@@ -994,128 +994,127 @@ repo](https://github.com/theupdateframework/specification/issues).
994994
995995## ** 5. Detailed Workflows**
996996
997- ** The client application**
997+ ### ** The client application**
998998
999- 0 . ** Load the trusted root metadata file.** We assume that a good, trusted
999+ ** 0 ** . ** Load the trusted root metadata file.** We assume that a good, trusted
10001000 copy of this file was shipped with the package manager or software updater
10011001 using an out-of-band process. Note that the expiration of the trusted root
10021002 metadata file does not matter, because we will attempt to update it in the
10031003 next step.
10041004
1005- 1 . ** Update the root metadata file.** Since it may now be signed using
1006- entirely different keys, the client must somehow be able to establish a
1007- trusted line of continuity to the latest set of keys (see Section 6.1). To do
1008- so, the client MUST download intermediate root metadata files, until the
1009- latest available one is reached.
1010-
1011- 1.1. Let N denote the version number of the trusted root metadata file.
1012-
1013- 1.2. **Try downloading version N+1 of the root metadata file**, up to some
1014- X number of bytes (because the size is unknown). The value for X is set by
1015- the authors of the application using TUF. For example, X may be tens of
1016- kilobytes. The filename used to download the root metadata file is of the
1017- fixed form VERSION_NUMBER.FILENAME.EXT (e.g., 42.root.json). If this file
1018- is not available, then go to step 1.8.
1019-
1020- 1.3. **Check signatures.** Version N+1 of the root metadata file MUST have
1021- been signed by: (1) a threshold of keys specified in the trusted root
1022- metadata file (version N), and (2) a threshold of keys specified in the new
1023- root metadata file being validated (version N+1).
1024-
1025- 1.4. **Check for a rollback attack.** The version number of the trusted
1026- root metadata file (version N) must be less than or equal to the version
1027- number of the new root metadata file (version N+1). Effectively, this means
1028- checking that the version number signed in the new root metadata file is
1029- indeed N+1.
1030-
1031- 1.5. Note that the expiration of the new (intermediate) root metadata file
1032- does not matter yet, because we will check for it in step 1.8.
1033-
1034- 1.6. Set the trusted root metadata file to the new root metadata file.
1035-
1036- 1.7. Repeat steps 1.1 to 1.7.
1037-
1038- 1.8. **Check for a freeze attack.** The latest known time should be lower
1039- than the expiration timestamp in the trusted root metadata file.
1040-
1041- 1.9. **If the timestamp and / or snapshot keys have been rotated, then
1042- delete the trusted timestamp and snapshot metadata files.** This is done in
1043- order to recover from fast-forward attacks after the repository has been
1044- compromised and recovered. A _fast-forward attack_ happens when attackers
1045- arbitrarily increase the version numbers of: (1) the timestamp metadata,
1046- (2) the snapshot metadata, and / or (3) the targets, or a delegated
1047- targets, metadata file in the snapshot metadata. Please see [the Mercury
1048- paper](https://ssl.engineering.nyu.edu/papers/kuppusamy-mercury-usenix-2017.pdf)
1049- for more details.
1050-
1051- 2 . ** Download the timestamp metadata file** , up to Y number of bytes (because
1052- the size is unknown.) The value for Y is set by the authors of the
1053- application using TUF. For example, Y may be tens of kilobytes. The filename
1054- used to download the timestamp metadata file is of the fixed form
1055- FILENAME.EXT (e.g., timestamp.json).
1056-
1057- 2.1. **Check signatures.** The new timestamp metadata file must have been
1058- signed by a threshold of keys specified in the trusted root metadata file.
1059-
1060- 2.2. **Check for a rollback attack.** The version number of the trusted
1061- timestamp metadata file, if any, must be less than or equal to the version
1062- number of the new timestamp metadata file.
1063-
1064- 2.3. **Check for a freeze attack.** The latest known time should be lower
1065- than the expiration timestamp in the new timestamp metadata file. If so,
1066- the new timestamp metadata file becomes the trusted timestamp
1067- metadata file.
1068-
1069- 3. **Download and check the snapshot metadata file**, up to the number of
1070- bytes specified in the timestamp metadata file. If consistent snapshots
1071- are not used (see Section 7), then the filename used to download the
1072- snapshot metadata file is of the fixed form FILENAME.EXT (e.g.,
1073- snapshot.json). Otherwise, the filename is of the form
1074- VERSION_NUMBER.FILENAME.EXT (e.g., 42.snapshot.json), where VERSION_NUMBER
1075- is the version number of the snapshot metadata file listed in the timestamp
1076- metadata file. In either case, the client MUST write the file to
1077- non-volatile storage as FILENAME.EXT.
1078-
1079- 3.1. **Check against timestamp metadata.** The hashes and version number
1080- of the new snapshot metadata file MUST match the hashes and version number
1081- listed in timestamp metadata.
1082-
1083- 3.2. **Check signatures.** The snapshot metadata file MUST have been signed
1084- by a threshold of keys specified in the trusted root metadata file.
1085-
1086- 3.3. **Check for a rollback attack.**
1087-
1088- 3.3.1. Note that the trusted snapshot metadata file may be checked for
1089- authenticity, but its expiration does not matter for the following
1090- purposes.
1091-
1092- 3.3.2. The version number of the trusted snapshot metadata file, if any,
1093- MUST be less than or equal to the version number of the new snapshot
1094- metadata file.
1095-
1096- 3.3.3. The version number of the targets metadata file, and all delegated
1097- targets metadata files (if any), in the trusted snapshot metadata file, if
1098- any, MUST be less than or equal to its version number in the new snapshot
1099- metadata file. Furthermore, any targets metadata filename that was listed
1100- in the trusted snapshot metadata file, if any, MUST continue to be listed
1101- in the new snapshot metadata file.
1102-
1103- 3.4. **Check for a freeze attack.** The latest known time should be lower
1104- than the expiration timestamp in the new snapshot metadata file. If so,
1105- the new snapshot metadata file becomes the trusted snapshot metadata
1106- file.
1107-
1108- 4. **Download and check the top-level targets metadata file**, up to either
1109- the number of bytes specified in the snapshot metadata file, or some Z
1110- number of bytes. The value for Z is set by the authors of the application
1111- using TUF. For example, Z may be tens of kilobytes. If consistent
1112- snapshots are not used (see Section 7), then the filename used to download
1113- the targets metadata file is of the fixed form FILENAME.EXT (e.g.,
1114- targets.json). Otherwise, the filename is of the form
1115- VERSION_NUMBER.FILENAME.EXT (e.g., 42.targets.json), where VERSION_NUMBER
1116- is the version number of the targets metadata file listed in the snapshot
1117- metadata file. In either case, the client MUST write the file to
1118- non-volatile storage as FILENAME.EXT.
1005+ ** 1** . ** Update the root metadata file.**
1006+ Since it may now be signed using entirely different keys, the client must
1007+ somehow be able to establish a trusted line of continuity to the latest set
1008+ of keys (see Section 6.1). To do so, the client MUST download intermediate
1009+ root metadata files, until the latest available one is reached.
1010+
1011+ * ** 1.1** . Let N denote the version number of the trusted root metadata file.
1012+
1013+ * ** 1.2** . ** Try downloading version N+1 of the root metadata file** , up to
1014+ some X number of bytes (because the size is unknown). The value for X is set
1015+ by the authors of the application using TUF. For example, X may be tens of
1016+ kilobytes. The filename used to download the root metadata file is of the
1017+ fixed form VERSION_NUMBER.FILENAME.EXT (e.g., 42.root.json). If this file is
1018+ not available, then go to step 1.8.
1019+
1020+ * ** 1.3. Check signatures.** Version N+1 of the root metadata file MUST have
1021+ been signed by: (1) a threshold of keys specified in the trusted root
1022+ metadata file (version N), and (2) a threshold of keys specified in the new
1023+ root metadata file being validated (version N+1).
1024+
1025+ * ** 1.4. Check for a rollback attack.** The version number of the trusted
1026+ root metadata file (version N) must be less than or equal to the version
1027+ number of the new root metadata file (version N+1). Effectively, this means
1028+ checking that the version number signed in the new root metadata file is
1029+ indeed N+1.
1030+
1031+ * ** 1.5** . Note that the expiration of the new (intermediate) root metadata
1032+ file does not matter yet, because we will check for it in step 1.8.
1033+
1034+ * ** 1.6** . ** Set the trusted root metadata file** to the new root metadata
1035+ file.
1036+
1037+ * ** 1.7** . ** Repeat steps 1.1 to 1.7** .
1038+
1039+ * ** 1.8** . ** Check for a freeze attack.** The latest known time should be
1040+ lower than the expiration timestamp in the trusted root metadata file.
1041+
1042+ * ** 1.9** . ** If the timestamp and / or snapshot keys have been rotated, then
1043+ delete the trusted timestamp and snapshot metadata files.** This is done in
1044+ order to recover from fast-forward attacks after the repository has been
1045+ compromised and recovered. A _ fast-forward attack_ happens when attackers
1046+ arbitrarily increase the version numbers of: (1) the timestamp metadata, (2)
1047+ the snapshot metadata, and / or (3) the targets, or a delegated targets,
1048+ metadata file in the snapshot metadata. Please see [ the Mercury
1049+ paper] ( https://ssl.engineering.nyu.edu/papers/kuppusamy-mercury-usenix-2017.pdf )
1050+ for more details.
1051+
1052+ ** 2** . ** Download the timestamp metadata file** , up to Y number of bytes
1053+ (because the size is unknown.) The value for Y is set by the authors of the
1054+ application using TUF. For example, Y may be tens of kilobytes. The filename
1055+ used to download the timestamp metadata file is of the fixed form FILENAME.EXT
1056+ (e.g., timestamp.json).
1057+
1058+ * ** 2.1** . ** Check signatures.** The new timestamp metadata file must have
1059+ been signed by a threshold of keys specified in the trusted root metadata
1060+ file.
1061+
1062+ * ** 2.2** . ** Check for a rollback attack.** The version number of the trusted
1063+ timestamp metadata file, if any, must be less than or equal to the version
1064+ number of the new timestamp metadata file.
1065+
1066+ * ** 2.3** . ** Check for a freeze attack.** The latest known time should be
1067+ lower than the expiration timestamp in the new timestamp metadata file. If
1068+ so, the new timestamp metadata file becomes the trusted timestamp metadata
1069+ file.
1070+
1071+ ** 3** . ** Download snapshot metadata file** , up to the number of bytes specified
1072+ in the timestamp metadata file. If consistent snapshots are not used (see
1073+ Section 7), then the filename used to download the snapshot metadata file is of
1074+ the fixed form FILENAME.EXT (e.g., snapshot.json). Otherwise, the filename is
1075+ of the form VERSION_NUMBER.FILENAME.EXT (e.g., 42.snapshot.json), where
1076+ VERSION_NUMBER is the version number of the snapshot metadata file listed in
1077+ the timestamp metadata file. In either case, the client MUST write the file to
1078+ non-volatile storage as FILENAME.EXT.
1079+
1080+ * ** 3.1** . ** Check against timestamp metadata.** The hashes and version number
1081+ of the new snapshot metadata file MUST match the hashes and version number
1082+ listed in timestamp metadata.
1083+
1084+ * ** 3.2** . ** Check signatures.** The snapshot metadata file MUST have been
1085+ signed by a threshold of keys specified in the trusted root metadata file.
1086+
1087+ * ** 3.3** . ** Check for a rollback attack.**
1088+
1089+ * ** 3.3.1** . Note that the trusted snapshot metadata file may be checked for
1090+ authenticity, but its expiration does not matter for the following purposes.
1091+
1092+ * ** 3.3.2** . The version number of the trusted snapshot metadata file, if
1093+ any, MUST be less than or equal to the version number of the new snapshot
1094+ metadata file.
1095+
1096+ * ** 3.3.3** . The version number of the targets metadata file, and all
1097+ delegated targets metadata files (if any), in the trusted snapshot metadata
1098+ file, if any, MUST be less than or equal to its version number in the new
1099+ snapshot metadata file. Furthermore, any targets metadata filename that was
1100+ listed in the trusted snapshot metadata file, if any, MUST continue to be
1101+ listed in the new snapshot metadata file.
1102+
1103+ * ** 3.4** . ** Check for a freeze attack.** The latest known time should be
1104+ lower than the expiration timestamp in the new snapshot metadata file. If
1105+ so, the new snapshot metadata file becomes the trusted snapshot metadata
1106+ file.
1107+
1108+ ** 4** . ** Download the top-level targets metadata file** , up to either the
1109+ number of bytes specified in the snapshot metadata file, or some Z number of
1110+ bytes. The value for Z is set by the authors of the application using TUF. For
1111+ example, Z may be tens of kilobytes. If consistent snapshots are not used (see
1112+ Section 7), then the filename used to download the targets metadata file is of
1113+ the fixed form FILENAME.EXT (e.g., targets.json). Otherwise, the filename is
1114+ of the form VERSION_NUMBER.FILENAME.EXT (e.g., 42.targets.json), where
1115+ VERSION_NUMBER is the version number of the targets metadata file listed in the
1116+ snapshot metadata file. In either case, the client MUST write the file to
1117+ non-volatile storage as FILENAME.EXT.
11191118
11201119 4.1. **Check against snapshot metadata.** The hashes (if any), and version
11211120 number of the new targets metadata file MUST match the trusted snapshot metadata.
0 commit comments