Add missing documentation of pull request 237

Marc-André Aßbrock · Marc-André Aßbrock · commit 7324c4ee74fb · 2021-04-16T14:24:15.000+02:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -12,6 +12,7 @@
 * The download-speed label now shows a 3 second average.
 * `hasher` will no longer blindly overwrite an existing bundleinfo.json but instead error out.
 * `hasher` will now exit with an error when the `pathToHash` has no files to hash.
+* `timestamps.json` is ignored, if it is corrupt.
 ### Features
 * trivrost will log the progress of downloads if the connection was interrupted for any reason.
 ### Fixes
diff --git a/docs/security.md b/docs/security.md
@@ -19,6 +19,8 @@ To set the timestamp automatically, the shell script [insert_timestamp](../scrip
 
 Please note that you have to set the timestamp in the deployment-config before signing the deployment-config. For the bundle info files, the hasher will automatically set the timestamp in UTC.
 
+If the file `timestamps.json` is corrupt, trivrost will mention it in the log file and behave as if the file does not exist.
+
 # Signing
 To sign the deployment-config and bundle info files we use `RSA` with the padding algorithm `PSS`. We use `sha256` as the hashing algorithm for signing. The signatures of the deployment-config have to be stored `base64` encoded. The signatures are saved in separate files with the same url as the original files, but with a `.signature` extension. So the signature for the bundle info file `https://example.com/linux/launcher/bundleinfo.json` has the url `https://example.com/linux/launcher/bundleinfo.json.signature.`
 
