Go-self-update lacks support for checking integrity of downloaded files.
For more advanced situation it's necessary to validate the hash or
verify against public signatures. This patch adds support for
SHA2 hash and ECDSA PublicKey signature validation.
SHA2 uses file with suffix `.sha256`, whereas ECDSA uses
`.sig` file endings. See `selfupdate/validate_test.go` for examples.
Signed-off-by: Tobias Kohlbau <t.kohlbau@myopenfactory.com>
regex \d+\.\d+\.\d+ is tested for repository tags. But it's not
sufficient. For example, '0.1.2.3.4' is not adopting a semantic
versioning, but can pass the regex.
- positional fields are better because it raises an error when missing
field is detected
- unnamed return value is better because it introduces simpler control
sequence. Previously I used it because rel.Version is added after
and the parse may cause an error. But now it is parsed more earlier
and not required in DetectLatest().