Fix `get_latest_versions_file`

`latest.json` is not published under api.mullvad.net.

2 files changed, 22 insertions, 16 deletions

diff --git a/mullvad-update/src/client/api.rs b/mullvad-update/src/client/api.rs
index 6f4f7bc51b..dbfd7dc45a 100644
--- a/mullvad-update/src/client/api.rs
+++ b/mullvad-update/src/client/api.rs
@@ -8,7 +8,7 @@ use tokio::fs;
 #[cfg(test)]
 use vec1::Vec1;
 
-use crate::defaults::META_REPOSITORY_URL;
+use crate::defaults;
 use crate::format;
 use crate::version::{VersionInfo, VersionParameters};
 
@@ -40,11 +40,7 @@ impl MetaRepositoryPlatform {
 
     /// Return complete URL used for the metadata
     pub fn url(&self) -> String {
-        format!(
-            "{}/{}",
-            crate::defaults::META_REPOSITORY_URL,
-            self.filename()
-        )
+        format!("{}/{}", defaults::RELEASES_URL, self.filename())
     }
 
     fn filename(&self) -> &str {
@@ -87,7 +83,7 @@ impl From<MetaRepositoryPlatform> for HttpVersionInfoProvider {
         HttpVersionInfoProvider {
             url: platform.url(),
             resolve: Some((API_HOST_DEFAULT, API_IP_DEFAULT)),
-            pinned_certificate: Some(crate::defaults::PINNED_CERTIFICATE.clone()),
+            pinned_certificate: Some(defaults::PINNED_CERTIFICATE.clone()),
             dump_to_path: None,
         }
     }
@@ -158,15 +154,17 @@ impl HttpVersionInfoProvider {
 
     /// Retrieve the `latest.json` file.
     ///
-    /// By default, `pinned_certificate` will be set to the LE root certificate. The contents are
-    /// unsigned.
-    pub async fn get_latest_versions_file() -> anyhow::Result<Vec<u8>> {
+    /// - `pinned_certificate` will be set to the LE root certificate.
+    /// - DNS will be used to look up the URL.
+    /// - The JSON response is not signed.
+    pub async fn get_latest_versions_file() -> anyhow::Result<String> {
         Self::get(
-            &format!("{META_REPOSITORY_URL}/latest.json"),
-            Some(crate::defaults::PINNED_CERTIFICATE.clone()),
-            Some((API_HOST_DEFAULT, API_IP_DEFAULT)),
+            &format!("{}/latest.json", defaults::METADATA_URL),
+            Some(defaults::PINNED_CERTIFICATE.clone()),
+            None,
         )
         .await
+        .and_then(|raw_json: Vec<u8>| Ok(String::from_utf8(raw_json)?))
         .context("Failed to get latest.json file")
     }
 
diff --git a/mullvad-update/src/defaults.rs b/mullvad-update/src/defaults.rs
index 7d6ba5f172..bc563a1b04 100644
--- a/mullvad-update/src/defaults.rs
+++ b/mullvad-update/src/defaults.rs
@@ -4,11 +4,19 @@ use crate::format::key::VerifyingKey;
 use std::sync::LazyLock;
 use vec1::Vec1;
 
-/// Default repository URL for version metadata
+/// Default URL for the `releases`-API.
+///
+/// Note that this is just a proxy to _some_ of the files in [METADATA_URL].
 #[cfg(feature = "client")]
-pub const META_REPOSITORY_URL: &str = "https://api.mullvad.net/app/releases/";
+pub const RELEASES_URL: &str = "https://api.mullvad.net/app/releases/";
 
-/// Default TLS certificate to pin to
+/// Default URL for version metadata repository.
+#[cfg(feature = "client")]
+pub const METADATA_URL: &str = "https://releases.mullvad.net/desktop/metadata/";
+
+/// Default TLS certificate to pin to.
+///
+/// This is the Let's Encrypt root-certificate.
 #[cfg(feature = "client")]
 pub static PINNED_CERTIFICATE: LazyLock<reqwest::Certificate> = LazyLock::new(|| {
     const CERT_BYTES: &[u8] = include_bytes!("../../mullvad-api/le_root_cert.pem");