[client, management] auto-update (#4732)

2026-04-16 07:16:38 +00:00 · 2025-12-19 19:57:39 +01:00
parent 537151e0f3
commit 011cc81678
87 changed files with 9720 additions and 716 deletions
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -85,6 +85,9 @@ var (

 // Execute executes the root command.
 func Execute() error {
+	if isUpdateBinary() {
+		return updateCmd.Execute()
+	}
 	return rootCmd.Execute()
 }

--- a/client/cmd/signer/artifactkey.go
+++ b/client/cmd/signer/artifactkey.go
@@ -0,0 +1,176 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
+)
+
+var (
+	bundlePubKeysRootPrivKeyFile string
+	bundlePubKeysPubKeyFiles     []string
+	bundlePubKeysFile            string
+
+	createArtifactKeyRootPrivKeyFile string
+	createArtifactKeyPrivKeyFile     string
+	createArtifactKeyPubKeyFile      string
+	createArtifactKeyExpiration      time.Duration
+)
+
+var createArtifactKeyCmd = &cobra.Command{
+	Use:   "create-artifact-key",
+	Short: "Create a new artifact signing key",
+	Long: `Generate a new artifact signing key pair signed by the root private key.
+The artifact key will be used to sign software artifacts/updates.`,
+	SilenceUsage: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if createArtifactKeyExpiration <= 0 {
+			return fmt.Errorf("--expiration must be a positive duration (e.g., 720h, 365d, 8760h)")
+		}
+
+		if err := handleCreateArtifactKey(cmd, createArtifactKeyRootPrivKeyFile, createArtifactKeyPrivKeyFile, createArtifactKeyPubKeyFile, createArtifactKeyExpiration); err != nil {
+			return fmt.Errorf("failed to create artifact key: %w", err)
+		}
+		return nil
+	},
+}
+
+var bundlePubKeysCmd = &cobra.Command{
+	Use:   "bundle-pub-keys",
+	Short: "Bundle multiple artifact public keys into a signed package",
+	Long: `Bundle one or more artifact public keys into a signed package using the root private key.
+This command is typically used to distribute or authorize a set of valid artifact signing keys.`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if len(bundlePubKeysPubKeyFiles) == 0 {
+			return fmt.Errorf("at least one --artifact-pub-key-file must be provided")
+		}
+
+		if err := handleBundlePubKeys(cmd, bundlePubKeysRootPrivKeyFile, bundlePubKeysPubKeyFiles, bundlePubKeysFile); err != nil {
+			return fmt.Errorf("failed to bundle public keys: %w", err)
+		}
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(createArtifactKeyCmd)
+
+	createArtifactKeyCmd.Flags().StringVar(&createArtifactKeyRootPrivKeyFile, "root-private-key-file", "", "Path to the root private key file used to sign the artifact key")
+	createArtifactKeyCmd.Flags().StringVar(&createArtifactKeyPrivKeyFile, "artifact-priv-key-file", "", "Path where the artifact private key will be saved")
+	createArtifactKeyCmd.Flags().StringVar(&createArtifactKeyPubKeyFile, "artifact-pub-key-file", "", "Path where the artifact public key will be saved")
+	createArtifactKeyCmd.Flags().DurationVar(&createArtifactKeyExpiration, "expiration", 0, "Expiration duration for the artifact key (e.g., 720h, 365d, 8760h)")
+
+	if err := createArtifactKeyCmd.MarkFlagRequired("root-private-key-file"); err != nil {
+		panic(fmt.Errorf("mark root-private-key-file as required: %w", err))
+	}
+	if err := createArtifactKeyCmd.MarkFlagRequired("artifact-priv-key-file"); err != nil {
+		panic(fmt.Errorf("mark artifact-priv-key-file as required: %w", err))
+	}
+	if err := createArtifactKeyCmd.MarkFlagRequired("artifact-pub-key-file"); err != nil {
+		panic(fmt.Errorf("mark artifact-pub-key-file as required: %w", err))
+	}
+	if err := createArtifactKeyCmd.MarkFlagRequired("expiration"); err != nil {
+		panic(fmt.Errorf("mark expiration as required: %w", err))
+	}
+
+	rootCmd.AddCommand(bundlePubKeysCmd)
+
+	bundlePubKeysCmd.Flags().StringVar(&bundlePubKeysRootPrivKeyFile, "root-private-key-file", "", "Path to the root private key file used to sign the bundle")
+	bundlePubKeysCmd.Flags().StringArrayVar(&bundlePubKeysPubKeyFiles, "artifact-pub-key-file", nil, "Path(s) to the artifact public key files to include in the bundle (can be repeated)")
+	bundlePubKeysCmd.Flags().StringVar(&bundlePubKeysFile, "bundle-pub-key-file", "", "Path where the public keys will be saved")
+
+	if err := bundlePubKeysCmd.MarkFlagRequired("root-private-key-file"); err != nil {
+		panic(fmt.Errorf("mark root-private-key-file as required: %w", err))
+	}
+	if err := bundlePubKeysCmd.MarkFlagRequired("artifact-pub-key-file"); err != nil {
+		panic(fmt.Errorf("mark artifact-pub-key-file as required: %w", err))
+	}
+	if err := bundlePubKeysCmd.MarkFlagRequired("bundle-pub-key-file"); err != nil {
+		panic(fmt.Errorf("mark bundle-pub-key-file as required: %w", err))
+	}
+}
+
+func handleCreateArtifactKey(cmd *cobra.Command, rootPrivKeyFile, artifactPrivKeyFile, artifactPubKeyFile string, expiration time.Duration) error {
+	cmd.Println("Creating new artifact signing key...")
+
+	privKeyPEM, err := os.ReadFile(rootPrivKeyFile)
+	if err != nil {
+		return fmt.Errorf("read root private key file: %w", err)
+	}
+
+	privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
+	if err != nil {
+		return fmt.Errorf("failed to parse private root key: %w", err)
+	}
+
+	artifactKey, privPEM, pubPEM, signature, err := reposign.GenerateArtifactKey(privateRootKey, expiration)
+	if err != nil {
+		return fmt.Errorf("generate artifact key: %w", err)
+	}
+
+	if err := os.WriteFile(artifactPrivKeyFile, privPEM, 0o600); err != nil {
+		return fmt.Errorf("write private key file (%s): %w", artifactPrivKeyFile, err)
+	}
+
+	if err := os.WriteFile(artifactPubKeyFile, pubPEM, 0o600); err != nil {
+		return fmt.Errorf("write public key file (%s): %w", artifactPubKeyFile, err)
+	}
+
+	signatureFile := artifactPubKeyFile + ".sig"
+	if err := os.WriteFile(signatureFile, signature, 0o600); err != nil {
+		return fmt.Errorf("write signature file (%s): %w", signatureFile, err)
+	}
+
+	cmd.Printf("✅ Artifact key created successfully.\n")
+	cmd.Printf("%s\n", artifactKey.String())
+	return nil
+}
+
+func handleBundlePubKeys(cmd *cobra.Command, rootPrivKeyFile string, artifactPubKeyFiles []string, bundlePubKeysFile string) error {
+	cmd.Println("📦 Bundling public keys into signed package...")
+
+	privKeyPEM, err := os.ReadFile(rootPrivKeyFile)
+	if err != nil {
+		return fmt.Errorf("read root private key file: %w", err)
+	}
+
+	privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
+	if err != nil {
+		return fmt.Errorf("failed to parse private root key: %w", err)
+	}
+
+	publicKeys := make([]reposign.PublicKey, 0, len(artifactPubKeyFiles))
+	for _, pubFile := range artifactPubKeyFiles {
+		pubPem, err := os.ReadFile(pubFile)
+		if err != nil {
+			return fmt.Errorf("read public key file: %w", err)
+		}
+
+		pk, err := reposign.ParseArtifactPubKey(pubPem)
+		if err != nil {
+			return fmt.Errorf("failed to parse artifact key: %w", err)
+		}
+		publicKeys = append(publicKeys, pk)
+	}
+
+	parsedKeys, signature, err := reposign.BundleArtifactKeys(privateRootKey, publicKeys)
+	if err != nil {
+		return fmt.Errorf("bundle artifact keys: %w", err)
+	}
+
+	if err := os.WriteFile(bundlePubKeysFile, parsedKeys, 0o600); err != nil {
+		return fmt.Errorf("write public keys file (%s): %w", bundlePubKeysFile, err)
+	}
+
+	signatureFile := bundlePubKeysFile + ".sig"
+	if err := os.WriteFile(signatureFile, signature, 0o600); err != nil {
+		return fmt.Errorf("write signature file (%s): %w", signatureFile, err)
+	}
+
+	cmd.Printf("✅ Bundle created with %d public keys.\n", len(artifactPubKeyFiles))
+	return nil
+}
--- a/client/cmd/signer/artifactsign.go
+++ b/client/cmd/signer/artifactsign.go
@@ -0,0 +1,276 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
+)
+
+const (
+	envArtifactPrivateKey = "NB_ARTIFACT_PRIV_KEY"
+)
+
+var (
+	signArtifactPrivKeyFile  string
+	signArtifactArtifactFile string
+
+	verifyArtifactPubKeyFile    string
+	verifyArtifactFile          string
+	verifyArtifactSignatureFile string
+
+	verifyArtifactKeyPubKeyFile     string
+	verifyArtifactKeyRootPubKeyFile string
+	verifyArtifactKeySignatureFile  string
+	verifyArtifactKeyRevocationFile string
+)
+
+var signArtifactCmd = &cobra.Command{
+	Use:   "sign-artifact",
+	Short: "Sign an artifact using an artifact private key",
+	Long: `Sign a software artifact (e.g., update bundle or binary) using the artifact's private key.
+This command produces a detached signature that can be verified using the corresponding artifact public key.`,
+	SilenceUsage: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := handleSignArtifact(cmd, signArtifactPrivKeyFile, signArtifactArtifactFile); err != nil {
+			return fmt.Errorf("failed to sign artifact: %w", err)
+		}
+		return nil
+	},
+}
+
+var verifyArtifactCmd = &cobra.Command{
+	Use:          "verify-artifact",
+	Short:        "Verify an artifact signature using an artifact public key",
+	Long:         `Verify a software artifact signature using the artifact's public key.`,
+	SilenceUsage: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := handleVerifyArtifact(cmd, verifyArtifactPubKeyFile, verifyArtifactFile, verifyArtifactSignatureFile); err != nil {
+			return fmt.Errorf("failed to verify artifact: %w", err)
+		}
+		return nil
+	},
+}
+
+var verifyArtifactKeyCmd = &cobra.Command{
+	Use:   "verify-artifact-key",
+	Short: "Verify an artifact public key was signed by a root key",
+	Long: `Verify that an artifact public key (or bundle) was properly signed by a root key.
+This validates the chain of trust from the root key to the artifact key.`,
+	SilenceUsage: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := handleVerifyArtifactKey(cmd, verifyArtifactKeyPubKeyFile, verifyArtifactKeyRootPubKeyFile, verifyArtifactKeySignatureFile, verifyArtifactKeyRevocationFile); err != nil {
+			return fmt.Errorf("failed to verify artifact key: %w", err)
+		}
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(signArtifactCmd)
+	rootCmd.AddCommand(verifyArtifactCmd)
+	rootCmd.AddCommand(verifyArtifactKeyCmd)
+
+	signArtifactCmd.Flags().StringVar(&signArtifactPrivKeyFile, "artifact-key-file", "", fmt.Sprintf("Path to the artifact private key file used for signing (or set %s env var)", envArtifactPrivateKey))
+	signArtifactCmd.Flags().StringVar(&signArtifactArtifactFile, "artifact-file", "", "Path to the artifact to be signed")
+
+	// artifact-file is required, but artifact-key-file can come from env var
+	if err := signArtifactCmd.MarkFlagRequired("artifact-file"); err != nil {
+		panic(fmt.Errorf("mark artifact-file as required: %w", err))
+	}
+
+	verifyArtifactCmd.Flags().StringVar(&verifyArtifactPubKeyFile, "artifact-public-key-file", "", "Path to the artifact public key file")
+	verifyArtifactCmd.Flags().StringVar(&verifyArtifactFile, "artifact-file", "", "Path to the artifact to be verified")
+	verifyArtifactCmd.Flags().StringVar(&verifyArtifactSignatureFile, "signature-file", "", "Path to the signature file")
+
+	if err := verifyArtifactCmd.MarkFlagRequired("artifact-public-key-file"); err != nil {
+		panic(fmt.Errorf("mark artifact-public-key-file as required: %w", err))
+	}
+	if err := verifyArtifactCmd.MarkFlagRequired("artifact-file"); err != nil {
+		panic(fmt.Errorf("mark artifact-file as required: %w", err))
+	}
+	if err := verifyArtifactCmd.MarkFlagRequired("signature-file"); err != nil {
+		panic(fmt.Errorf("mark signature-file as required: %w", err))
+	}
+
+	verifyArtifactKeyCmd.Flags().StringVar(&verifyArtifactKeyPubKeyFile, "artifact-key-file", "", "Path to the artifact public key file or bundle")
+	verifyArtifactKeyCmd.Flags().StringVar(&verifyArtifactKeyRootPubKeyFile, "root-key-file", "", "Path to the root public key file or bundle")
+	verifyArtifactKeyCmd.Flags().StringVar(&verifyArtifactKeySignatureFile, "signature-file", "", "Path to the signature file")
+	verifyArtifactKeyCmd.Flags().StringVar(&verifyArtifactKeyRevocationFile, "revocation-file", "", "Path to the revocation list file (optional)")
+
+	if err := verifyArtifactKeyCmd.MarkFlagRequired("artifact-key-file"); err != nil {
+		panic(fmt.Errorf("mark artifact-key-file as required: %w", err))
+	}
+	if err := verifyArtifactKeyCmd.MarkFlagRequired("root-key-file"); err != nil {
+		panic(fmt.Errorf("mark root-key-file as required: %w", err))
+	}
+	if err := verifyArtifactKeyCmd.MarkFlagRequired("signature-file"); err != nil {
+		panic(fmt.Errorf("mark signature-file as required: %w", err))
+	}
+}
+
+func handleSignArtifact(cmd *cobra.Command, privKeyFile, artifactFile string) error {
+	cmd.Println("🖋️  Signing artifact...")
+
+	// Load private key from env var or file
+	var privKeyPEM []byte
+	var err error
+
+	if envKey := os.Getenv(envArtifactPrivateKey); envKey != "" {
+		// Use key from environment variable
+		privKeyPEM = []byte(envKey)
+	} else if privKeyFile != "" {
+		// Fall back to file
+		privKeyPEM, err = os.ReadFile(privKeyFile)
+		if err != nil {
+			return fmt.Errorf("read private key file: %w", err)
+		}
+	} else {
+		return fmt.Errorf("artifact private key must be provided via %s environment variable or --artifact-key-file flag", envArtifactPrivateKey)
+	}
+
+	privateKey, err := reposign.ParseArtifactKey(privKeyPEM)
+	if err != nil {
+		return fmt.Errorf("failed to parse artifact private key: %w", err)
+	}
+
+	artifactData, err := os.ReadFile(artifactFile)
+	if err != nil {
+		return fmt.Errorf("read artifact file: %w", err)
+	}
+
+	signature, err := reposign.SignData(privateKey, artifactData)
+	if err != nil {
+		return fmt.Errorf("sign artifact: %w", err)
+	}
+
+	sigFile := artifactFile + ".sig"
+	if err := os.WriteFile(artifactFile+".sig", signature, 0o600); err != nil {
+		return fmt.Errorf("write signature file (%s): %w", sigFile, err)
+	}
+
+	cmd.Printf("✅ Artifact signed successfully.\n")
+	cmd.Printf("Signature file: %s\n", sigFile)
+	return nil
+}
+
+func handleVerifyArtifact(cmd *cobra.Command, pubKeyFile, artifactFile, signatureFile string) error {
+	cmd.Println("🔍 Verifying artifact...")
+
+	// Read artifact public key
+	pubKeyPEM, err := os.ReadFile(pubKeyFile)
+	if err != nil {
+		return fmt.Errorf("read public key file: %w", err)
+	}
+
+	publicKey, err := reposign.ParseArtifactPubKey(pubKeyPEM)
+	if err != nil {
+		return fmt.Errorf("failed to parse artifact public key: %w", err)
+	}
+
+	// Read artifact data
+	artifactData, err := os.ReadFile(artifactFile)
+	if err != nil {
+		return fmt.Errorf("read artifact file: %w", err)
+	}
+
+	// Read signature
+	sigBytes, err := os.ReadFile(signatureFile)
+	if err != nil {
+		return fmt.Errorf("read signature file: %w", err)
+	}
+
+	signature, err := reposign.ParseSignature(sigBytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse signature: %w", err)
+	}
+
+	// Validate artifact
+	if err := reposign.ValidateArtifact([]reposign.PublicKey{publicKey}, artifactData, *signature); err != nil {
+		return fmt.Errorf("artifact verification failed: %w", err)
+	}
+
+	cmd.Println("✅ Artifact signature is valid")
+	cmd.Printf("Artifact: %s\n", artifactFile)
+	cmd.Printf("Signed by key: %s\n", signature.KeyID)
+	cmd.Printf("Signature timestamp: %s\n", signature.Timestamp.Format("2006-01-02 15:04:05 MST"))
+	return nil
+}
+
+func handleVerifyArtifactKey(cmd *cobra.Command, artifactKeyFile, rootKeyFile, signatureFile, revocationFile string) error {
+	cmd.Println("🔍 Verifying artifact key...")
+
+	// Read artifact key data
+	artifactKeyData, err := os.ReadFile(artifactKeyFile)
+	if err != nil {
+		return fmt.Errorf("read artifact key file: %w", err)
+	}
+
+	// Read root public key(s)
+	rootKeyData, err := os.ReadFile(rootKeyFile)
+	if err != nil {
+		return fmt.Errorf("read root key file: %w", err)
+	}
+
+	rootPublicKeys, err := parseRootPublicKeys(rootKeyData)
+	if err != nil {
+		return fmt.Errorf("failed to parse root public key(s): %w", err)
+	}
+
+	// Read signature
+	sigBytes, err := os.ReadFile(signatureFile)
+	if err != nil {
+		return fmt.Errorf("read signature file: %w", err)
+	}
+
+	signature, err := reposign.ParseSignature(sigBytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse signature: %w", err)
+	}
+
+	// Read optional revocation list
+	var revocationList *reposign.RevocationList
+	if revocationFile != "" {
+		revData, err := os.ReadFile(revocationFile)
+		if err != nil {
+			return fmt.Errorf("read revocation file: %w", err)
+		}
+
+		revocationList, err = reposign.ParseRevocationList(revData)
+		if err != nil {
+			return fmt.Errorf("failed to parse revocation list: %w", err)
+		}
+	}
+
+	// Validate artifact key(s)
+	validKeys, err := reposign.ValidateArtifactKeys(rootPublicKeys, artifactKeyData, *signature, revocationList)
+	if err != nil {
+		return fmt.Errorf("artifact key verification failed: %w", err)
+	}
+
+	cmd.Println("✅ Artifact key(s) verified successfully")
+	cmd.Printf("Signed by root key: %s\n", signature.KeyID)
+	cmd.Printf("Signature timestamp: %s\n", signature.Timestamp.Format("2006-01-02 15:04:05 MST"))
+	cmd.Printf("\nValid artifact keys (%d):\n", len(validKeys))
+	for i, key := range validKeys {
+		cmd.Printf("  [%d] Key ID: %s\n", i+1, key.Metadata.ID)
+		cmd.Printf("      Created: %s\n", key.Metadata.CreatedAt.Format("2006-01-02 15:04:05 MST"))
+		if !key.Metadata.ExpiresAt.IsZero() {
+			cmd.Printf("      Expires: %s\n", key.Metadata.ExpiresAt.Format("2006-01-02 15:04:05 MST"))
+		} else {
+			cmd.Printf("      Expires: Never\n")
+		}
+	}
+	return nil
+}
+
+// parseRootPublicKeys parses a root public key from PEM data
+func parseRootPublicKeys(data []byte) ([]reposign.PublicKey, error) {
+	key, err := reposign.ParseRootPublicKey(data)
+	if err != nil {
+		return nil, err
+	}
+	return []reposign.PublicKey{key}, nil
+}
--- a/client/cmd/signer/main.go
+++ b/client/cmd/signer/main.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "signer",
+	Short: "A CLI tool for managing cryptographic keys and artifacts",
+	Long: `signer is a command-line tool that helps you manage
+root keys, artifact keys, and revocation lists securely.`,
+}
+
+func main() {
+	if err := rootCmd.Execute(); err != nil {
+		rootCmd.Println(err)
+		os.Exit(1)
+	}
+}
--- a/client/cmd/signer/revocation.go
+++ b/client/cmd/signer/revocation.go
@@ -0,0 +1,220 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
+)
+
+const (
+	defaultRevocationListExpiration = 365 * 24 * time.Hour // 1 year
+)
+
+var (
+	keyID              string
+	revocationListFile string
+	privateRootKeyFile string
+	publicRootKeyFile  string
+	signatureFile      string
+	expirationDuration time.Duration
+)
+
+var createRevocationListCmd = &cobra.Command{
+	Use:          "create-revocation-list",
+	Short:        "Create a new revocation list signed by the private root key",
+	SilenceUsage: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return handleCreateRevocationList(cmd, revocationListFile, privateRootKeyFile)
+	},
+}
+
+var extendRevocationListCmd = &cobra.Command{
+	Use:          "extend-revocation-list",
+	Short:        "Extend an existing revocation list with a given key ID",
+	SilenceUsage: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return handleExtendRevocationList(cmd, keyID, revocationListFile, privateRootKeyFile)
+	},
+}
+
+var verifyRevocationListCmd = &cobra.Command{
+	Use:          "verify-revocation-list",
+	Short:        "Verify a revocation list signature using the public root key",
+	SilenceUsage: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return handleVerifyRevocationList(cmd, revocationListFile, signatureFile, publicRootKeyFile)
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(createRevocationListCmd)
+	rootCmd.AddCommand(extendRevocationListCmd)
+	rootCmd.AddCommand(verifyRevocationListCmd)
+
+	createRevocationListCmd.Flags().StringVar(&revocationListFile, "revocation-list-file", "", "Path to the existing revocation list file")
+	createRevocationListCmd.Flags().StringVar(&privateRootKeyFile, "private-root-key", "", "Path to the private root key PEM file")
+	createRevocationListCmd.Flags().DurationVar(&expirationDuration, "expiration", defaultRevocationListExpiration, "Expiration duration for the revocation list (e.g., 8760h for 1 year)")
+	if err := createRevocationListCmd.MarkFlagRequired("revocation-list-file"); err != nil {
+		panic(err)
+	}
+	if err := createRevocationListCmd.MarkFlagRequired("private-root-key"); err != nil {
+		panic(err)
+	}
+
+	extendRevocationListCmd.Flags().StringVar(&keyID, "key-id", "", "ID of the key to extend the revocation list for")
+	extendRevocationListCmd.Flags().StringVar(&revocationListFile, "revocation-list-file", "", "Path to the existing revocation list file")
+	extendRevocationListCmd.Flags().StringVar(&privateRootKeyFile, "private-root-key", "", "Path to the private root key PEM file")
+	extendRevocationListCmd.Flags().DurationVar(&expirationDuration, "expiration", defaultRevocationListExpiration, "Expiration duration for the revocation list (e.g., 8760h for 1 year)")
+	if err := extendRevocationListCmd.MarkFlagRequired("key-id"); err != nil {
+		panic(err)
+	}
+	if err := extendRevocationListCmd.MarkFlagRequired("revocation-list-file"); err != nil {
+		panic(err)
+	}
+	if err := extendRevocationListCmd.MarkFlagRequired("private-root-key"); err != nil {
+		panic(err)
+	}
+
+	verifyRevocationListCmd.Flags().StringVar(&revocationListFile, "revocation-list-file", "", "Path to the revocation list file")
+	verifyRevocationListCmd.Flags().StringVar(&signatureFile, "signature-file", "", "Path to the signature file")
+	verifyRevocationListCmd.Flags().StringVar(&publicRootKeyFile, "public-root-key", "", "Path to the public root key PEM file")
+	if err := verifyRevocationListCmd.MarkFlagRequired("revocation-list-file"); err != nil {
+		panic(err)
+	}
+	if err := verifyRevocationListCmd.MarkFlagRequired("signature-file"); err != nil {
+		panic(err)
+	}
+	if err := verifyRevocationListCmd.MarkFlagRequired("public-root-key"); err != nil {
+		panic(err)
+	}
+}
+
+func handleCreateRevocationList(cmd *cobra.Command, revocationListFile string, privateRootKeyFile string) error {
+	privKeyPEM, err := os.ReadFile(privateRootKeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to read private root key file: %w", err)
+	}
+
+	privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
+	if err != nil {
+		return fmt.Errorf("failed to parse private root key: %w", err)
+	}
+
+	rlBytes, sigBytes, err := reposign.CreateRevocationList(*privateRootKey, expirationDuration)
+	if err != nil {
+		return fmt.Errorf("failed to create revocation list: %w", err)
+	}
+
+	if err := writeOutputFiles(revocationListFile, revocationListFile+".sig", rlBytes, sigBytes); err != nil {
+		return fmt.Errorf("failed to write output files: %w", err)
+	}
+
+	cmd.Println("✅ Revocation list created successfully")
+	return nil
+}
+
+func handleExtendRevocationList(cmd *cobra.Command, keyID, revocationListFile, privateRootKeyFile string) error {
+	privKeyPEM, err := os.ReadFile(privateRootKeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to read private root key file: %w", err)
+	}
+
+	privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
+	if err != nil {
+		return fmt.Errorf("failed to parse private root key: %w", err)
+	}
+
+	rlBytes, err := os.ReadFile(revocationListFile)
+	if err != nil {
+		return fmt.Errorf("failed to read revocation list file: %w", err)
+	}
+
+	rl, err := reposign.ParseRevocationList(rlBytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse revocation list: %w", err)
+	}
+
+	kid, err := reposign.ParseKeyID(keyID)
+	if err != nil {
+		return fmt.Errorf("invalid key ID: %w", err)
+	}
+
+	newRLBytes, sigBytes, err := reposign.ExtendRevocationList(*privateRootKey, *rl, kid, expirationDuration)
+	if err != nil {
+		return fmt.Errorf("failed to extend revocation list: %w", err)
+	}
+
+	if err := writeOutputFiles(revocationListFile, revocationListFile+".sig", newRLBytes, sigBytes); err != nil {
+		return fmt.Errorf("failed to write output files: %w", err)
+	}
+
+	cmd.Println("✅ Revocation list extended successfully")
+	return nil
+}
+
+func handleVerifyRevocationList(cmd *cobra.Command, revocationListFile, signatureFile, publicRootKeyFile string) error {
+	// Read revocation list file
+	rlBytes, err := os.ReadFile(revocationListFile)
+	if err != nil {
+		return fmt.Errorf("failed to read revocation list file: %w", err)
+	}
+
+	// Read signature file
+	sigBytes, err := os.ReadFile(signatureFile)
+	if err != nil {
+		return fmt.Errorf("failed to read signature file: %w", err)
+	}
+
+	// Read public root key file
+	pubKeyPEM, err := os.ReadFile(publicRootKeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to read public root key file: %w", err)
+	}
+
+	// Parse public root key
+	publicKey, err := reposign.ParseRootPublicKey(pubKeyPEM)
+	if err != nil {
+		return fmt.Errorf("failed to parse public root key: %w", err)
+	}
+
+	// Parse signature
+	signature, err := reposign.ParseSignature(sigBytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse signature: %w", err)
+	}
+
+	// Validate revocation list
+	rl, err := reposign.ValidateRevocationList([]reposign.PublicKey{publicKey}, rlBytes, *signature)
+	if err != nil {
+		return fmt.Errorf("failed to validate revocation list: %w", err)
+	}
+
+	// Display results
+	cmd.Println("✅ Revocation list signature is valid")
+	cmd.Printf("Last Updated: %s\n", rl.LastUpdated.Format(time.RFC3339))
+	cmd.Printf("Expires At: %s\n", rl.ExpiresAt.Format(time.RFC3339))
+	cmd.Printf("Number of revoked keys: %d\n", len(rl.Revoked))
+
+	if len(rl.Revoked) > 0 {
+		cmd.Println("\nRevoked Keys:")
+		for keyID, revokedTime := range rl.Revoked {
+			cmd.Printf("  - %s (revoked at: %s)\n", keyID, revokedTime.Format(time.RFC3339))
+		}
+	}
+
+	return nil
+}
+
+func writeOutputFiles(rlPath, sigPath string, rlBytes, sigBytes []byte) error {
+	if err := os.WriteFile(rlPath, rlBytes, 0o600); err != nil {
+		return fmt.Errorf("failed to write revocation list file: %w", err)
+	}
+	if err := os.WriteFile(sigPath, sigBytes, 0o600); err != nil {
+		return fmt.Errorf("failed to write signature file: %w", err)
+	}
+	return nil
+}
--- a/client/cmd/signer/rootkey.go
+++ b/client/cmd/signer/rootkey.go
@@ -0,0 +1,74 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
+)
+
+var (
+	privKeyFile    string
+	pubKeyFile     string
+	rootExpiration time.Duration
+)
+
+var createRootKeyCmd = &cobra.Command{
+	Use:          "create-root-key",
+	Short:        "Create a new root key pair",
+	Long:         `Create a new root key pair and specify an expiration time for it.`,
+	SilenceUsage: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		// Validate expiration
+		if rootExpiration <= 0 {
+			return fmt.Errorf("--expiration must be a positive duration (e.g., 720h, 365d, 8760h)")
+		}
+
+		// Run main logic
+		if err := handleGenerateRootKey(cmd, privKeyFile, pubKeyFile, rootExpiration); err != nil {
+			return fmt.Errorf("failed to generate root key: %w", err)
+		}
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(createRootKeyCmd)
+	createRootKeyCmd.Flags().StringVar(&privKeyFile, "priv-key-file", "", "Path to output private key file")
+	createRootKeyCmd.Flags().StringVar(&pubKeyFile, "pub-key-file", "", "Path to output public key file")
+	createRootKeyCmd.Flags().DurationVar(&rootExpiration, "expiration", 0, "Expiration time for the root key (e.g., 720h,)")
+
+	if err := createRootKeyCmd.MarkFlagRequired("priv-key-file"); err != nil {
+		panic(err)
+	}
+	if err := createRootKeyCmd.MarkFlagRequired("pub-key-file"); err != nil {
+		panic(err)
+	}
+	if err := createRootKeyCmd.MarkFlagRequired("expiration"); err != nil {
+		panic(err)
+	}
+}
+
+func handleGenerateRootKey(cmd *cobra.Command, privKeyFile, pubKeyFile string, expiration time.Duration) error {
+	rk, privPEM, pubPEM, err := reposign.GenerateRootKey(expiration)
+	if err != nil {
+		return fmt.Errorf("generate root key: %w", err)
+	}
+
+	// Write private key
+	if err := os.WriteFile(privKeyFile, privPEM, 0o600); err != nil {
+		return fmt.Errorf("write private key file (%s): %w", privKeyFile, err)
+	}
+
+	// Write public key
+	if err := os.WriteFile(pubKeyFile, pubPEM, 0o600); err != nil {
+		return fmt.Errorf("write public key file (%s): %w", pubKeyFile, err)
+	}
+
+	cmd.Printf("%s\n\n", rk.String())
+	cmd.Printf("✅ Root key pair generated successfully.\n")
+	return nil
+}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -197,7 +197,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	r := peer.NewRecorder(config.ManagementURL.String())
 	r.GetFullStatus()

-	connectClient := internal.NewConnectClient(ctx, config, r)
+	connectClient := internal.NewConnectClient(ctx, config, r, false)
 	SetupDebugHandler(ctx, config, r, connectClient, "")

 	return connectClient.Run(nil)
--- a/client/cmd/update.go
+++ b/client/cmd/update.go
@@ -0,0 +1,13 @@
+//go:build !windows && !darwin
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var updateCmd *cobra.Command
+
+func isUpdateBinary() bool {
+	return false
+}
--- a/client/cmd/update_supported.go
+++ b/client/cmd/update_supported.go
@@ -0,0 +1,75 @@
+//go:build windows || darwin
+
+package cmd
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/internal/updatemanager/installer"
+	"github.com/netbirdio/netbird/util"
+)
+
+var (
+	updateCmd = &cobra.Command{
+		Use:   "update",
+		Short: "Update the NetBird client application",
+		RunE:  updateFunc,
+	}
+
+	tempDirFlag    string
+	installerFile  string
+	serviceDirFlag string
+	dryRunFlag     bool
+)
+
+func init() {
+	updateCmd.Flags().StringVar(&tempDirFlag, "temp-dir", "", "temporary dir")
+	updateCmd.Flags().StringVar(&installerFile, "installer-file", "", "installer file")
+	updateCmd.Flags().StringVar(&serviceDirFlag, "service-dir", "", "service directory")
+	updateCmd.Flags().BoolVar(&dryRunFlag, "dry-run", false, "dry run the update process without making any changes")
+}
+
+// isUpdateBinary checks if the current executable is named "update" or "update.exe"
+func isUpdateBinary() bool {
+	// Remove extension for cross-platform compatibility
+	execPath, err := os.Executable()
+	if err != nil {
+		return false
+	}
+	baseName := filepath.Base(execPath)
+	name := strings.TrimSuffix(baseName, filepath.Ext(baseName))
+
+	return name == installer.UpdaterBinaryNameWithoutExtension()
+}
+
+func updateFunc(cmd *cobra.Command, args []string) error {
+	if err := setupLogToFile(tempDirFlag); err != nil {
+		return err
+	}
+
+	log.Infof("updater started: %s", serviceDirFlag)
+	updater := installer.NewWithDir(tempDirFlag)
+	if err := updater.Setup(context.Background(), dryRunFlag, installerFile, serviceDirFlag); err != nil {
+		log.Errorf("failed to update application: %v", err)
+		return err
+	}
+	return nil
+}
+
+func setupLogToFile(dir string) error {
+	logFile := filepath.Join(dir, installer.LogFile)
+
+	if _, err := os.Stat(logFile); err == nil {
+		if err := os.Remove(logFile); err != nil {
+			log.Errorf("failed to remove existing log file: %v\n", err)
+		}
+	}
+
+	return util.InitLog(logLevel, util.LogConsole, logFile)
+}