|
1 | 1 | # <p align="center">The Update Framework Specification |
2 | 2 |
|
3 | | -Last modified: **28 February 2018** |
| 3 | +Last modified: **14 March 2018** |
4 | 4 |
|
5 | 5 | Version: **1.0 (Draft)** |
6 | 6 |
|
@@ -309,11 +309,11 @@ Version: **1.0 (Draft)** |
309 | 309 |
|
310 | 310 | - **2.1.3 Snapshot role** |
311 | 311 |
|
312 | | - The snapshot role signs a metadata file that provides information about the |
313 | | - latest version of all of the other metadata on the repository (excluding the |
314 | | - timestamp file, discussed below). This information allows clients to know |
315 | | - which metadata files have been updated and also prevents mix-and-match |
316 | | - attacks. |
| 312 | + The snapshot role signs a metadata file that provides information about |
| 313 | + the latest version of all of the other metadata on the repository |
| 314 | + (excluding the timestamp file, discussed below). This information allows |
| 315 | + clients to know which metadata files have been updated and also prevents |
| 316 | + mix-and-match attacks. |
317 | 317 |
|
318 | 318 | - **2.1.4 Timestamp role** |
319 | 319 |
|
@@ -1007,8 +1007,8 @@ Version: **1.0 (Draft)** |
1007 | 1007 | X number of bytes (because the size is unknown). The value for X is set by |
1008 | 1008 | the authors of the application using TUF. For example, X may be tens of |
1009 | 1009 | kilobytes. The filename used to download the root metadata file is of the |
1010 | | - fixed form VERSION.FILENAME.EXT (e.g., 42.root.json). If this file is not |
1011 | | - available, then go to step 1.8. |
| 1010 | + fixed form VERSION_NUMBER.FILENAME.EXT (e.g., 42.root.json). If this file |
| 1011 | + is not available, then go to step 1.8. |
1012 | 1012 |
|
1013 | 1013 | 1.3. **Check signatures.** Version N+1 of the root metadata file MUST have |
1014 | 1014 | been signed by: (1) a threshold of keys specified in the trusted root |
@@ -1060,15 +1060,14 @@ Version: **1.0 (Draft)** |
1060 | 1060 | metadata file. |
1061 | 1061 |
|
1062 | 1062 | 3. **Download and check the snapshot metadata file**, up to the number of |
1063 | | - bytes specified in the timestamp metadata file. |
1064 | | - If consistent snapshots are not used (see Section 7), then the filename |
1065 | | - used to download the snapshot metadata file is of the fixed form |
1066 | | - FILENAME.EXT (e.g., snapshot.json). |
1067 | | - Otherwise, the filename is of the form VERSION.FILENAME.EXT (e.g., |
1068 | | - 42.snapshot.json), where VERSION is the version number of the snapshot |
1069 | | - metadata file listed in the timestamp metadata file. In either case, |
1070 | | - the client MUST write the file to non-volatile storage as |
1071 | | - FILENAME.EXT. |
| 1063 | + bytes specified in the timestamp metadata file. If consistent snapshots |
| 1064 | + are not used (see Section 7), then the filename used to download the |
| 1065 | + snapshot metadata file is of the fixed form FILENAME.EXT (e.g., |
| 1066 | + snapshot.json). Otherwise, the filename is of the form |
| 1067 | + VERSION_NUMBER.FILENAME.EXT (e.g., 42.snapshot.json), where VERSION_NUMBER |
| 1068 | + is the version number of the snapshot metadata file listed in the timestamp |
| 1069 | + metadata file. In either case, the client MUST write the file to |
| 1070 | + non-volatile storage as FILENAME.EXT. |
1072 | 1071 |
|
1073 | 1072 | 3.1. **Check against timestamp metadata.** The hashes and version number |
1074 | 1073 | of the new snapshot metadata file MUST match the hashes and version number |
@@ -1100,17 +1099,16 @@ Version: **1.0 (Draft)** |
1100 | 1099 | file. |
1101 | 1100 |
|
1102 | 1101 | 4. **Download and check the top-level targets metadata file**, up to either |
1103 | | - the number of bytes specified in the snapshot metadata file, or some |
1104 | | - Z number of bytes. The value for Z is set by the authors of the application |
1105 | | - using TUF. For example, Z may be tens of kilobytes. |
1106 | | - If consistent snapshots are not used (see Section 7), then the filename |
1107 | | - used to download the targets metadata file is of the fixed form |
1108 | | - FILENAME.EXT (e.g., targets.json). |
1109 | | - Otherwise, the filename is of the form VERSION.FILENAME.EXT (e.g., |
1110 | | - 42.targets.json), where VERSION is the version number of the targets |
1111 | | - metadata file listed in the snapshot metadata file. |
1112 | | - In either case, the client MUST write the file to non-volatile storage as |
1113 | | - FILENAME.EXT. |
| 1102 | + the number of bytes specified in the snapshot metadata file, or some Z |
| 1103 | + number of bytes. The value for Z is set by the authors of the application |
| 1104 | + using TUF. For example, Z may be tens of kilobytes. If consistent |
| 1105 | + snapshots are not used (see Section 7), then the filename used to download |
| 1106 | + the targets metadata file is of the fixed form FILENAME.EXT (e.g., |
| 1107 | + targets.json). Otherwise, the filename is of the form |
| 1108 | + VERSION_NUMBER.FILENAME.EXT (e.g., 42.targets.json), where VERSION_NUMBER |
| 1109 | + is the version number of the targets metadata file listed in the snapshot |
| 1110 | + metadata file. In either case, the client MUST write the file to |
| 1111 | + non-volatile storage as FILENAME.EXT. |
1114 | 1112 |
|
1115 | 1113 | 4.1. **Check against snapshot metadata.** The hashes (if any), and version |
1116 | 1114 | number of the new targets metadata file MUST match the trusted snapshot metadata. |
@@ -1254,22 +1252,23 @@ Version: **1.0 (Draft)** |
1254 | 1252 |
|
1255 | 1253 | Additionally, the timestamp metadata (timestamp.json) should also be |
1256 | 1254 | written to non-volatile storage whenever it is updated. It is optional for |
1257 | | - an implementation to write identical copies at digest.timestamp.json for |
1258 | | - record-keeping purposes, because a cryptographic hash of the timestamp |
1259 | | - metadata is usually not known in advance. The same step applies to the root |
1260 | | - metadata (root.json), although an implementation must write both root.json |
1261 | | - and digest.root.json because it is possible to download root metadata both |
1262 | | - with and without known hashes. These steps are required because these are |
1263 | | - the only metadata files that may be requested without known hashes. |
| 1255 | + an implementation to write identical copies at |
| 1256 | + version_number.timestamp.json for record-keeping purposes, because a |
| 1257 | + cryptographic hash of the timestamp metadata is usually not known in |
| 1258 | + advance. The same step applies to the root metadata (root.json), although |
| 1259 | + an implementation must write both root.json and version_number.root.json |
| 1260 | + because it is possible to download root metadata both with and without |
| 1261 | + known version numbers. These steps are required because these are the only |
| 1262 | + metadata files that may be requested without known version numbers. |
1264 | 1263 |
|
1265 | 1264 | Most importantly, no metadata file format must be updated to refer to the |
1266 | | - names of metadata or target files with their hashes included. In other |
1267 | | - words, if a metadata file A refers to another metadata or target file B as |
| 1265 | + names of metadata or target files with their version numbers included. In |
| 1266 | + other words, if a metadata file A refers to another metadata file B as |
1268 | 1267 | filename.ext, then the filename must remain as filename.ext and not |
1269 | | - digest.filename.ext. This rule is in place so that metadata signed by roles |
1270 | | - with offline keys will not be forced to sign for the metadata file whenever |
1271 | | - it is updated. In the next subsection, we will see how clients will |
1272 | | - reproduce the name of the intended file. |
| 1268 | + version_number.filename.ext. This rule is in place so that metadata signed |
| 1269 | + by roles with offline keys will not be forced to sign for the metadata file |
| 1270 | + whenever it is updated. In the next subsection, we will see how clients |
| 1271 | + will reproduce the name of the intended file. |
1273 | 1272 |
|
1274 | 1273 | Finally, the root metadata should write the Boolean "consistent_snapshot" |
1275 | 1274 | attribute at the root level of its keys of attributes. If consistent |
|
0 commit comments