Implement Automatic Update Check, Download, and Installation #194

Open
morganava opened this issue Sep 15, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@morganava (Collaborator)
Ricochet-Refresh users have to manually check for new updates, as the deployed application has no mechanism for checking for upstream changes. If we deploy a critical bug fix, users have no way of automatically finding out.

Requirements:

  • poll-based updating
    • we don't want to push updates down to users, we don't want any kind of list of our users
  • anonymous version check/comparison
    • we don't want to be able to selectively notify users of updates; every update request should be the same to us
  • anonymous package download
    • we don't want to be able to apply targeted update packages
    • must offer the correct package (e.g. deb for deb installs, zip for portable windows, appimage, etc)
  • a way to signal to the user if the update is security-critical and urgent, vs just a feature update
    • an update will necessarily require restarting the application, so being able to signal hey update is here but it's just non-critical stuff will make users less annoyed
  • un-forgeable update payloads
    • need to cryptographically sign the update responses (i.e. data telling user about update packages) and the packages themselves
    • don't want it to be possible to deploy malicious updates if our infra is compromised
    • signing keys need to be able to be rotated, expire

Prior Art:

  • Tor Browser basically does all of these things, but there's not much that can be reused since it is very tied to the Mozilla/browser platform of Firefox
    • Need to look into exactly how mar files are signed, the signing key is managed, how key expiration works, etc

We will likely have to implement this in phases:

  • update check
    • notify user, hey go upgrade
  • package download
    • download appropriate full installation package to user-specified location
  • build-to-build update download+apply
    • download binary diff, kill app, update app, re-launch app

Design:

  • update responses and packages hosted on an onion-service HTTP server
  • update responses: json files containing info about the latest version:
    • OS min version requirements
    • URLs of available update files
    • type of update file (i.e. package type)
  • update responses+packages signed with secret key, public key packaged in deployed releases
    • file signatures must be verified before using
  • update checks:
    • on launch and then after a certain time period (~1 day) download the current update responses
    • download appropriate build-to-build upgrade file, or signal package availability to user (e.g. offer to download new installer.exe)
      • determined by user's system, and the downloaded update responses
  • updater (for build-to-build upgrades)
    • downloads signed binary patch
    • verify patch's signature
    • launch updater binary
    • kill app
    • updater applies patch
    • re-start app
morganava added the enhancement label on Sep 15, 2024
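The signed-response part of the design above, written out as an added illustration in Go; this is not Ricochet-Refresh code and the project has not published an updater, so the JSON field names, the key id, the version string and the onion URL are all constructed. It uses Ed25519 from the Go standard library as the signature scheme (the issue only says "signed with secret key"), keeps the exact signed bytes in the envelope so the client verifies before it parses anything, rejects unknown and expired keys so keys pinned in a release can be rotated, and selects the package matching the user's OS and install type.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// UpdateFile describes one downloadable package (hypothetical field names).
type UpdateFile struct {
	OS   string `json:"os"`   // "linux", "windows", ...
	Type string `json:"type"` // "deb", "zip", "appimage", ...
	URL  string `json:"url"`  // onion-service URL of the package
}

// UpdateResponse is the JSON update response the client polls for (hypothetical layout).
type UpdateResponse struct {
	Version  string       `json:"version"`
	Critical bool         `json:"critical"` // security-critical and urgent, vs. a feature update
	Files    []UpdateFile `json:"files"`
}

// SignedResponse keeps the exact bytes that were signed, so the client verifies before it parses.
type SignedResponse struct {
	KeyID     string `json:"key_id"`
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"` // Ed25519 over Payload
}

// TrustedKey is a public key shipped inside a release; Expires lets keys be rotated.
type TrustedKey struct {
	ID      string
	Public  ed25519.PublicKey
	Expires time.Time
}

// Sign is the publisher side: run offline with the secret key, never on the web host.
func Sign(resp UpdateResponse, keyID string, priv ed25519.PrivateKey) (SignedResponse, error) {
	payload, err := json.Marshal(resp)
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{KeyID: keyID, Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify rejects unknown or expired keys and bad signatures before decoding the payload.
func Verify(signed SignedResponse, trusted []TrustedKey, now time.Time) (*UpdateResponse, error) {
	var key *TrustedKey
	for i := range trusted {
		if trusted[i].ID == signed.KeyID {
			key = &trusted[i]
		}
	}
	switch {
	case key == nil:
		return nil, errors.New("update response signed with unknown key")
	case now.After(key.Expires):
		return nil, fmt.Errorf("signing key %q expired on %s", key.ID, key.Expires.Format(time.RFC3339))
	case !ed25519.Verify(key.Public, signed.Payload, signed.Signature):
		return nil, errors.New("bad signature on update response")
	}
	var resp UpdateResponse
	if err := json.Unmarshal(signed.Payload, &resp); err != nil {
		return nil, fmt.Errorf("malformed update response: %w", err)
	}
	return &resp, nil
}

// SelectPackage returns the file for the user's OS and install type, or nil if none is offered.
func SelectPackage(resp *UpdateResponse, os, pkgType string) *UpdateFile {
	for i := range resp.Files {
		if resp.Files[i].OS == os && resp.Files[i].Type == pkgType {
			return &resp.Files[i]
		}
	}
	return nil
}

func main() {
	// Constructed demo: a release key, a signed response and one client-side check.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed, _ := Sign(UpdateResponse{Version: "3.0.22", Critical: true, Files: []UpdateFile{
		{OS: "linux", Type: "deb", URL: "http://<onion-address>.onion/ricochet-refresh_3.0.22.deb"}}}, "release-2024", priv)
	keys := []TrustedKey{{ID: "release-2024", Public: pub, Expires: time.Now().Add(365 * 24 * time.Hour)}}
	got, err := Verify(signed, keys, time.Now())
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("update %s available, critical=%v: %+v\n", got.Version, got.Critical, SelectPackage(got, "linux", "deb"))
}
```

Two points the code is built around: the signature covers the raw payload bytes rather than a re-serialised struct, so the client never has to reproduce the publisher's JSON encoding byte for byte; and the secret key is only ever used by the offline `Sign` step, which is what keeps a compromised onion-service host from minting updates. Version comparison is left out here; when it is added it should compare dotted components numerically, since a plain string compare would rank "3.0.9" above "3.0.10".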