Add support for CLI update command

[aliask]

As requested by Phiz in #268, I have added support for a rocketpool update cli command which will:

• check what the latest version is via the Github API
• compare with local version, and download it if it's newer
• verify the PGP signature of the downloaded binary
• replace existing client if all the above goes well

There are some assumptions regarding the filenames in the release but these appear to be reasonably widely referenced already.

Optional flags included for this command:

• --force will attempt to update, even if Github version is same/older
• --skip-signature-verification will prevent any checks against the PGP signature
• --yes will automatically confirm the update

[angaz]

This is an awesome feature! I hope it gets merged soon.

[angaz]

os.Rename should replace the original file according to the docs: https://pkg.go.dev/os#Rename

So the os.Remove isn't needed.

[aliask]

Hi @SN9NV . I based this behaviour on this Stackoverflow question, but I just tested and it does appear to work without the unlink first.

[angaz]

When replacing the binary, the key is the the inode is different to the original executable. We have a new file created during the download process. So this is pretty safe. If we were using something else like truncate/copy, then we might still have the original inode, which can be problematic for the OS to deal with.

[angaz]

Please add some error context.

[angaz]

Please add some error context.

[angaz]

Please add some error context.

[angaz]

Please add some error context.

[angaz]

I see a few main sections to this function. I think it would be easier to see the main steps if they are split into their own functions. It would also help add context to the errors. I see the same error message repeated/similar to another one. What do you think?

[aliask]

Yes, I think that's a fair comment. I've split out the initial version check, and the download/verify sections into their own functions, and I think updateCLI is pretty readable now :)

[angaz]

Seems great. I tested the various flags and it seems to be working as expected.

There's just these two issues from golangci-lint:

update/update.go:135:14: Error return value of `output.Seek` is not checked (errcheck)
                output.Seek(0, io.SeekStart)
                           ^
update/update.go:16:2: SA1019: "golang.org/x/crypto/openpgp" is deprecated: this package is unmaintained except for security fixes. New applications should consider a more focused, modern alternative to OpenPGP for their specific task. If you are required to interoperate with OpenPGP systems and need a maintained package, consider a community fork. See https://golang.org/issue/44226. (staticcheck)
        "golang.org/x/crypto/openpgp"
        ^

Not critical things, but I think probably good to have a look at.

[aliask]

I've added a check for the Seek(), but the openpgp deprecation is a tricky one.
I couldn't find any third party libraries offering a drop-in functionality, but I'm not sure it's really that critical:

• Despite being officially deprecated, it appears to still be being updated - the last release was only a couple of weeks ago
• Other major projects are still depending on it, including geth

[angaz]

I've added a check for the Seek(), but the openpgp deprecation is a tricky one. I couldn't find any third party libraries offering a drop-in functionality, but I'm not sure it's really that critical:

* Despite being _officially_ deprecated, it appears to still be being updated - the last release was only a couple of weeks ago

* Other major projects are still depending on it, including [geth](https://github.com/ethereum/go-ethereum/blob/master/.golangci.yml#L53)

Looks good. Yeah I think it will be fine and we can replace the library if there's any CVEs. I'm pretty sure it will be perfectly fine.

[angaz]

I rate it's good to go. 🚀