lib/upgrade: Auto upgrade signature should cover version & arch (fixes #3044)

New signature is the HMAC of archive name (which includes the release version and architecture) plus the contents of the binary. This is expected in a new file "release.sig" which may be present in a subdirectory. The new release tools put this in [.]metadata/release.sig. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3043
2016-05-06 13:30:35 +00:00
parent 2ebc6996a2
commit d6a7ffe0d4
3 changed files with 40 additions and 21 deletions
--- a/lib/upgrade/upgrade_common.go
+++ b/lib/upgrade/upgrade_common.go
@@ -10,6 +10,7 @@ package upgrade
 import (
 	"errors"
 	"fmt"
+	"path"
 	"runtime"
 	"strconv"
 	"strings"
@@ -63,12 +64,12 @@ func To(rel Release) error {
 func ToURL(url string) error {
 	select {
 	case <-upgradeUnlocked:
-		path, err := osext.Executable()
+		binary, err := osext.Executable()
 		if err != nil {
 			upgradeUnlocked <- true
 			return err
 		}
-		err = upgradeToURL(path, url)
+		err = upgradeToURL(path.Base(url), binary, url)
 		// If we've failed to upgrade, unlock so that another attempt could be made
 		if err != nil {
 			upgradeUnlocked <- true
@@ -219,6 +220,10 @@ func versionParts(v string) ([]int, []interface{}) {
 }

 func releaseName(tag string) string {
+	// We must ensure that the release asset matches the expected naming
+	// standard, containing both the architecture/OS and the tag name we
+	// expect. This protects against malformed release data potentially
+	// tricking us into doing a downgrade.
 	switch runtime.GOOS {
 	case "darwin":
 		return fmt.Sprintf("syncthing-macosx-%s-%s.", runtime.GOARCH, tag)