Lifecycle

Updating the agent

The agent ships as a signed distro package. Upgrades use the same apt or dnf you already run for every other package on the host: same signature chain, same unattended cadence, same rollback story. Restorable never initiates an update; the agent never reaches out to fetch one on its own.

Interactive upgrade

On Debian / Ubuntu:

sudo apt update
sudo apt upgrade restorable

On RHEL / Rocky / AlmaLinux / Amazon Linux:

sudo dnf upgrade restorable

The package runs systemctl try-restart in its post-install script, so a running service picks up the new binary automatically after the upgrade transaction commits. A stopped service stays stopped. In-flight restore tests are not interrupted mid-session; the service restarts after the current tick completes.

Unattended upgrades

Both families have mature unattended-upgrade tooling. Enable it once and Restorable rides whichever cadence your security team already runs.

Debian / Ubuntu: unattended-upgrades

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

By default, unattended-upgrades only pulls from security origins. To include the Restorable repo, add it to /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Origins-Pattern {
    "origin=Restorable";
};

The Origin field in our Release file is Restorable, so that pattern matches every package we ship without matching anything else in /etc/apt/sources.list.d/.

RHEL family: dnf-automatic

sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

Default config at /etc/dnf/automatic.conf has apply_updates = no. Flip it to yes to actually install fetched updates:

[commands]
apply_updates = yes
upgrade_type = default

dnf-automatic.timer runs daily; the upgrade includes any new restorable in the repo.

Rolling back

The last ten versions stay in the repo so downgrades via the package manager work without special flags.

On apt:

sudo apt install restorable=<old-version>

On dnf:

sudo dnf downgrade restorable

dnf downgrade with no version argument goes back one step. Pin to an explicit version with sudo dnf install restorable-<old-version>. All historical agents remain trust-rooted against the same GPG release key; nothing on your side needs to change.

Pinning a version

When your change-management policy requires explicit approval per release, hold the package at a specific version:

sudo apt-mark hold restorable

Releases then require an explicit sudo apt-mark unhold restorable && sudo apt upgrade restorable. Same idea on dnf via dnf versionlock.

EOL and security advisories

Every release has a 12-month security-patch window. Past EOL:

  • The agent continues to run. Receipts keep being produced and remain verifiable forever.
  • The dashboard flags the agent with a red "security patch pending" banner.
  • The weekly evidence email footer includes a line noting the lag.

The agent does not refuse to start on EOL versions: breaking audit continuity to punish upgrade laziness would be worse than the CVE exposure. The warnings exist so you know when to patch.

Container installs

Container deployments pin a digest and pull a new one during the next image refresh. The dashboard's version-lag banner still reports the running image version so you know when to bump the tag in your Helm values or Compose file.

Deferred distros (manual install)

Customers on distros outside the launch matrix (Fedora, SUSE, Alpine, Arch, older enterprise Linux) install the raw binary directly. To upgrade, re-run the same sequence against the new version:

VERSION=v0.7.2
ARCH=linux-amd64
curl -fsSL "https://get.restorable.app/${VERSION}/restorable-${ARCH}"         -o restorable
curl -fsSL "https://get.restorable.app/${VERSION}/restorable-${ARCH}.minisig" -o restorable.minisig
curl -fsSL "https://get.restorable.app/pub/restorable-release.pub" -o release.pub
minisign -Vm restorable -p release.pub
sudo install -m 0755 -o root -g root restorable /usr/local/bin/restorable
sudo systemctl restart restorable

No auto-update on this path. Subscribe to the release feed so you don't miss a security patch.
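
An added example, not part of Restorable's own documentation: the sequence above wrapped in a function that verifies against a copy of release.pub kept from first install, rather than one fetched alongside the binary, and installs nothing if the download or the signature check fails. The key path /etc/restorable/release.pub and the function names are assumptions.

```shell
#!/bin/sh
# Fail-closed manual upgrade (added example).
# PINNED_KEY is a hypothetical path: a copy of release.pub that you saved
# and checked at first install, so a swapped key on the download host
# cannot vouch for a swapped binary.
PINNED_KEY="${PINNED_KEY:-/etc/restorable/release.pub}"
BASE_URL="https://get.restorable.app"

# fetch_release VERSION ARCH DIR: download binary and signature into DIR
fetch_release() {
    curl -fsSL "${BASE_URL}/$1/restorable-$2"         -o "$3/restorable" &&
    curl -fsSL "${BASE_URL}/$1/restorable-$2.minisig" -o "$3/restorable.minisig"
}

# upgrade_restorable VERSION ARCH
# Returns 0 on success, 2 setup error, 3 download failed,
# 4 signature rejected, 5 install or restart failed.
upgrade_restorable() {
    version=$1
    arch=$2
    [ -r "$PINNED_KEY" ] || { echo "pinned key missing: $PINNED_KEY" >&2; return 2; }
    work=$(mktemp -d) || return 2      # private 0700 scratch directory
    rc=0
    if ! fetch_release "$version" "$arch" "$work"; then
        echo "download failed" >&2
        rc=3
    elif ! minisign -Vm "$work/restorable" -p "$PINNED_KEY"; then
        # minisign reads $work/restorable.minisig by default
        echo "signature check failed; nothing installed" >&2
        rc=4
    else
        sudo install -m 0755 -o root -g root "$work/restorable" /usr/local/bin/restorable &&
        sudo systemctl restart restorable || rc=5
    fi
    rm -rf "$work"
    return $rc
}

# Usage: upgrade_restorable v0.7.2 linux-amd64
```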

Verifying the trust chain yourself

The GPG release key that signs the apt / rpm repos is published at get.restorable.app/pub/restorable-release.gpg (fingerprint printed inline during install and cross-posted on the trust page). To spot-check a package:

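curl -fsSL https://get.restorable.app/pub/restorable-release.gpg -o release.gpg
# Compare the key's fingerprint with the one on the trust page, then import it
# so dpkg-sig has a key to verify against
gpg --import release.gpg
apt-get download restorable
dpkg-sig --verify restorable_*.deb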

On RPM:

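sudo rpm --import https://get.restorable.app/pub/restorable-release.gpg
# Fetch the package without installing it (dnf download comes from dnf-plugins-core)
dnf download restorable
rpm -K restorable-*.rpm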

Either command must print OK (signatures verified) before you install the file. The repo's Release.gpg / repomd.xml.asc carries the same signature and is checked by apt / dnf on every apt update / dnf makecache.