Crate nexo_ext_installer

Expand description

Decentralized GitHub Releases install — building block for nexo plugin install <owner>/<repo>@<tag>.

Architecture: there is NO central catalog. Each plugin author publishes their plugin as a GitHub Release on their own repo, following the asset naming convention documented in nexo-plugin-contract.md. The install CLI hits the GitHub Releases API directly to resolve a coords string into a verified tarball.

What this crate does:

Parse <owner>/<repo>@<tag> coords
Fetch the GitHub release JSON (or /releases/latest)
Parse the release into an nexo_ext_registry::ExtEntry using the asset naming convention
Download the tarball matching the daemon’s target
Stream-verify the sha256 (read from the .sha256 asset)

Cosign signature verification lives in verify, tarball extraction in extract; the CLI wires them together.

§References

Internal: crates/ext-registry/ — entry types.
GitHub Releases API: https://docs.github.com/en/rest/releases/releases#get-a-release-by-tag-name
Real-world: cargo binstall + gh extension install — per-repo binary install via GitHub Releases.

Re-exports§

pub use error::InstallError;
pub use extract::extract_verified_tarball;
pub use extract::ExtractInput;
pub use extract::ExtractLimits;
pub use extract::ExtractedPlugin;
pub use extract::MAX_ENTRIES;
pub use extract::MAX_ENTRY_BYTES;
pub use extract::MAX_EXTRACTED_BYTES;
pub use extract::MAX_TARBALL_BYTES;
pub use extract_contract::ExtractContract;
pub use extract_contract::PluginExtractContract;
pub use extract_error::ExtractError;
pub use trusted_keys::AuthorPolicy;
pub use trusted_keys::TrustMode;
pub use trusted_keys::TrustedKeysConfig;
pub use verify::discover_cosign_binary;
pub use verify::verify_plugin_signature;
pub use verify::VerifiedSignature;
pub use verify::VerifyInput;
pub use verify_error::VerifyError;

Modules§

error: Error variants returned by the installer.
extract: Extract a sha-verified plugin tarball into the daemon’s plugin discovery directory.
extract_contract: Parameterized extraction contract — lets the resolve+download pipeline serve any source-of-truth manifest, not just nexo-plugin.toml. The same crate powers both nexo plugin install and nexo persona install without two parallel copies of the GitHub Releases plumbing.
extract_error: Error variants returned by crate::extract::extract_verified_tarball.
trusted_keys: Operator-side trust policy loaded from <config_dir>/extensions/trusted_keys.toml.
verify: Pure-Rust signature verification for plugin tarballs.
verify_error: Error variants returned by the cosign signature verification pipeline.

Structs§

InstalledTarball: Successful install — verified tarball on disk.
RepoCoords: Parsed <owner>/<repo>@<tag> coordinates. tag defaults to latest when the user omits it.
ResolvedInstall: Successful resolution of a release into an installable entry. Carries enough info to call download_and_verify.
ResolvedReleaseTyped: Generic resolve result carrying the typed manifest produced by an ExtractContract. Contracts are free to attach any in-process meaning to manifest; the resolver only stores it. URL/size/signing fields are pre-resolved so the caller can call download_and_verify_url without re-querying the release JSON.

Constants§

DEFAULT_GITHUB_API_BASE: Default GitHub API base URL. Override via the NEXO_GITHUB_API_BASE env or in tests with a wiremock URL.

Functions§

current_target_triple: Detect the running daemon’s target triple. Override via NEXO_INSTALL_TARGET env.
download_and_verify: Download the resolved tarball, fetch the expected sha256 from its .sha256 sibling, stream-verify the downloaded bytes’ digest matches. Aborts and removes the partial file if the digest doesn’t match. Thin wrapper over download_and_verify_url.
download_and_verify_url: URL-based download+verify primitive. Fetches the expected sha256 from sha256_url, streams the tarball from tarball_url to dest_path, and rejects on mismatch (cleaning up the partial file). Returns the byte count.
install_plugin: One-shot helper: parse coords, fetch release, resolve, download, verify. Equivalent to chaining the lower-level functions but matches typical CLI usage.
resolve_release: Resolve a plugin’s release into a downloadable entry. Thin adapter over resolve_release_with_contract using PluginExtractContract; preserved for backward compat with all existing callers (src/plugin_install.rs, src/plugin_admin.rs).
resolve_release_with_contract: Resolve a release into a downloadable entry parameterized by an ExtractContract. The contract decides which manifest asset to fetch and how to parse it; everything else (semver from tag, tarball naming with <id>-<version>- <target>.tar.gz shape, noarch fallback, sha256 sibling lookup, cosign material) is shared across all contracts.

Type Aliases§

PluginCoordsDeprecated: Legacy alias preserved so existing callers (src/plugin_install.rs, src/plugin_admin.rs) keep compiling while downstream migrations land. Prefer RepoCoords in new code.