Merge pull request #40 from erickt/remove-root

trishankatdatadog · web-flow · commit 0cddec0a60f9 · 2019-10-17T15:08:53.000-04:00
Remove root, add delegation hashes to the snapshot metadata
diff --git a/tuf-spec.md b/tuf-spec.md
@@ -711,9 +711,9 @@ repo](https://github.com/theupdateframework/specification/issues).
 * **4.4. File formats: snapshot.json**
 
    The snapshot.json file is signed by the snapshot role.  It lists the version
-   numbers of all metadata on the repository, excluding timestamp.json and
-   mirrors.json.  For the root role, the hash(es), size, and version number
-   are listed.
+   numbers of only the top-level targets and all delegated targets role metadata.
+   The metadata length and hashes are OPTIONAL for the top-level targets and
+   all delegated targets roles.
 
    The "signed" portion of snapshot.json is as follows:
 
@@ -727,43 +727,58 @@ repo](https://github.com/theupdateframework/specification/issues).
    METAFILES is an object whose format is the following:
 
        { METAPATH : {
-             "version" : VERSION }
+             "version" : VERSION,
+             ("length" : LENGTH, |
+              "hashes" : HASHES) }
          , ...
        }
 
    METAPATH is the metadata file's path on the repository relative to the
    metadata base URL.
 
-   VERSION is listed for the root file
-   and all other roles available on the repository.
+   VERSION is listed for the top-level targets and all delegated targets roles
+   available on the repository.
+
+   LENGTH is the integer length in bytes of the metadata file. It is
+   OPTIONAL for all roles.
+
+   HASHES is the dictionary that specifies one or more hashes, including
+   the cryptographic hash function.  For example: { "sha256": HASH, ... }. It is
+   OPTIONAL for all roles.
 
    A snapshot.json example file:
 
-       {
-       "signatures": [
-        {
-         "keyid": "66676daa73bdfb4804b56070c8927ae491e2a6c2314f05b854dea94de8ff6bfc",
-         "sig": "f7f03b13e3f4a78a23561419fc0dd741a637e49ee671251be9f8f3fceedfc112e4
-                 4ee3aaff2278fad9164ab039118d4dc53f22f94900dae9a147aa4d35dcfc0f"
-        }
-       ],
-       "signed": {
-        "_type": "snapshot",
-        "spec_version": "1.0.0",
-        "expires": "2030-01-01T00:00:00Z",
-        "meta": {
-         "root.json": {
-          "version": 1
-         },
-         "targets.json": {
-          "version": 1
-         },
-         "project.json": {
-          "version": 1
-          },
+       { "signatures": [
+         {
+          "keyid": "66676daa73bdfb4804b56070c8927ae491e2a6c2314f05b854dea94de8ff6bfc",
+          "sig": "f7f03b13e3f4a78a23561419fc0dd741a637e49ee671251be9f8f3fceedfc112e4
+                  4ee3aaff2278fad9164ab039118d4dc53f22f94900dae9a147aa4d35dcfc0f"
          }
-        "version": 1
-        },
+        ],
+        "signed": {
+         "_type": "snapshot",
+         "spec_version": "1.0.0",
+         "expires": "2030-01-01T00:00:00Z",
+         "meta": {
+          "targets.json": {
+           "version": 1
+          },
+          "project1.json": {
+           "version": 1,
+           "hashes": {
+            "sha256": "f592d072e1193688a686267e8e10d7257b4ebfcf28133350dae88362d82a0c8a"
+           }
+          },
+          "project2.json": {
+           "version": 1,
+           "length": 604,
+           "hashes": {
+            "sha256": "1f812e378264c3085bb69ec5f6663ed21e5882bbece3c3f8a0e8479f205ffb91"
+           }
+          }
+         },
+         "version": 1
+        }
        }
 
 * **4.5. File formats: targets.json and delegated target roles**
