Ricochet-Refresh users have to manually check for new updates, as the deployed application has no mechanism for checking for upstream changes. If we deploy a critical bug fix, users have no way of automatically finding out.
Requirements:
poll-based updating
we don't want to push updates down to users, we don't want any kind of list of our users
anonymous version check/comparison
we don't want to be able to selectively notify users of updates; every update request should be the same to us
anonymous package download
we don't want to be able to apply targeted update packages
must offer the correct package (e.g. deb for deb installs, zip for portable windows, appimage, etc)
a way to signal to the user if the update is security-critical and urgent, vs just a feature update
an update will necessarily require restarting the application, so being able to signal hey update is here but it's just non-critical stuff will make users less annoyed
un-forgeable update payloads
need to cryptographicly sign the update responses (i.e. data telling user about update packages) and the packages themselves
don't want it to be possible to deploy malicious updates if our infra is compromised
signing keys need to able to be rotated, expire
Prior Art:
Tor Browser basically does all of these things, but there's not much that can be-reused since it is very tied with the Mozilla/browser platform of Firefox
Need to look into exactly how mar files are signed, the signing key is managed, how key expiration works, etc
We will likely have to implement this in phases:
update check
notify user, hey go upgrade
package download
download appropriate full installation package to user-specified location
Ricochet-Refresh users have to manually check for new updates, as the deployed application has no mechanism for checking for upstream changes. If we deploy a critical bug fix, users have no way of automatically finding out.
Requirements:
Prior Art:
We will likely have to implement this in phases:
Design: