Our build system caches files locally and only updates them when something
changes. Since I need to integrate some distsign stuff into the build system
to validate our Windows 7 MSIs, I want to be able to check the cached copy
of a package before downloading a fresh copy from pkgs.
If the signature changes, then obviously the local copy is outdated and we
return an error, at which point we call Download to refresh the package.
Updates https://github.com/tailscale/corp/issues/14334
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
Reimplement `downloadURLToFile` using `distsign.Download` and move all
of the progress reporting logic over there.
Updates #6995
Updates #755
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
To make key management less error-prone, use different PEM block types
for root and signing keys. As a result, separate out most of the Go code
between root/signing keys too.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This library is intended for use during release to sign packages which
are then served from pkgs.tailscale.com.
The library is also then used by clients downloading packages for
`tailscale update` where OS package managers / app stores aren't used.
Updates https://github.com/tailscale/tailscale/issues/8760
Updates https://github.com/tailscale/tailscale/issues/6995
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
