TL;DR: A self-updating CLI downloads a new copy of itself and then overwrites the running binary with it. go-tool-base’s update command did that over HTTPS but never checked what it actually received. Now it verifies the download’s SHA-256 against the GoReleaser-produced checksums.txt from the same release before installing. It fails open by default for backwards compatibility, fails closed when the tool author asks for it, and it’s honest about the one threat a same-origin checksum can’t cover.
The most trusting line of code in the tool
Self-update is a lovely feature. The user runs yourtool update, the tool fetches the latest release, swaps itself out, and they’re current. go-tool-base has had this since early on, wired to GitHub, GitLab, Bitbucket, Gitea and a few others.
But look closely at what that feature actually does. It reaches out to the internet, pulls down a file, and then replaces the executable that is currently running with that file. The next time the user invokes the tool, they are running whatever those bytes turned out to be.
The original implementation downloaded the release asset over HTTPS and extracted it. HTTPS gets you transport security: the bytes weren’t tampered with in flight. It tells you nothing about whether the bytes were right when they left, or whether they’re the bytes you meant to fetch. A truncated download, a CDN cache serving a mangled object, a release asset that was swapped after the fact — HTTPS waves all of those straight through. For the one operation in the whole tool that replaces the binary, “we didn’t check” is an uncomfortable place to be.
GoReleaser already does half the job
The good news is that the build side was already producing what I needed. GoReleaser, which builds go-tool-base’s releases, generates a checksums.txt for every release: one SHA-256 per published artefact, the same format sha256sum emits. It’s sitting right there as a release asset and nothing was reading it.
So Phase 1 of the integrity work is exactly that: read it.
When update downloads the platform binary, it now also fetches checksums.txt from the same release, looks up the entry for the asset it just pulled, and compares the SHA-256 of the downloaded bytes against the expected hash before anything gets extracted or installed. Mismatch, and the update aborts before it has touched the installed binary. The hash comparison runs in constant time, which is more defence-in-depth than strictly necessary here, but it costs nothing and means every hash comparison in the codebase is the same and audit-boring.
Fail open, or fail closed?
The interesting design question wasn’t the hashing. It was: what do you do when there is no checksums.txt?
Plenty of older releases predate this feature. A release might have been cut by hand without GoReleaser. If go-tool-base flatly refused to update whenever a manifest was missing, the very act of shipping this feature would brick the update path for every existing tool the moment they upgraded into it. That’s a cure worse than the disease.
So the default is fail-open: no manifest, log a clear warning, proceed. It matches how the existing offline-update path already behaved with its optional .sha256 sidecar, and it keeps upgrades working.
Fail-open as a default is not the same as fail-open being right for everyone, though. A security-sensitive tool should be able to say “no manifest, no update, full stop.” Two ways to get there:
- Tool authors flip a compile-time switch —
setup.DefaultRequireChecksum = trueinmain()— and their binary ships fail-closed from day one. - End users override either way through config (
update.require_checksum) or an environment variable.
go-tool-base itself ships with the strict setting turned on, because a tool whose entire job is being a careful framework should hold itself to the stricter bar.
The honest caveat
Here’s the part I want to be straight about, because security features oversell themselves constantly.
A checksum hosted next to the binary it describes protects you from accidents. Corruption, truncation, a CDN serving stale junk, a release asset that got partially clobbered. It does not protect you from a determined attacker who has compromised the release platform itself. If someone can replace the binary, they can replace checksums.txt in the same breath, and your tool will cheerfully verify a malicious download against a malicious manifest and pronounce it good.
That’s not a flaw in the implementation. It’s the inherent ceiling of same-origin integrity: the manifest and the artefact share a trust root, so they fall together. Closing that gap needs a signature whose trust root is somewhere the release platform can’t reach — a key the attacker doesn’t have. That’s the next phase of this work, and it’s a bigger piece: GPG-signing the manifest, with the public half both embedded in the binary and published independently so a single platform compromise isn’t enough.
Phase 1 is the floor, not the ceiling. But it’s a floor worth having, because the overwhelming majority of real-world “the download was wrong” incidents are accidents, not attacks, and accidents are exactly what a same-origin checksum catches.
Pulling it together
The update command is the most trusting code in a self-updating tool: it fetches bytes from the internet and then becomes them. go-tool-base now verifies the SHA-256 of every self-update download against the release’s own checksums.txt before installing. It fails open by default so shipping the feature doesn’t strand anyone on an un-updatable version, fails closed for tool authors who ask (go-tool-base itself does), and stays honest that a same-origin checksum stops accidents, not a platform compromise.
Verifying your own downloads is a low bar. The point is that the previous height of that bar was zero.