Agent Self-Updates
How Self-Updates Work
- During heartbeat, the backend includes the latest agent version information
- If a newer version is available, the agent downloads the new binary
- The agent verifies the binary's Ed25519 signature (a detached signature over the binary's SHA256 hash)
- The agent replaces itself with the new binary
- The service manager (systemd/SCM/launchd) restarts the agent
Version Management
Upload new agent versions through the web UI:
- Navigate to Agents → Versions
- Upload the new binary for each platform/architecture
- The backend automatically signs the binary with its Ed25519 private key
- Agents will pick up the update on their next heartbeat
Security
- Binaries are signed with Ed25519 — the server's private key signs the SHA256 hash
- The agent verifies the signature with the public key it received during enrollment
- Unsigned or tampered binaries are rejected
- Updates are delivered via HTTPS with TLS enforcement
Zero-Downtime
The update process is designed for zero downtime:
- New binary downloaded to a temporary location
- Signature verified
- Atomic rename replaces the old binary
- Service restarts automatically
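
The verify-then-swap sequence from "How Self-Updates Work" and "Zero-Downtime", as an added Go example (not the agent's own code). It assumes the signature covers the raw 32-byte SHA-256 digest and that the download already sits in the target's directory; applyUpdate and errBadSignature are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var errBadSignature = errors.New("update rejected: bad signature")

// applyUpdate (hypothetical name) verifies the detached Ed25519 signature over
// the SHA-256 digest of the downloaded file, then renames it over target.
// Assumption: the signature covers the raw 32-byte digest, not its hex form.
// tmpPath must sit in target's directory (rename is atomic only within one
// filesystem), and that directory must be writable only by the agent so the
// file cannot be swapped between the check and the rename.
func applyUpdate(pub ed25519.PublicKey, tmpPath, target string, sig []byte) error {
	if filepath.Dir(tmpPath) != filepath.Dir(target) {
		return fmt.Errorf("temp file must be in %s", filepath.Dir(target))
	}
	data, err := os.ReadFile(tmpPath)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(data)
	// ed25519.Verify panics on a wrong-sized key, so check the length first.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, digest[:], sig) {
		os.Remove(tmpPath) // reject: drop the download, keep the old binary
		return errBadSignature
	}
	if err := os.Chmod(tmpPath, 0o755); err != nil {
		return err
	}
	return os.Rename(tmpPath, target)
}

func main() {
	// Constructed demo: a throwaway key pair stands in for the server's key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	dir, _ := os.MkdirTemp("", "agent")
	defer os.RemoveAll(dir)
	tmp := filepath.Join(dir, "agent.new")
	os.WriteFile(tmp, []byte("constructed binary"), 0o600)
	digest := sha256.Sum256([]byte("constructed binary"))
	err := applyUpdate(pub, tmp, filepath.Join(dir, "agent"), ed25519.Sign(priv, digest[:]))
	fmt.Println("update applied:", err == nil)
}
```

The old binary is only ever replaced by a file that has already passed verification, so a failed or tampered download leaves the running version in place.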