Phase 2 security audit follow-up. Three independent hardenings against the unauthenticated daemon surface, the long-lived agent SSE stream and the self-update channel.

UPnP is now opt-in. The stream port + /hls endpoints have no auth, so publishing them on the WAN via the gateway was a default that exposed active downloads to anyone scanning the operator's external IP. New config downloads.enable_upnp (default false) gates the mapping; LAN and Tailscale clients continue to work unchanged. A startup log makes the new default visible.

The agent SSE reader now uses a bounded bufio.Scanner instead of an unbounded ReadString. A hostile or buggy server can no longer grow daemon memory by streaming a single line forever or by emitting unbounded data: continuation lines — both are capped at 256 KiB and 1 MiB respectively, and an error is surfaced so SignalLoop reconnects.

Self-update now verifies an ed25519 signature over checksums.txt when the binary was built with a release public key embedded (injected via goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion scripts/sign-checksums runs in the release workflow when both the public-key variable and the private-key secret are present, uploading checksums.txt.sig next to the existing checksums file. Builds without the embedded key continue to update with SHA256-only verification; a --allow-unsigned flag is provided so users on a signed build can still install pre-signing releases or recover from an accidental unsigned release. A new scripts/gen-release-key helper documents the one-time keypair generation procedure required before flipping signing on.
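The bounded SSE reader the commit message describes, written out as an added example (this is not unarr's own agent code): a bufio.Scanner whose buffer is allowed to grow only to 256 KiB per line, plus a separate 1 MiB cap on the accumulated data: continuation lines of one event. Both limits surface an error instead of allocating further, which is what lets a reconnect loop such as the SignalLoop mentioned above tear the connection down and retry. The caps are the two values the commit message states; the Event type, the error variables and the ReadEvents/CollectEvents names are my own, and the sample streams are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Caps taken from the commit message: one SSE line may not exceed 256 KiB and
// the accumulated data: payload of a single event may not exceed 1 MiB.
const (
	maxLineBytes  = 256 * 1024
	maxEventBytes = 1024 * 1024
)

var (
	ErrLineTooLong   = errors.New("sse: line exceeds 256 KiB")
	ErrEventTooLarge = errors.New("sse: event data exceeds 1 MiB")
)

// Event is a minimal parsed SSE event (hypothetical type for this example).
type Event struct {
	Name string
	Data string
}

// ReadEvents parses SSE frames from r and calls handle for each complete
// event. Memory stays bounded: the Scanner refuses to grow its buffer past
// maxLineBytes (reporting bufio.ErrTooLong), and the data accumulator refuses
// to grow past maxEventBytes. Either condition returns an error to the caller.
func ReadEvents(r io.Reader, handle func(Event) error) error {
	sc := bufio.NewScanner(r)
	// Start at 64 KiB; Scanner doubles the buffer only up to maxLineBytes.
	sc.Buffer(make([]byte, 0, 64*1024), maxLineBytes)

	var ev Event
	var data bytes.Buffer
	for sc.Scan() {
		line := sc.Text()
		switch {
		case line == "":
			// A blank line terminates the event; dispatch only if it carried data.
			if data.Len() > 0 {
				ev.Data = data.String()
				if err := handle(ev); err != nil {
					return err
				}
			}
			ev = Event{}
			data.Reset()
		case strings.HasPrefix(line, ":"):
			// Comment / keep-alive line: ignored.
		case strings.HasPrefix(line, "event:"):
			ev.Name = strings.TrimPrefix(strings.TrimPrefix(line, "event:"), " ")
		case strings.HasPrefix(line, "data:"):
			chunk := strings.TrimPrefix(strings.TrimPrefix(line, "data:"), " ")
			// +1 accounts for the newline that joins continuation lines.
			if data.Len()+len(chunk)+1 > maxEventBytes {
				return ErrEventTooLarge
			}
			if data.Len() > 0 {
				data.WriteByte('\n')
			}
			data.WriteString(chunk)
		}
	}
	// An event still pending at EOF is discarded, as the SSE spec requires.
	if err := sc.Err(); err != nil {
		if errors.Is(err, bufio.ErrTooLong) {
			return ErrLineTooLong
		}
		return err
	}
	return nil
}

// CollectEvents gathers every event from r into a slice (convenience wrapper).
func CollectEvents(r io.Reader) ([]Event, error) {
	var out []Event
	err := ReadEvents(r, func(e Event) error {
		out = append(out, e)
		return nil
	})
	return out, err
}

func main() {
	// Constructed benign stream: one named event, a keep-alive, one unnamed event.
	stream := "event: progress\ndata: {\"pct\":50}\n\n: keepalive\ndata: done\n\n"
	evs, err := CollectEvents(strings.NewReader(stream))
	fmt.Println(evs, err)

	// Constructed hostile stream: a single 300 KiB line that never ends.
	_, err = CollectEvents(strings.NewReader("data: " + strings.Repeat("a", 300*1024)))
	fmt.Println(err)
}
```

The important property is that neither cap is enforced by reading the whole input first: the Scanner stops the moment its buffer would exceed 256 KiB, and the data check runs before each continuation line is appended, so the worst case a misbehaving server can cause is one bounded allocation followed by a reconnect.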
74 lines
2.1 KiB
YAML
version: 2

project_name: unarr

# Pre-build hook: fetch static ffmpeg + ffprobe per platform so each
# release tarball ships them adjacent to the unarr binary. ResolveFFmpeg /
# ResolveFFprobe pick them up via the "adjacent to executable" branch — no
# system install or runtime download needed.
before:
  hooks:
    - bash scripts/download-ffmpeg-static.sh

builds:
  - main: ./cmd/unarr/
    binary: unarr
    env:
      - CGO_ENABLED=0
    goos:
      - linux
      - darwin
      - windows
    goarch:
      - amd64
      - arm64
    ldflags:
      - -s -w
      - -X github.com/torrentclaw/unarr/internal/cmd.Version={{.Version}}
      - -X github.com/torrentclaw/unarr/internal/sentry.dsn={{ .Env.SENTRY_DSN }}
      # Release-signing public key — verified by the self-updater against
      # checksums.txt.sig. Empty when not configured; in that case
      # signature verification is skipped and a warning is logged.
      - -X github.com/torrentclaw/unarr/internal/upgrade.releasePubKeyBase64={{ .Env.RELEASE_SIGNING_PUBKEY }}

archives:
  - formats: [tar.gz]
    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    format_overrides:
      - goos: windows
        formats: [zip]
    files:
      - LICENSE*
      - README*
      # Bundle the matching ffmpeg + ffprobe (filename includes .exe on Windows
      # because download-ffmpeg-static.sh writes ffmpeg.exe / ffprobe.exe there).
      - src: "dist-ffbinaries/{{ .Os }}-{{ .Arch }}/*"
        dst: .
        strip_parent: true
        info:
          mode: 0o755

checksum:
  name_template: "checksums.txt"

changelog:
  sort: asc
  filters:
    exclude:
      - "^docs:"
      - "^test:"
      - "^chore:"

# Homebrew tap — requires PAT with repo scope (not GITHUB_TOKEN)
# Enable when torrentclaw/homebrew-tap PAT is configured as HOMEBREW_TAP_TOKEN
# brews:
#   - repository:
#       owner: torrentclaw
#       name: homebrew-tap
#       token: "{{ .Env.HOMEBREW_TAP_TOKEN }}"
#     name: unarr
#     homepage: https://github.com/torrentclaw/unarr
#     description: "unarr — replaces the entire *arr stack"
#     license: MIT
#     install: |
#       bin.install "unarr"