fn acquire_download_lock(&self) -> Result<DownloadLockGuard>
Acquire an exclusive download lock and return the guard.
This prevents multiple nodes from downloading the same archive concurrently — the first acquires the lock and downloads, the rest wait and then find the archive already cached.
The lock is released when the returned guard is dropped.
Note: lock_exclusive() blocks the calling thread. Callers in
async contexts should wrap this call in tokio::task::spawn_blocking.
§Errors
Returns an error if the lock file cannot be created or acquired.
Trait Implementations§
Source§impl Clone for BinaryCache
impl Clone for BinaryCache
Source§fn clone(&self) -> BinaryCache
fn clone(&self) -> BinaryCache
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read moreAuto Trait Implementations§
impl Freeze for BinaryCache
impl RefUnwindSafe for BinaryCache
impl Send for BinaryCache
impl Sync for BinaryCache
impl Unpin for BinaryCache
impl UnsafeUnpin for BinaryCache
impl UnwindSafe for BinaryCache
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read more