Auto-upgrade system with ML-DSA signature verification.
This module handles:
- Polling GitHub releases for new versions
- Verifying ML-DSA-65 signatures on binaries
- Replacing the running binary with rollback support
- Staged rollout to prevent mass network restarts
- Auto-apply: download, extract, verify, replace, restart
Structs
- Asset - GitHub release asset (attached file).
- AutoApplyUpgrader - Auto-apply upgrader with archive support.
- BinaryCache - On-disk cache for downloaded upgrade binaries.
- GitHubRelease - GitHub release API response.
- ReleaseCache - On-disk cache for GitHub release metadata.
- StagedRollout - Staged rollout configuration and delay calculation.
- UpgradeInfo - Information about an available upgrade.
- UpgradeMonitor - Monitors GitHub releases for new versions.
- Upgrader - Upgrade orchestrator with rollback support.
Enums
- UpgradeResult - Result of an upgrade operation.
Constants
- PUBLIC_KEY_SIZE - ML-DSA-65 public key size in bytes.
- RESTART_EXIT_CODE - Exit code that signals the service manager to restart the process.
- SIGNATURE_SIZE - ML-DSA-65 signature size in bytes.
- SIGNING_CONTEXT - Signing context for domain separation (prevents cross-protocol attacks).
Functions
- find_platform_asset - Find the appropriate binary asset for the current platform.
- perform_upgrade - Legacy function for backward compatibility.
- upgrade_cache_dir - Return the shared upgrade cache directory, creating it on demand.
- verify_binary_signature - Verify the ML-DSA signature on a binary file using the embedded release key.
- verify_binary_signature_with_key - Verify signature with an explicit public key.
- verify_from_file - Verify a signature from a detached .sig file.
- verify_from_file_with_key - Verify from file with explicit key.
- version_from_tag - Parse version from git tag.