Bump version

.fpm

@@ -0,0 +1,19 @@
+-s dir
+--name sing-box
+--category net
+--license GPLv3-or-later
+--description "The universal proxy platform."
+--url "https://sing-box.sagernet.org/"
+--maintainer "nekohasekai <contact-git@sekai.icu>"
+--deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
+
+release/config/config.json=/etc/sing-box/config.json
+
+release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
+release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
+
+release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
+release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
+release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
+
+LICENSE=/usr/share/licenses/sing-box/LICENSE

.github/workflows/build.yml

@@ -55,7 +55,7 @@ jobs:
       - name: Calculate version
         if: github.event_name != 'workflow_dispatch'
         run: |-
-          go run -v ./cmd/internal/read_tag --nightly
+          go run -v ./cmd/internal/read_tag --ci --nightly
       - name: Set outputs
         id: outputs
         run: |-
@@ -68,142 +68,174 @@ jobs:
       - calculate_version
     strategy:
       matrix:
+        os: [ linux, windows, darwin, android ]
+        arch: [ "386", amd64, arm64 ]
+        legacy_go: [ false ]
         include:
-          - name: linux_386
+          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
-            goos: linux
+          - { os: linux, arch: "386", debian: i386, rpm: i386 }
-            goarch: 386
+          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
-          - name: linux_amd64
+          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
-            goos: linux
+          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
-            goarch: amd64
+          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
-          - name: linux_arm64
+          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
-            goos: linux
+          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
-            goarch: arm64
+          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - name: linux_arm
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
-            goos: linux
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
-            goarch: arm
+
-            goarm: 6
+          - { os: windows, arch: "386", legacy_go: true }
-          - name: linux_arm_v7
+          - { os: windows, arch: amd64, legacy_go: true }
-            goos: linux
+          - { os: darwin, arch: amd64, legacy_go: true }
-            goarch: arm
+
-            goarm: 7
+          - { os: android, arch: "386", ndk: "i686-linux-android21" }
-          - name: linux_s390x
+          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
-            goos: linux
+          - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
-            goarch: s390x
+          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
-          - name: linux_riscv64
+        exclude:
-            goos: linux
+          - { os: darwin, arch: "386" }
-            goarch: riscv64
-          - name: linux_mips64le
-            goos: linux
-            goarch: mips64le
-          - name: windows_amd64
-            goos: windows
-            goarch: amd64
-            require_legacy_go: true
-          - name: windows_386
-            goos: windows
-            goarch: 386
-            require_legacy_go: true
-          - name: windows_arm64
-            goos: windows
-            goarch: arm64
-          - name: darwin_arm64
-            goos: darwin
-            goarch: arm64
-          - name: darwin_amd64
-            goos: darwin
-            goarch: amd64
-            require_legacy_go: true
-          - name: android_arm64
-            goos: android
-            goarch: arm64
-          - name: android_arm
-            goos: android
-            goarch: arm
-            goarm: 7
-          - name: android_amd64
-            goos: android
-            goarch: amd64
-          - name: android_386
-            goos: android
-            goarch: 386
     steps:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
+        if: matrix.legacy_go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.20
+      - name: Setup Go
+        if: ${{ ! matrix.legacy_go }}
         uses: actions/setup-go@v5
         with:
           go-version: ^1.24
-      - name: Cache legacy Go
-        if: matrix.require_legacy_go
-        id: cache-legacy-go
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/go1.20.14
-          key: go120
-      - name: Setup legacy Go
-        if: matrix.require_legacy_go && steps.cache-legacy-go.outputs.cache-hit != 'true'
-        run: |-
-          wget https://dl.google.com/go/go1.20.14.linux-amd64.tar.gz
-          tar -xzf go1.20.14.linux-amd64.tar.gz
-          mv go $HOME/go/go1.20.14
       - name: Setup Android NDK
-        if: matrix.goos == 'android'
+        if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1
         with:
           ndk-version: r28
           local-cache: true
-      - name: Setup Goreleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          distribution: goreleaser-pro
-          version: nightly
-          install-only: true
-      - name: Extract signing key
-        run: |-
-          mkdir -p $HOME/.gnupg
-          cat > $HOME/.gnupg/sagernet.key <<EOF
-          ${{ secrets.GPG_KEY }}
-          EOF
-          echo "HOME=$HOME" >> "$GITHUB_ENV"
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
           git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Set build tags
+        run: |
+          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api'
+          if [ ! '${{ matrix.legacy_go }}' = 'true' ]; then
+            TAGS="${TAGS},with_ech"
+          fi
+          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
       - name: Build
-        if: matrix.goos != 'android'
+        if: matrix.os != 'android'
-        run: |-
+        run: |
-          goreleaser release --clean --split
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
+          ./cmd/sing-box
         env:
-          GOOS: ${{ matrix.goos }}
+          CGO_ENABLED: "0"
-          GOARCH: ${{ matrix.goarch }}
+          GOOS: ${{ matrix.os }}
-          GOPATH: ${{ env.HOME }}/go
+          GOARCH: ${{ matrix.arch }}
           GOARM: ${{ matrix.goarm }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
-          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
       - name: Build Android
-        if: matrix.goos == 'android'
+        if: matrix.os == 'android'
-        run: |-
+        run: |
+          set -xeuo pipefail
           go install -v ./cmd/internal/build
-          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build goreleaser release --clean --split
+          export CC='${{ matrix.ndk }}-clang'
+          export CXX="${CC}++"
+          mkdir -p dist
+          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
+          ./cmd/sing-box
         env:
-          BUILD_GOOS: ${{ matrix.goos }}
+          CGO_ENABLED: "1"
-          BUILD_GOARCH: ${{ matrix.goarch }}
+          BUILD_GOOS: ${{ matrix.os }}
-          GOARM: ${{ matrix.goarm }}
+          BUILD_GOARCH: ${{ matrix.arch }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - name: Set name
-          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+        run: |-
-          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          ARM_VERSION=$([ -n '${{ matrix.goarm}}' ] && echo 'v${{ matrix.goarm}}' || true)
+          LEGACY=$([ '${{ matrix.legacy_go }}' = 'true' ] && echo "-legacy" || true)
+          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-${{ matrix.os }}-${{ matrix.arch }}${ARM_VERSION}${LEGACY}"
+          PKG_NAME="sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.arch }}${ARM_VERSION}"
+          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
+          echo "PKG_NAME=${PKG_NAME}" >> "${GITHUB_ENV}"
+          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
+          PKG_VERSION="${PKG_VERSION//-/\~}"
+          echo "PKG_VERSION=${PKG_VERSION}" >> "${GITHUB_ENV}"
+      - name: Package DEB
+        if: matrix.debian != ''
+        run: |
+          set -xeuo pipefail
+          sudo gem install fpm
+          sudo apt-get install -y debsigs
+          fpm -t deb \
+            -v "$PKG_VERSION" \
+            -p "dist/${PKG_NAME}.deb" \
+            --architecture ${{ matrix.debian }} \
+            dist/sing-box=/usr/bin/sing-box
+          curl -Lo '/tmp/debsigs.diff' 'https://gitlab.com/debsigs/debsigs/-/commit/160138f5de1ec110376d3c807b60a37388bc7c90.diff'
+          sudo patch /usr/bin/debsigs < '/tmp/debsigs.diff'
+          rm -rf $HOME/.gnupg
+          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
+          ${{ secrets.GPG_KEY }}
+          EOF
+          debsigs --sign=origin -k ${{ secrets.GPG_KEY_ID }} --gpgopts '--pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}"' dist/*.deb
+      - name: Package RPM
+        if: matrix.rpm != ''
+        run: |-
+          set -xeuo pipefail
+          sudo gem install fpm
+          fpm -t rpm \
+            -v "$PKG_VERSION" \
+            -p "dist/${PKG_NAME}.rpm" \
+            --architecture ${{ matrix.rpm }} \
+            dist/sing-box=/usr/bin/sing-box
+          cat > $HOME/.rpmmacros <<EOF
+          %_gpg_name ${{ secrets.GPG_KEY_ID }}
+          %_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase ${{ secrets.GPG_PASSPHRASE }}
+          EOF
+          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
+          ${{ secrets.GPG_KEY }}
+          EOF
+          rpmsign --addsign dist/*.rpm
+      - name: Package Pacman
+        if: matrix.pacman != ''
+        run: |-
+          set -xeuo pipefail
+          sudo gem install fpm
+          sudo apt-get install -y libarchive-tools
+          fpm -t pacman \
+            -v "$PKG_VERSION" \
+            -p "dist/${PKG_NAME}.pkg.tar.zst" \
+            --architecture ${{ matrix.pacman }} \
+            dist/sing-box=/usr/bin/sing-box
+      - name: Archive
+        run: |
+          set -xeuo pipefail
+          cd dist
+          mkdir -p "${DIR_NAME}"
+          cp ../LICENSE "${DIR_NAME}"
+          if [ '${{ matrix.os }}' = 'windows' ]; then
+            cp sing-box "${DIR_NAME}/sing-box.exe"
+            zip -r "${DIR_NAME}.zip" "${DIR_NAME}"
+          else
+            cp sing-box "${DIR_NAME}"
+            tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
+          fi
+          rm -r "${DIR_NAME}"
+      - name: Cleanup
+        run: rm dist/sing-box
       - name: Upload artifact
-        if: github.event_name == 'workflow_dispatch'
         uses: actions/upload-artifact@v4
         with:
-          name: binary-${{ matrix.name }}
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.legacy_go && '-legacy' || '' }}
-          path: 'dist'
+          path: "dist"
   build_android:
     name: Build Android
     if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
@@ -275,13 +307,11 @@ jobs:
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
           LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
       - name: Prepare upload
-        if: github.event_name == 'workflow_dispatch'
         run: |-
-          mkdir -p dist/release
+          mkdir -p dist
-          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
+          cp clients/android/app/build/outputs/apk/play/release/*.apk dist
-          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist/release
+          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist
       - name: Upload artifact
-        if: github.event_name == 'workflow_dispatch'
         uses: actions/upload-artifact@v4
         with:
           name: binary-android-apks
@@ -528,9 +558,9 @@ jobs:
           zip -r SFM.dSYMs.zip dSYMs
           popd
 
-          mkdir -p dist/release
+          mkdir -p dist
-          cp clients/apple/SFM.dmg "dist/release/SFM-${VERSION}-universal.dmg"
+          cp clients/apple/SFM.dmg "dist/SFM-${VERSION}-universal.dmg"
-          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/release/SFM-${VERSION}-universal.dSYMs.zip"
+          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/SFM-${VERSION}-universal.dSYMs.zip"
       - name: Upload image
         if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
         uses: actions/upload-artifact@v4
@@ -551,12 +581,6 @@ jobs:
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
-      - name: Setup Goreleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          distribution: goreleaser-pro
-          version: 2.5.1
-          install-only: true
       - name: Cache ghr
         uses: actions/cache@v4
         id: cache-ghr
@@ -581,26 +605,17 @@ jobs:
         with:
           path: dist
           merge-multiple: true
-      - name: Merge builds
-        if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
-        run: |-
-          goreleaser continue --merge --skip publish
-          mkdir -p dist/release
-          mv dist/*/sing-box*{tar.gz,zip,deb,rpm,_amd64.pkg.tar.zst,_arm64.pkg.tar.zst} dist/release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
       - name: Upload builds
         if: ${{ env.PUBLISHED == 'false' }}
         run: |-
           export PATH="$PATH:$HOME/go/bin"
-          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
+          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Replace builds
         if: ${{ env.PUBLISHED != 'false' }}
         run: |-
           export PATH="$PATH:$HOME/go/bin"
-          ghr --replace -p 5 "v${VERSION}" dist/release
+          ghr --replace -p 5 "v${VERSION}" dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/lint.yml

@@ -35,3 +35,4 @@ jobs:
           version: latest
           args: --timeout=30m
           install-mode: binary
+          verify: false

.github/workflows/linux.yml

@@ -1,13 +1,22 @@
-name: Release to Linux repository
+name: Build Linux Packages
 
 on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version name"
+        required: true
+        type: string
   release:
     types:
       - published
 
 jobs:
-  build:
+  calculate_version:
+    name: Calculate version
     runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -17,22 +26,160 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ^1.24
-      - name: Extract signing key
+      - name: Check input version
+        if: github.event_name == 'workflow_dispatch'
         run: |-
-          mkdir -p $HOME/.gnupg
+          echo "version=${{ inputs.version }}"
-          cat > $HOME/.gnupg/sagernet.key <<EOF
+          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
+      - name: Calculate version
+        if: github.event_name != 'workflow_dispatch'
+        run: |-
+          go run -v ./cmd/internal/read_tag --ci --nightly
+      - name: Set outputs
+        id: outputs
+        run: |-
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+  build:
+    name: Build binary
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
+          - { os: linux, arch: "386", debian: i386, rpm: i386 }
+          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
+          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
+          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
+          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
+          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
+          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.24
+      - name: Setup Android NDK
+        if: matrix.os == 'android'
+        uses: nttld/setup-ndk@v1
+        with:
+          ndk-version: r28
+          local-cache: true
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Set build tags
+        run: |
+          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api'
+          if [ ! '${{ matrix.legacy_go }}' = 'true' ]; then
+            TAGS="${TAGS},with_ech"
+          fi
+          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Build
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: ${{ matrix.os }}
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set mtime
+        run: |-
+          TZ=UTC touch -t '197001010000' dist/sing-box
+      - name: Set name
+        if: ${{ ! contains(needs.calculate_version.outputs.version, '-') }}
+        run: |-
+          echo "NAME=sing-box" >> "$GITHUB_ENV"
+      - name: Set beta name
+        if: contains(needs.calculate_version.outputs.version, '-')
+        run: |-
+          echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
+      - name: Set version
+        run: |-
+          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
+          PKG_VERSION="${PKG_VERSION//-/\~}"
+          echo "PKG_VERSION=${PKG_VERSION}" >> "${GITHUB_ENV}"
+      - name: Package DEB
+        if: matrix.debian != ''
+        run: |
+          set -xeuo pipefail
+          sudo gem install fpm
+          sudo apt-get install -y debsigs
+          fpm -t deb \
+            --name "${NAME}" \
+            -v "$PKG_VERSION" \
+            -p "dist/${NAME}_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.debian }}.deb" \
+            --architecture ${{ matrix.debian }} \
+            dist/sing-box=/usr/bin/sing-box
+          curl -Lo '/tmp/debsigs.diff' 'https://gitlab.com/debsigs/debsigs/-/commit/160138f5de1ec110376d3c807b60a37388bc7c90.diff'
+          sudo patch /usr/bin/debsigs < '/tmp/debsigs.diff'
+          rm -rf $HOME/.gnupg
+          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
           ${{ secrets.GPG_KEY }}
           EOF
-          echo "HOME=$HOME" >> "$GITHUB_ENV"
+          debsigs --sign=origin -k ${{ secrets.GPG_KEY_ID }} --gpgopts '--pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}"' dist/*.deb
-      - name: Publish release
+      - name: Package RPM
-        uses: goreleaser/goreleaser-action@v6
+        if: matrix.rpm != ''
+        run: |-
+          set -xeuo pipefail
+          sudo gem install fpm
+          fpm -t rpm \
+            --name "${NAME}" \
+            -v "$PKG_VERSION" \
+            -p "dist/${NAME}_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.rpm }}.rpm" \
+            --architecture ${{ matrix.rpm }} \
+            dist/sing-box=/usr/bin/sing-box
+          cat > $HOME/.rpmmacros <<EOF
+          %_gpg_name ${{ secrets.GPG_KEY_ID }}
+          %_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase ${{ secrets.GPG_PASSPHRASE }}
+          EOF
+          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
+          ${{ secrets.GPG_KEY }}
+          EOF
+          rpmsign --addsign dist/*.rpm
+      - name: Cleanup
+        run: rm dist/sing-box
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
         with:
-          distribution: goreleaser-pro
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.legacy_go && '-legacy' || '' }}
-          version: latest
+          path: "dist"
-          args: release -f .goreleaser.fury.yaml --clean
+  upload:
-        env:
+    name: Upload builds
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    runs-on: ubuntu-latest
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+    needs:
-          FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
+      - calculate_version
-          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+      - build
-          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
+      - name: Download builds
+        uses: actions/download-artifact@v4
+        with:
+          path: dist
+          merge-multiple: true
+      - name: Publish packages
+        run: |-
+          ls dist | xargs -I {} curl -F "package=@dist/{}" https://${{ secrets.FURY_TOKEN }}@push.fury.io/sagernet/

adapter/inbound.go

@@ -57,6 +57,7 @@ type InboundContext struct {
 	Domain           string
 	Client           string
 	SniffContext     any
+	PacketSniffError error
 
 	// cache
 

clients/android

@@ -1 +1 @@
-Subproject commit aefe3c029096ddac5189a20a8203a68858152f0a
+Subproject commit 5659088bb3fe18b7095e4b9f868c181e27739617

cmd/internal/read_tag/main.go

@@ -5,40 +5,52 @@ import (
 	"os"
 
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/common/badversion"
 	"github.com/sagernet/sing-box/log"
 )
 
-var nightly bool
+var (
+	flagRunInCI    bool
+	flagRunNightly bool
+)
 
 func init() {
-	flag.BoolVar(&nightly, "nightly", false, "Print nightly tag")
+	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
+	flag.BoolVar(&flagRunNightly, "nightly", false, "Run nightly")
 }
 
 func main() {
 	flag.Parse()
-	if nightly {
+	var (
-		version, err := build_shared.ReadTagVersionRev()
+		versionStr string
+		err        error
+	)
+	if flagRunNightly {
+		var version badversion.Version
+		version, err = build_shared.ReadTagVersionRev()
+		if err == nil {
+			if version.PreReleaseIdentifier == "" {
+				version.Patch++
+			}
+			versionStr = version.String()
+		}
+	} else {
+		versionStr, err = build_shared.ReadTag()
+	}
+	if flagRunInCI {
 		if err != nil {
 			log.Fatal(err)
 		}
-		var versionStr string
-		if version.PreReleaseIdentifier != "" {
-			versionStr = version.VersionString() + "-nightly"
-		} else {
-			version.Patch++
-			versionStr = version.VersionString() + "-nightly"
-		}
 		err = setGitHubEnv("version", versionStr)
 		if err != nil {
 			log.Fatal(err)
 		}
 	} else {
-		tag, err := build_shared.ReadTag()
 		if err != nil {
 			log.Error(err)
 			os.Stdout.WriteString("unknown\n")
 		} else {
-			os.Stdout.WriteString(tag + "\n")
+			os.Stdout.WriteString(versionStr + "\n")
 		}
 	}
 }

common/sniff/sniff.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -34,7 +35,7 @@ func Skip(metadata *adapter.InboundContext) bool {
 	return false
 }
 
-func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
+func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffers []*buf.Buffer, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
@@ -55,7 +56,10 @@ func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.
 		}
 		errors = nil
 		for _, sniffer := range sniffers {
-			err = sniffer(ctx, metadata, bytes.NewReader(buffer.Bytes()))
+			reader := io.MultiReader(common.Map(append(buffers, buffer), func(it *buf.Buffer) io.Reader {
+				return bytes.NewReader(it.Bytes())
+			})...)
+			err = sniffer(ctx, metadata, reader)
 			if err == nil {
 				return nil
 			}

docs/changelog.md

@@ -2,6 +2,12 @@
 icon: material/alert-decagram
 ---
 
+### 1.11.6
+
+* Fixes and improvements
+
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
+
 ### 1.11.5
 
 * Fixes and improvements

go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20241123041152-536d05261cff
 	github.com/sagernet/quic-go v0.49.0-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.6.3
+	github.com/sagernet/sing v0.6.5
 	github.com/sagernet/sing-dns v0.4.0
 	github.com/sagernet/sing-mux v0.3.1
 	github.com/sagernet/sing-quic v0.4.0

go.sum

@@ -119,8 +119,8 @@ github.com/sagernet/quic-go v0.49.0-beta.1/go.mod h1:uesWD1Ihrldq1M3XtjuEvIUqi8W
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.3 h1:J1spMc6LMlqUvRjWjvNMAcbvACDneqxB9zxfLuS0UTE=
+github.com/sagernet/sing v0.6.5 h1:TBKTK6Ms0/MNTZm+cTC2hhKunE42XrNIdsxcYtWqeUU=
-github.com/sagernet/sing v0.6.3/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.5/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-dns v0.4.0 h1:+mNoOuR3nljjouCH+qMg4zHI1+R9T2ReblGFkZPEndc=
 github.com/sagernet/sing-dns v0.4.0/go.mod h1:dweQs54ng2YGzoJfz+F9dGuDNdP5pJ3PLeggnK5VWc8=
 github.com/sagernet/sing-mux v0.3.1 h1:kvCc8HyGAskDHDQ0yQvoTi/7J4cZPB/VJMsAM3MmdQI=

log/id.go

@@ -20,12 +20,16 @@ type ID struct {
 }
 
 func ContextWithNewID(ctx context.Context) context.Context {
-	return context.WithValue(ctx, (*idKey)(nil), ID{
+	return ContextWithID(ctx, ID{
 		ID:        rand.Uint32(),
 		CreatedAt: time.Now(),
 	})
 }
 
+func ContextWithID(ctx context.Context, id ID) context.Context {
+	return context.WithValue(ctx, (*idKey)(nil), id)
+}
+
 func IDFromContext(ctx context.Context) (ID, bool) {
 	id, loaded := ctx.Value((*idKey)(nil)).(ID)
 	return id, loaded

route/conn.go

@@ -2,9 +2,11 @@ package route
 
 import (
 	"context"
+	"errors"
 	"io"
 	"net"
 	"net/netip"
+	"os"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -13,6 +15,7 @@ import (
 	"github.com/sagernet/sing-box/common/dialer"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/canceler"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -190,14 +193,16 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 	go m.packetConnectionCopy(ctx, destination, conn, true, &done, onClose)
 }
 
-func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader, destination io.Writer, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
+func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn, destination net.Conn, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
-	originSource := source
+	var (
-	originDestination := destination
+		sourceReader      io.Reader = source
+		destinationWriter io.Writer = destination
+	)
 	var readCounters, writeCounters []N.CountFunc
 	for {
-		source, readCounters = N.UnwrapCountReader(source, readCounters)
+		sourceReader, readCounters = N.UnwrapCountReader(sourceReader, readCounters)
-		destination, writeCounters = N.UnwrapCountWriter(destination, writeCounters)
+		destinationWriter, writeCounters = N.UnwrapCountWriter(destinationWriter, writeCounters)
-		if cachedSrc, isCached := source.(N.CachedReader); isCached {
+		if cachedSrc, isCached := sourceReader.(N.CachedReader); isCached {
 			cachedBuffer := cachedSrc.ReadCached()
 			if cachedBuffer != nil {
 				dataLen := cachedBuffer.Len()
@@ -207,7 +212,7 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 					if done.Swap(true) {
 						onClose(err)
 					}
-					common.Close(originSource, originDestination)
+					common.Close(source, destination)
 					if !direction {
 						m.logger.ErrorContext(ctx, "connection upload payload: ", err)
 					} else {
@@ -226,9 +231,13 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 		}
 		break
 	}
-	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](destination); isEarlyConn && earlyConn.NeedHandshake() {
+	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](destinationWriter); isEarlyConn && earlyConn.NeedHandshake() {
-		_, err := destination.Write(nil)
+		err := m.connectionCopyEarly(source, destination)
 		if err != nil {
+			if done.Swap(true) {
+				onClose(err)
+			}
+			common.Close(source, destination)
 			if !direction {
 				m.logger.ErrorContext(ctx, "connection upload handshake: ", err)
 			} else {
@@ -237,20 +246,20 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 			return
 		}
 	}
-	_, err := bufio.CopyWithCounters(destination, source, originSource, readCounters, writeCounters)
+	_, err := bufio.CopyWithCounters(destination, sourceReader, source, readCounters, writeCounters)
 	if err != nil {
-		common.Close(originDestination)
+		common.Close(source, destination)
 	} else if duplexDst, isDuplex := destination.(N.WriteCloser); isDuplex {
 		err = duplexDst.CloseWrite()
 		if err != nil {
-			common.Close(originSource, originDestination)
+			common.Close(source, destination)
 		}
 	} else {
-		common.Close(originDestination)
+		destination.Close()
 	}
 	if done.Swap(true) {
 		onClose(err)
-		common.Close(originSource, originDestination)
+		common.Close(source, destination)
 	}
 	if !direction {
 		if err == nil {
@@ -271,6 +280,28 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 	}
 }
 
+func (m *ConnectionManager) connectionCopyEarly(source net.Conn, destination io.Writer) error {
+	payload := buf.NewPacket()
+	defer payload.Release()
+	err := source.SetReadDeadline(time.Now().Add(C.ReadPayloadTimeout))
+	if err != nil {
+		if err == os.ErrInvalid {
+			return common.Error(destination.Write(nil))
+		}
+		return err
+	}
+	_, err = payload.ReadOnceFrom(source)
+	if err != nil && !(E.IsTimeout(err) || errors.Is(err, io.EOF)) {
+		return E.Cause(err, "read payload")
+	}
+	_ = source.SetReadDeadline(time.Time{})
+	_, err = destination.Write(payload.Bytes())
+	if err != nil {
+		return E.Cause(err, "write payload")
+	}
+	return nil
+}
+
 func (m *ConnectionManager) packetConnectionCopy(ctx context.Context, source N.PacketReader, destination N.PacketWriter, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
 	_, err := bufio.CopyPacket(destination, source)
 	if !direction {

route/route.go

@@ -358,7 +358,7 @@ func (r *Router) matchRule(
 			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{
 				OverrideDestination: metadata.InboundOptions.SniffOverrideDestination,
 				Timeout:             time.Duration(metadata.InboundOptions.SniffTimeout),
-			}, inputConn, inputPacketConn)
+			}, inputConn, inputPacketConn, nil)
 			if newErr != nil {
 				fatalErr = newErr
 				return
@@ -458,7 +458,7 @@ match:
 		switch action := currentRule.Action().(type) {
 		case *rule.RuleActionSniff:
 			if !preMatch {
-				newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, action, inputConn, inputPacketConn)
+				newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, action, inputConn, inputPacketConn, buffers)
 				if newErr != nil {
 					fatalErr = newErr
 					return
@@ -489,28 +489,21 @@ match:
 			break match
 		}
 	}
-	if !preMatch && inputPacketConn != nil && (metadata.InboundType == C.TypeSOCKS || metadata.InboundType == C.TypeMixed) && !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() {
-		newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{Timeout: C.TCPTimeout}, inputConn, inputPacketConn)
-		if newErr != nil {
-			fatalErr = newErr
-			return
-		}
-		if newBuffer != nil {
-			buffers = append(buffers, newBuffer)
-		} else if len(newPacketBuffers) > 0 {
-			packetBuffers = append(packetBuffers, newPacketBuffers...)
-		}
-	}
 	return
 }
 
 func (r *Router) actionSniff(
 	ctx context.Context, metadata *adapter.InboundContext, action *rule.RuleActionSniff,
-	inputConn net.Conn, inputPacketConn N.PacketConn,
+	inputConn net.Conn, inputPacketConn N.PacketConn, inputBuffers []*buf.Buffer,
 ) (buffer *buf.Buffer, packetBuffers []*N.PacketBuffer, fatalErr error) {
 	if sniff.Skip(metadata) {
+		r.logger.DebugContext(ctx, "sniff skipped due to port considered as server-first")
 		return
-	} else if inputConn != nil {
+	} else if metadata.Protocol != "" {
+		r.logger.DebugContext(ctx, "duplicate sniff skipped")
+		return
+	}
+	if inputConn != nil {
 		sniffBuffer := buf.NewPacket()
 		var streamSniffers []sniff.StreamSniffer
 		if len(action.StreamSniffers) > 0 {
@@ -529,6 +522,7 @@ func (r *Router) actionSniff(
 			ctx,
 			metadata,
 			inputConn,
+			inputBuffers,
 			sniffBuffer,
 			action.Timeout,
 			streamSniffers...,
@@ -555,6 +549,10 @@ func (r *Router) actionSniff(
 			sniffBuffer.Release()
 		}
 	} else if inputPacketConn != nil {
+		if metadata.PacketSniffError != nil && !errors.Is(metadata.PacketSniffError, sniff.ErrClientHelloFragmented) {
+			r.logger.DebugContext(ctx, "packet sniff skipped due to previous error: ", metadata.PacketSniffError)
+			return
+		}
 		for {
 			var (
 				sniffBuffer = buf.NewPacket()
@@ -586,10 +584,7 @@ func (r *Router) actionSniff(
 					return
 				}
 			} else {
-				if (metadata.InboundType == C.TypeSOCKS || metadata.InboundType == C.TypeMixed) && !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() && !metadata.RouteOriginalDestination.IsValid() {
+				if len(packetBuffers) > 0 || metadata.PacketSniffError != nil {
-					metadata.Destination = destination
-				}
-				if len(packetBuffers) > 0 {
 					err = sniff.PeekPacket(
 						ctx,
 						metadata,
@@ -622,7 +617,8 @@ func (r *Router) actionSniff(
 					Destination: destination,
 				}
 				packetBuffers = append(packetBuffers, packetBuffer)
-				if E.IsMulti(err, sniff.ErrClientHelloFragmented) {
+				metadata.PacketSniffError = err
+				if errors.Is(err, sniff.ErrClientHelloFragmented) {
 					r.logger.DebugContext(ctx, "attempt to sniff fragmented QUIC client hello")
 					continue
 				}

transport/v2rayhttp/conn.go

@@ -2,6 +2,7 @@ package v2rayhttp
 
 import (
 	std_bufio "bufio"
+	"context"
 	"io"
 	"net"
 	"net/http"
@@ -10,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/baderror"
 	"github.com/sagernet/sing/common/buf"
@@ -255,3 +257,11 @@ func (w *HTTP2ConnWrapper) Close() error {
 func (w *HTTP2ConnWrapper) Upstream() any {
 	return w.ExtendedConn
 }
+
+func DupContext(ctx context.Context) context.Context {
+	id, loaded := log.IDFromContext(ctx)
+	if !loaded {
+		return context.Background()
+	}
+	return log.ContextWithID(context.Background(), id)
+}

transport/v2rayhttp/server.go

@@ -132,7 +132,7 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 		if requestBody != nil {
 			conn = bufio.NewCachedConn(conn, requestBody)
 		}
-		s.handler.NewConnectionEx(request.Context(), conn, source, M.Socksaddr{}, nil)
+		s.handler.NewConnectionEx(DupContext(request.Context()), conn, source, M.Socksaddr{}, nil)
 	} else {
 		writer.WriteHeader(http.StatusOK)
 		done := make(chan struct{})

transport/v2rayhttpupgrade/server.go

@@ -12,6 +12,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/v2rayhttp"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
@@ -37,6 +38,7 @@ type Server struct {
 func NewServer(ctx context.Context, logger logger.ContextLogger, options option.V2RayHTTPUpgradeOptions, tlsConfig tls.ServerConfig, handler adapter.V2RayServerTransportHandler) (*Server, error) {
 	server := &Server{
 		ctx:       ctx,
+		logger:    logger,
 		tlsConfig: tlsConfig,
 		handler:   handler,
 		host:      options.Host,
@@ -110,7 +112,7 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 		s.invalidRequest(writer, request, http.StatusInternalServerError, E.Cause(err, "hijack failed"))
 		return
 	}
-	s.handler.NewConnectionEx(request.Context(), conn, sHttp.SourceAddress(request), M.Socksaddr{}, nil)
+	s.handler.NewConnectionEx(v2rayhttp.DupContext(request.Context()), conn, sHttp.SourceAddress(request), M.Socksaddr{}, nil)
 }
 
 func (s *Server) invalidRequest(writer http.ResponseWriter, request *http.Request, statusCode int, err error) {

transport/v2raywebsocket/conn.go

@@ -74,6 +74,10 @@ func (c *WebsocketConn) Read(b []byte) (n int, err error) {
 			return
 		}
 		if header.OpCode.IsControl() {
+			if header.Length > 128 {
+				err = wsutil.ErrFrameTooLarge
+				return
+			}
 			err = c.controlHandler(header, c.reader)
 			if err != nil {
 				return

transport/v2raywebsocket/server.go

@@ -13,6 +13,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/v2rayhttp"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
@@ -114,7 +115,7 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 	if len(earlyData) > 0 {
 		conn = bufio.NewCachedConn(conn, buf.As(earlyData))
 	}
-	s.handler.NewConnectionEx(request.Context(), conn, source, M.Socksaddr{}, nil)
+	s.handler.NewConnectionEx(v2rayhttp.DupContext(request.Context()), conn, source, M.Socksaddr{}, nil)
 }
 
 func (s *Server) invalidRequest(writer http.ResponseWriter, request *http.Request, statusCode int, err error) {