Overview
Routers automatically check for updates by polling a signed news feed distributed through the I2P network. When a newer version is advertised, the router downloads a cryptographically signed update archive (.su3) and stages it for installation.
This system ensures authenticated, tamper-resistant, and multi-channel distribution of official releases.
As of I2P 2.10.0, the update system uses:
- RSA-4096 / SHA-512 signatures
- SU3 container format (replacing legacy SUD/SU2)
- Redundant mirrors: in-network HTTP, clearnet HTTPS, and BitTorrent
1. News Feed
Routers poll the signed Atom feed every few hours to discover new versions and security advisories.
The feed is signed and distributed as a .su3 file, which may include:
<i2p:version>— new version number<i2p:minVersion>— minimum supported router version<i2p:minJavaVersion>— required minimum Java runtime<i2p:update>— lists multiple download mirrors (I2P, HTTPS, torrent)<i2p:revocations>— certificate revocation data<i2p:blocklist>— network-level blocklists for compromised peers
Feed Distribution
| Channel | Description | Usage |
|---|---|---|
| I2P HTTP (eepsite) | Primary update source | Private, resilient |
| Clearnet HTTPS | Fallback mirror | Public fallback |
| BitTorrent magnet | Distributed channel | Reduces mirror load |
Routers prefer the I2P feed but can fall back to clearnet or torrent distribution if necessary.
2. File Formats
SU3 (Current Standard)
Introduced in 0.9.9, SU3 replaced the legacy SUD and SU2 formats.
Each file contains a header, payload, and trailing signature.
Header Structure
| Field | Description |
|---|---|
| Magic | "I2Psu3" |
| Format Version | 0 |
| Signature Type | e.g., 0x000B (RSA-SHA512-4096) |
| Signature Length | 512 bytes |
| Version String | Router version |
| Signer ID | Certificate name |
| Content Type | 1 = router update, 3 = reseed, 4 = news feed |
Signature Verification Steps
- Parse header and identify signature algorithm.
- Verify hash and signature using stored signer certificate.
- Confirm signer not revoked.
- Compare embedded version string with payload metadata.
Routers ship with trusted signer certificates (currently zzz and str4d) and reject any unsigned or revoked sources.
SU2 (Obsolete)
- Used
.su2extension with Pack200-compressed JARs. - Removed after Java 14 deprecated Pack200 (JEP 367).
- Disabled in I2P 0.9.48+; now fully replaced by ZIP compression.
SUD (Legacy)
- Early DSA-SHA1-signed ZIP format (pre-0.9.9).
- No signer ID or header, limited integrity.
- Superseded due to weak cryptography and lack of version enforcement.
3. Update Workflow
3.1 Header Verification
Routers fetch only the SU3 header to verify the version string before downloading full files.
This prevents wasting bandwidth on stale mirrors or outdated versions.
3.2 Full Download
After verifying the header, the router downloads the complete .su3 file from:
- In-network eepsite mirrors (preferred)
- HTTPS clearnet mirrors (fallback)
- BitTorrent (optional peer-assisted distribution)
Downloads use standard I2PTunnel HTTP clients, with retries, timeout handling, and mirror fallback.
3.3 Signature Verification
Each downloaded file undergoes:
- Signature check: RSA-4096/SHA512 verification
- Version matching: Header vs. payload version check
- Downgrade prevention: Ensures update is newer than installed version
Invalid or mismatched files are discarded immediately.
3.4 Installation Staging
Once verified:
- Extract ZIP contents to temporary directory
- Remove files listed in
deletelist.txt - Replace native libraries if
lib/jbigi.jaris included - Copy signer certificates to
~/.i2p/certificates/ - Move update to
i2pupdate.zipfor application on next restart
The update installs automatically on next startup or when “Install update now” is triggered manually.
4. File Management
deletelist.txt
A plaintext list of obsolete files to remove before unpacking new contents.
Rules:
- One path per line (relative paths only)
- Lines starting with
#ignored ..and absolute paths rejected
Native Libraries
To prevent stale or mismatched native binaries:
- If
lib/jbigi.jarexists, old.soor.dllfiles are deleted - Ensures platform-specific libraries are freshly extracted
5. Certificate Management
Routers can receive new signer certificates through updates or news feed revocations.
- New
.crtfiles are copied to the certificate directory. - Revoked certificates are deleted before future verifications.
- Supports key rotation without requiring manual user intervention.
All updates are signed offline using air-gapped signing systems.
Private keys are never stored on build servers.
6. Developer Guidelines
| Topic | Details |
|---|---|
| Signing | Use RSA-4096 (SHA-512) via apps/jetty/news SU3 tooling. |
| Mirror Policy | I2P eepsite preferred, clearnet HTTPS fallback, torrent optional. |
| Testing | Validate updates from prior releases, across all OS platforms. |
| Version Enforcement | minVersion prevents incompatible upgrades. |
| Certificate Rotation | Distribute new certs in updates and revocation lists. |
Future releases will explore post-quantum signature integration (see Proposal 169) and reproducible builds.
7. Security Overview
| Threat | Mitigation |
|---|---|
| Tampering | Cryptographic signature (RSA-4096/SHA512) |
| Key Compromise | Feed-based certificate revocation |
| Downgrade Attack | Version comparison enforcement |
| Mirror Hijack | Signature verification, multiple mirrors |
| DoS | Fallback to alternate mirrors/torrents |
| MITM | HTTPS transport + signature-level integrity |
8. Versioning
- Router: 2.10.0 (API 0.9.67)
- Semantic versioning with
Major.Minor.Patch. - Minimum version enforcement prevents unsafe upgrades.
- Supported Java: Java 8–17. Future 2.11.0+ will require Java 17+.