Skip to content
Zyper Docs Beta

Updates & versioning

Zyper AIO checks for updates on launch and exposes a manual Check Updates chip in the sidebar.

What an update is

A new build of zyper-aio.exe plus a manifest pointing at it, both hosted on the Cloudflare R2 bucket behind license.zyper.app.

The current release of record is v0.32 (track via the sidebar version chip).

How the check works

  1. App fetches releases/latest.json from R2 via the license worker.
  2. Compares the manifest’s version against the running binary’s baked-in main.Version.
  3. If newer, downloads the new binary and verifies it.

What gets verified

Two Ed25519 signatures, both verified against a hardcoded public key shipped inside the desktop binary:

  1. Binary signature — over the bytes of the new .exe.
  2. Manifest signature — over the canonical manifest JSON.

Verifying both prevents two distinct attacks:

  • A swapped binary in the bucket (binary sig catches this).
  • A swapped manifest pointing at an older binary (rollback attack — manifest sig catches this).

If either signature fails, the updater refuses to apply and logs the failure.

In-place upgrade

On a successful verify, the updater swaps the .exe in place using a Windows rename trick (move running binary to a .old name, write the new file, restart on exit). The user clicks Restart now and lands on the new build.

This means don’t put zyper-aio.exe on a read-only path or anywhere your user account can’t write to. A folder under Documents\ or C:\Zyper\ is ideal.

Manifest schema (for advanced users)

The manifest is a small JSON with:

{
  "version": "0.32",
  "binary": {
    "url": "https://license.zyper.app/v1/download/asset?name=zyper-aio.exe",
    "sha256": "...",
    "signature": "..."
  },
  "extension": {
    "url": "https://license.zyper.app/v1/download/asset?name=zyper-capture.zip",
    "sha256": "..."
  },
  "manifest_signature": "..."
}

Only the binary block and version field are included in the signed canonical bytes of the manifest (today). The extension URL is fetched opportunistically and verified by SHA-256 only.

What if the update fails?

  • Signature failed — file an issue, but you can keep using the current version safely. The app will not “fall through” to a downgrade.
  • Download timed out — retry from the sidebar chip. The updater is resumption-safe; it doesn’t leave half-written files.
  • Disk full / no write permission — fix the underlying issue, retry.