@@ -996,9 +996,10 @@ repo](https://github.com/theupdateframework/specification/issues).
996996
997997### ** The client application**
998998
999- Note: If a step in the following workflow does not succeed (e.g., a failure
1000- is reported because a new metadata file was not signed), the client should
1001- not be left in an unrecoverable state.
999+ Note: If a step in the following workflow does not succeed (e.g., the update
1000+ is aborted because a new metadata file was not signed), the client should
1001+ still be able to update again in the future. Errors raised during the update
1002+ process should not leave clients in an unrecoverable state.
10021003
10031004 ** 0** . ** Load the trusted root metadata file.** We assume that a good, trusted
10041005 copy of this file was shipped with the package manager or software updater
@@ -1025,17 +1026,18 @@ repo](https://github.com/theupdateframework/specification/issues).
10251026 been signed by: (1) a threshold of keys specified in the trusted root
10261027 metadata file (version N), and (2) a threshold of keys specified in the new
10271028 root metadata file being validated (version N+1). If version N+1 is not
1028- signed as required, discard it and report the signature failure. On the
1029- next update cycle, begin at step 0 and version N of the root metadata
1030- file.
1029+ signed as required, discard it, abort the update cycle, and report the
1030+ signature failure. On the next update cycle, begin at step 0 and version N
1031+ of the root metadata file.
10311032
10321033 * ** 1.4. Check for a rollback attack.** The version number of the trusted
10331034 root metadata file (version N) must be less than or equal to the version
10341035 number of the new root metadata file (version N+1). Effectively, this means
10351036 checking that the version number signed in the new root metadata file is
1036- indeed N+1. If the new root metadata file is less than the trusted metadat
1037- file, discard it and report the rollback attack. On the next update cycle,
1038- begin at step 0 and version N of the root metadata file.
1037+ indeed N+1. If the new root metadata file is less than the trusted metadata
1038+ file, discard it, abort the update cycle, and report the rollback attack. On
1039+ the next update cycle, begin at step 0 and version N of the root metadata
1040+ file.
10391041
10401042 * ** 1.5** . Note that the expiration of the new (intermediate) root metadata
10411043 file does not matter yet, because we will check for it in step 1.8.
@@ -1047,9 +1049,9 @@ repo](https://github.com/theupdateframework/specification/issues).
10471049
10481050 * ** 1.8** . ** Check for a freeze attack.** The latest known time should be
10491051 lower than the expiration timestamp in the trusted root metadata file
1050- (version N). If the trusted root metadata file has expired, report the
1051- potential freeze attack. On the next update cycle, begin at step 0 and
1052- version N of the root metadata file.
1052+ (version N). If the trusted root metadata file has expired, abort the update
1053+ cycle, report the potential freeze attack. On the next update cycle, begin
1054+ at step 0 and version N of the root metadata file.
10531055
10541056 * ** 1.9** . ** If the timestamp and / or snapshot keys have been rotated, then
10551057 delete the trusted timestamp and snapshot metadata files.** This is done in
@@ -1069,20 +1071,20 @@ used to download the timestamp metadata file is of the fixed form FILENAME.EXT
10691071
10701072 * ** 2.1** . ** Check signatures.** The new timestamp metadata file must have
10711073 been signed by a threshold of keys specified in the trusted root metadata
1072- file. If the new timestamp metadata file is not properly signed, discard it
1073- and report the signature failure.
1074+ file. If the new timestamp metadata file is not properly signed, discard it,
1075+ abort the update cycle, and report the signature failure.
10741076
10751077 * ** 2.2** . ** Check for a rollback attack.** The version number of the trusted
10761078 timestamp metadata file, if any, must be less than or equal to the version
10771079 number of the new timestamp metadata file. If the new timestamp metadata
1078- file is older than the trusted timestamp metadata file, discard it and report
1079- the potential rollback attack.
1080+ file is older than the trusted timestamp metadata file, discard it, abort the
1081+ update cycle, and report the potential rollback attack.
10801082
10811083 * ** 2.3** . ** Check for a freeze attack.** The latest known time should be
10821084 lower than the expiration timestamp in the new timestamp metadata file. If
10831085 so, the new timestamp metadata file becomes the trusted timestamp metadata
1084- file. If the new timestamp metadata file has expired, discard it and report
1085- the potential freeze attack.
1086+ file. If the new timestamp metadata file has expired, discard it, abort the
1087+ update cycle, and report the potential freeze attack.
10861088
10871089** 3** . ** Download snapshot metadata file** , up to the number of bytes specified
10881090in the timestamp metadata file. If consistent snapshots are not used (see
@@ -1093,15 +1095,16 @@ VERSION_NUMBER is the version number of the snapshot metadata file listed in
10931095the timestamp metadata file. In either case, the client MUST write the file to
10941096non-volatile storage as FILENAME.EXT.
10951097
1096- * ** 3.1** . ** Check against timestamp metadata.** The hashes and version number
1098+ * ** 3.1** . ** Check against timestamp metadata.** The hashes and version
1099+ * number
10971100 of the new snapshot metadata file MUST match the hashes and version number
10981101 listed in timestamp metadata. If hashes and version do not match, discard
1099- the new snapshot metadata and report the failure.
1102+ the new snapshot metadata, abort the update cycle, and report the failure.
11001103
11011104 * ** 3.2** . ** Check signatures.** The new snapshot metadata file MUST have
11021105 been signed by a threshold of keys specified in the trusted root metadata
11031106 file. If the new snapshot metadata file is not signed as required, discard
1104- it and report the signature failure.
1107+ it, abort the update cycle, and report the signature failure.
11051108
11061109 * ** 3.3** . ** Check for a rollback attack.**
11071110
@@ -1112,21 +1115,23 @@ non-volatile storage as FILENAME.EXT.
11121115 * ** 3.3.2** . The version number of the trusted snapshot metadata file, if
11131116 any, MUST be less than or equal to the version number of the new snapshot
11141117 metadata file. If the new snapshot metadata file is older than the trusted
1115- metadata file, discard it and report the potential rollback attack.
1118+ metadata file, discard it, abort the update cycle, and report the potential
1119+ rollback attack.
11161120
11171121 * ** 3.3.3** . The version number of the targets metadata file, and all
11181122 delegated targets metadata files (if any), in the trusted snapshot metadata
11191123 file, if any, MUST be less than or equal to its version number in the new
11201124 snapshot metadata file. Furthermore, any targets metadata filename that was
11211125 listed in the trusted snapshot metadata file, if any, MUST continue to be
11221126 listed in the new snapshot metadata file. If any of these conditions are
1123- not met, discard the new snaphot metadadata file and report the failure.
1127+ not met, discard the new snaphot metadadata file, abort the update cycle,
1128+ and report the failure.
11241129
11251130 * ** 3.4** . ** Check for a freeze attack.** The latest known time should be
11261131 lower than the expiration timestamp in the new snapshot metadata file. If
11271132 so, the new snapshot metadata file becomes the trusted snapshot metadata
1128- file. If the new snaphshot metadata file is expired, discard it and report
1129- the potential freeze attack.
1133+ file. If the new snaphshot metadata file is expired, discard it, abort the
1134+ update cycle, and report the potential freeze attack.
11301135
11311136** 4** . ** Download the top-level targets metadata file** , up to either the
11321137number of bytes specified in the snapshot metadata file, or some Z number of
@@ -1143,24 +1148,24 @@ non-volatile storage as FILENAME.EXT.
11431148 version number of the new targets metadata file MUST match the trusted
11441149 snapshot metadata. This is done, in part, to prevent a mix-and-match attack
11451150 by man-in-the-middle attackers. If the new targets metadata file does not
1146- match, discard it and report the failure.
1151+ match, discard it, abort the update cycle, and report the failure.
11471152
11481153 * ** 4.2** . ** Check for an arbitrary software attack.** The new targets
11491154 metadata file MUST have been signed by a threshold of keys specified in the
11501155 trusted root metadata file. If the new targets metadat file is not signed
1151- as required, discard it and report the failure.
1156+ as required, discard it, abort the update cycle, and report the failure.
11521157
11531158 * ** 4.3** . ** Check for a rollback attack.** The version number of the trusted
11541159 targets metadata file, if any, MUST be less than or equal to the version
1155- number of the new targets metadata file. If the new targets metadata file
1156- is older than the trusted targets metadata file, discard it and report
1157- the potential rollback attack.
1160+ number of the new targets metadata file. If the new targets metadata file is
1161+ older than the trusted targets metadata file, discard it, abort the update
1162+ cycle, and report the potential rollback attack.
11581163
11591164 * ** 4.4** . ** Check for a freeze attack.** The latest known time should be
11601165 lower than the expiration timestamp in the new targets metadata file. If so,
11611166 the new targets metadata file becomes the trusted targets metadata file. If
1162- the new targets metadata file is expired, discard it and report the potential
1163- freeze attack.
1167+ the new targets metadata file is expired, discard it, abort the update cycle,
1168+ and report the potential freeze attack.
11641169
11651170 * ** 4.5** . ** Perform a preorder depth-first search for metadata about the
11661171 desired target, beginning with the top-level targets role.** Note: If
@@ -1191,8 +1196,8 @@ non-volatile storage as FILENAME.EXT.
11911196
11921197** 5** . ** Verify the desired target against its targets metadata** .
11931198
1194- * ** 5.1** . If there is no targets metadata about this target, then report that
1195- there is no such target.
1199+ * ** 5.1** . If there is no targets metadata about this target, abort the
1200+ update cycle and report that there is no such target.
11961201
11971202 * ** 5.2** . Otherwise, download the target (up to the number of bytes
11981203 specified in the targets metadata), and verify that its hashes match the
0 commit comments