Ship signed updates from CI without running a patch server.

Patchline publishes signed release manifests to S3 or any static host. Your app fetches them, verifies signatures, and applies whole-file updates atomically. That's the whole thing.

$ go install github.com/ethan-mdev/patchline/cmd/patchline@latest

~/my-game
$ patchline publish --version 1.2.0 --channel beta ./dist
scanning 847 files · 412.3 MB
uploading 23 new objects (8.1 MB) · 824 reused from storage
signing ed25519 · canonical manifest
verifying 847 objects present in backend
published 1.2.0 → channel: beta · 2.3s
$ patchline promote --version 1.2.0 --channel stable
verifying manifest signature · 847 objects present
promoted stable now points at 1.2.0 · 0.4s

What you get

A small toolkit for the boring, important parts of shipping updates.

01

Signed by default

Every release manifest is signed with Ed25519. Clients verify signatures against the literal payload bytes — unknown future fields survive verification. Unsigned publishes require an explicit --unsigned-dev flag.

02

Content-addressed storage

Files live under their SHA-256. Republishing builds that share assets is free — objects already in storage don't get re-uploaded. Garbage collection is a set difference between retained manifests and stored objects.

03

Channels, promote, rollback

Channels are independent mutable pointers at immutable release manifests. Promote and rollback rewrite a single pointer file — they never re-upload bytes. A failed publish never advances a channel to objects that aren't in storage.

04

Any static host

Local filesystem or any S3-compatible bucket — AWS S3, Cloudflare R2, DigitalOcean Spaces, MinIO. No patch server, no central API. Your release tree is just static files behind whatever host or CDN you already use.
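
The "Signed by default" rule above, as an added Go example that is not Patchline's code: the client verifies the Ed25519 signature over the payload bytes exactly as received and parses them only afterwards. The `Envelope` and `Manifest` shapes, the `Reencode` helper and the sample payload are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

type Envelope struct { // hypothetical wire shape for this example, not Patchline's format
	Payload   []byte `json:"payload"`   // manifest bytes (encoding/json carries []byte as base64)
	Signature []byte `json:"signature"` // Ed25519 signature over exactly those bytes
}
type Manifest struct { // only the fields this client version knows about
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // path -> SHA-256 hex
}

// VerifyManifest verifies the signature over the received payload bytes, then parses them.
func VerifyManifest(pub ed25519.PublicKey, raw []byte) (*Manifest, error) {
	var env Envelope
	var m Manifest
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, env.Payload, env.Signature) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	if err := json.Unmarshal(env.Payload, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// Reencode is the anti-pattern: parse and re-marshal before verifying (unknown fields are lost).
func Reencode(payload []byte) []byte {
	var m Manifest
	_ = json.Unmarshal(payload, &m)
	out, _ := json.Marshal(m)
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	// Constructed payload; "min_client" stands in for a field this client does not know.
	payload := []byte(`{"version":"1.2.0","files":{"game.bin":"ab12"},"min_client":"2.0"}`)
	raw, _ := json.Marshal(Envelope{payload, ed25519.Sign(priv, payload)})
	m, err := VerifyManifest(pub, raw)
	fmt.Println(m.Version, err, ed25519.Verify(pub, Reencode(payload), ed25519.Sign(priv, payload)))
}
```

Verifying the re-encoded bytes fails even though nothing was tampered with, which is why the signature has to cover the bytes as shipped.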

How it works

Three pieces. No central service in the middle.

patchline CLI (scans, hashes, signs, uploads) → publish → static host (S3 / R2 / Spaces or local dir) → fetch → your app (verifies, plans, applies updates)

Quickstart

Publish a signed release in two minutes.

Install the CLI, generate a signing keypair, point it at a build directory, publish. Patchline handles scanning, hashing, signing, deduping, uploading, and channel advancement.

# install
go install github.com/ethan-mdev/patchline/cmd/patchline@latest

# generate an ed25519 signing keypair
patchline keygen --private-out ./patchline.key --public-out ./patchline.pub

# publish your first release
patchline publish --app-id com.example.game --version 1.0.0 \
  --channel beta --signing-key ./patchline.key ./build

# verify and promote
patchline verify --channel beta --public-key ./patchline.pub
patchline promote --version 1.0.0 --channel stable \
  --signing-key ./patchline.key