feat: add release manifest and enforce certificate file verification in setupCertificate

UPDATE: Add '-no-sys' flag to skip certificate installation and system proxy setup; update README with usage examples; increment release version to 1.2-02
UPDATE: Consolidate release upload steps for Windows and macOS in build workflow
2026-05-26 18:53:28 +07:00 · 2026-05-26 14:27:36 +07:00 · 2026-05-24 10:25:05 +07:00
5 changed files with 41 additions and 44 deletions
@@ -36,29 +36,11 @@ jobs:
        run: |
          chmod +x ./script/release-uploader
-      - name: Upload Windows release
+      - name: Upload release
        env:
          REPO_TOKEN: ${{ secrets.REPO_TOKEN }}
        run: |
          script/release-uploader \
            -token="$REPO_TOKEN" \
            -release-url="https://git.kain.io.vn/api/v1/repos/Firefly-Shelter/FireflyGo_Proxy/releases" \
-            -files="firefly-go-proxy.exe"
+            -files="firefly-go-proxy.exe,firefly-go-proxy-macos-amd64,firefly-go-proxy-macos-arm64"
      - name: Upload macOS Intel release
        env:
          REPO_TOKEN: ${{ secrets.REPO_TOKEN }}
        run: |
          script/release-uploader \
            -token="$REPO_TOKEN" \
            -release-url="https://git.kain.io.vn/api/v1/repos/Firefly-Shelter/FireflyGo_Proxy/releases" \
            -files="firefly-go-proxy-macos-amd64"
      - name: Upload macOS ARM release
        env:
          REPO_TOKEN: ${{ secrets.REPO_TOKEN }}
        run: |
          script/release-uploader \
            -token="$REPO_TOKEN" \
            -release-url="https://git.kain.io.vn/api/v1/repos/Firefly-Shelter/FireflyGo_Proxy/releases" \
            -files="firefly-go-proxy-macos-arm64"
@@ -41,6 +41,7 @@ go build
 - `-b`: Comma-separated list of blocked ports
 - `-p`: Proxy listen port (default: auto)
 - `-e`: Path to an executable to run with admin privileges
 - `-no-sys`: Run only the proxy server; skip certificate installation, system proxy setup, and macOS/Linux admin relaunch
 ### Examples
@@ -76,6 +77,12 @@ go build
   On macOS/Linux, if the proxy is not already running as root, it relaunches with an administrator prompt. On Linux, logs from the elevated process are written to `/tmp/firefly-go-proxy.log`; on macOS, elevated process output is discarded.
 6. Start only the proxy server without changing system settings:
   ```bash
   ./firefly-proxy -no-sys -p 8888 //linux|macos
   ./firefly-proxy.exe -no-sys -p 8888 //windows
   ```
 ## How it works
 The proxy intercepts HTTP/HTTPS traffic and can:
@@ -10,13 +10,17 @@ import (
 const caCertName = "firefly-go-proxy-ca.crt"
-func setupCertificate() (*tls.Certificate, error) {
+func setupCertificate(installSystemCA bool) (*tls.Certificate, error) {
 	if _, err := os.Stat(caCertName); os.IsNotExist(err) {
 		if err := os.WriteFile(caCertName, goproxy.GoproxyCa.Certificate[0], 0644); err != nil {
 			return nil, err
 		}
 	}
 	if !installSystemCA {
 		return &goproxy.GoproxyCa, nil
 	}
 	absPath, err := filepath.Abs(caCertName)
 	if err != nil {
 		return nil, err
@@ -38,8 +38,10 @@ func main() {
 	proxyPort := flag.Int("p", 0, "proxy listen port (default: auto)")
 	exePath := flag.String("e", "", "path to the executable")
 	parentPID := flag.Int("parent-pid", 0, "parent process id to watch")
 	noSys := flag.Bool("no-sys", false, "skip certificate installation and system proxy setup")
 	flag.Parse()
 	if !*noSys {
 		relaunched, err := relaunchWithAdminIfNeeded()
 		if err != nil {
 			zlog.Error().Err(err).Msg("Failed to relaunch with admin privileges")
@@ -49,6 +51,7 @@ func main() {
 			zlog.Info().Msg("Relaunched with admin privileges")
 			return
 		}
 	}
 	blockedPorts := parseBlockedPorts(*blockedStr)
 	port := ""
@@ -66,7 +69,7 @@ func main() {
 		return
 	}
-	cert, err := setupCertificate()
+	cert, err := setupCertificate(!*noSys)
 	if err != nil {
 		zlog.Error().Err(err).Msg("Failed setup certificate")
 		return
@@ -74,29 +77,30 @@ func main() {
 	addr := ":" + port
 	proxyAddr := "127.0.0.1"
 	proxyEndpoint := proxyAddr + ":" + port
 	proxyEnabled := false
 	stopProxyRefresh := func() {}
 	defer func() {
 		stopProxyRefresh()
 		if r := recover(); r != nil {
 			zlog.Error().
 				Interface("panic", r).
 				Msg("Unexpected panic")
 		}
 		if proxyEnabled {
 			if err := setProxy(false, "", ""); err != nil {
 				zlog.Error().Err(err).Msg("Failed to reset system proxy")
 			}
 		}
 	}()
 	if !*noSys {
 		if err := setProxy(true, proxyAddr, port); err != nil {
 			zlog.Error().Err(err).Msg("Failed to set system proxy")
 			return
 		}
-	proxyEnabled = true
+		stopProxyRefresh := startProxyRefreshLoop(proxyAddr, port)
-	stopProxyRefresh = startProxyRefreshLoop(proxyAddr, port)
+		defer func() {
 			stopProxyRefresh()
 			if err := setProxy(false, "", ""); err != nil {
 				zlog.Error().Err(err).Msg("Failed to reset system proxy")
 			}
 		}()
 	} else {
 		zlog.Info().Msg("System certificate and proxy setup skipped")
 	}
 	customCaMitm := &goproxy.ConnectAction{Action: goproxy.ConnectMitm, TLSConfig: goproxy.TLSConfigFromCA(cert)}
 	var customAlwaysMitm goproxy.FuncHttpsHandler = func(host string, ctx *goproxy.ProxyCtx) (*goproxy.ConnectAction, string) {
@@ -1,5 +1,5 @@
 {
-    "tag": "1.2-01",
+    "tag": "1.2-03",
-    "title": "PreBuild Version 1.2 - 01"
+    "title": "PreBuild Version 1.2 - 03"
 }
Author	SHA1	Message	Date
Kain344	9cdd50f230	feat: add release manifest and enforce certificate file verification in setupCertificate Build and Release / release (push) Successful in 42s Details	2026-05-26 18:53:28 +07:00
Kain344	7bcd8b43d9	UPDATE: Add '-no-sys' flag to skip certificate installation and system proxy setup; update README with usage examples; increment release version to 1.2-02 Build and Release / release (push) Successful in 43s Details	2026-05-26 14:27:36 +07:00
Kain344	77d5a09021	UPDATE: Consolidate release upload steps for Windows and macOS in build workflow Build and Release / release (push) Successful in 41s Details	2026-05-24 10:25:05 +07:00