From b1791639231917a4b075c2834632811f2db9b3d7 Mon Sep 17 00:00:00 2001 From: rhysd Date: Sat, 10 Nov 2018 12:52:51 +0900 Subject: [PATCH] tweak README [skip ci] --- README.md | 30 +++++++++++++++++++++++------- selfupdate/validate.go | 2 +- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 0b4ec08..fa011d2 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ GitHub and replaces itself. - Many archive and compression formats are supported (zip, tar, gzip, xzip) - Support private repositories - Support [GitHub Enterprise][] -- Support hash, signature validation +- Support hash, signature validation (thanks to [@tobiaskohlbau](https://github.com/tobiaskohlbau)) And small wrapper CLIs are provided: @@ -41,6 +41,8 @@ And small wrapper CLIs are provided: [go-github-selfupdate]: https://github.com/rhysd/go-github-selfupdate [GitHub Releases API]: https://developer.github.com/v3/repos/releases/ + + ## Try Out Example Example to understand what this library does is prepared as [CLI](./cmd/selfupdate-example/main.go). @@ -81,6 +83,8 @@ Following tools are using this library. - [akashic](https://github.com/cowlick/akashic) - [butler](https://github.com/netzkern/butler) + + ## Usage ### Code Usage @@ -225,6 +229,7 @@ API does not work without authentication. If your GitHub Enterprise instance's upload URL is different from the base URL, please also set `EnterpriseUploadURL` field + ### Naming Rules of Released Binaries go-github-selfupdate assumes that released binaries are put for each combination of platforms and archs. @@ -299,6 +304,7 @@ In summary, structure of releases on GitHub looks like: Tags which don't contain a version number are ignored (i.e. `nightly`). And releases marked as `pre-release` are also ignored. + ### Hash or Signature Validation go-github-selfupdate supports hash or signature validatiom of the downloaded files. It comes 
@@ -317,7 +323,7 @@ type Validator interface { } ``` -## SHA256 +#### SHA256 To verify the integrity by SHA256 generate a hash sum and save it within a file which has the same naming as original file with the suffix `.sha256`. @@ -326,7 +332,7 @@ For e.g. use sha256sum, the file `selfupdate/testdata/foo.zip.sha256` is generat sha256sum foo.zip > foo.zip.sha256 ``` -## ECDSA +#### ECDSA To verify the signature by ECDSA generate a signature and save it within a file which has the same naming as original file with the suffix `.sig`. For e.g. use openssl, the file `selfupdate/testdata/foo.zip.sig` is generated with: @@ -337,9 +343,11 @@ openssl dgst -sha256 -sign Test.pem -out foo.zip.sig foo.zip go-github-selfupdate makes use of go internal crypto package. Therefore the used private key has to be compatbile with FIPS 186-3. -### Development -#### Running tests + +## Development + +### Running tests All library sources are put in `/selfupdate` directory. So you can run tests as following at the top of the repository: @@ -360,7 +368,8 @@ Above command run almost all tests and it's enough to check the behavior before Some tests are still not tested because they depend on my personal API access token, though; for repositories on GitHub Enterprise or private repositories on GitHub. -#### Debugging + +### Debugging This library can output logs for debugging. By default, logger is disabled. You can enable the logger by following and can know the details of the self update. @@ -369,12 +378,15 @@ You can enable the logger by following and can know the details of the self upda selfupdate.EnableLog() ``` -#### CI + +### CI Tests run on CIs (Travis CI, Appveyor) are run with the token I generated. However, because of security reason, it is not used for the tests for pull requests. In the tests, a GitHub API token is not set and API rate limit is often exceeding. So please ignore the test failures on creating a pull request. + + ## Dependencies This library utilizes 
@@ -396,6 +408,8 @@ This library utilizes [semver]: https://github.com/blang/semver [xz]: https://github.com/ulikunitz/xz + + ## What is different from [tj/go-update][]? This library goal is the same as tj/go-update, but it's different in following points. @@ -410,6 +424,8 @@ tj/go-update: [tj/go-update]: https://github.com/tj/go-update + + ## License Distributed under the [MIT License](LICENSE) diff --git a/selfupdate/validate.go b/selfupdate/validate.go index 7d8a63f..10066aa 100644 --- a/selfupdate/validate.go +++ b/selfupdate/validate.go @@ -46,7 +46,7 @@ type ECDSAValidator struct { } // Validate validates the ECDSA signature the release against the signature -// contained in an addtional asset file. +// contained in an additional asset file. // additional asset file. func (v *ECDSAValidator) Validate(input, signature []byte) error { h := sha256.New()
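Review bot: the README hunk at `@@ -299,6 +304,7 @@` leaves "validatiom" in its trailing context line ("supports hash or signature validatiom of the downloaded files"). Since this commit is a README cleanup that already touches the line just above it, correct the spelling to "validation" in the same change.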
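Review bot: the SHA256 section re-leveled in the hunk at `@@ -317,7 +323,7 @@` is missing a statement of what each validator protects against. It tells users to save the hash in a file with "the same naming as original file with the suffix `.sha256`". A hash published beside the file it covers detects a corrupted or truncated download. It does not authenticate the publisher, because anyone able to replace the file can replace the hash with it. Add a sentence under the `#### SHA256` heading saying so and pointing to the `#### ECDSA` section for authenticity.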
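Review bot: in the README hunk at `@@ -337,9 +343,11 @@`, the context line "Therefore the used private key has to be compatbile with FIPS 186-3" keeps the typo "compatbile", and "go internal crypto package" reads more clearly as "Go's standard crypto package". Both sit directly above the `### Development` lines this hunk rewrites, so fix them here.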
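Review bot: in the `selfupdate/validate.go` hunk, the corrected line is followed by the unchanged context line `// additional asset file.`, so the doc comment on `Validate` now ends with "contained in an additional asset file." and then repeats "additional asset file." on the next line. Delete the leftover line in this change. The first line of the comment ("validates the ECDSA signature the release against the signature") is also missing "of" before "the release". Separately, the subject says "tweak README [skip ci]" while this hunk edits a Go source file. The edit is comment-only, but the subject should mention it, or the hunk should go in its own commit so CI is not skipped for a source change.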