|
1 | 1 | # <p align="center">The Update Framework Specification |
2 | 2 |
|
3 | | -Last modified: **2 December 2020** |
| 3 | +Last modified: **3 December 2020** |
4 | 4 |
|
5 | | -Version: **1.0.15** |
| 5 | +Version: **1.0.16** |
6 | 6 |
|
7 | 7 | We strive to make the specification easy to implement, so if you come across |
8 | 8 | any inconsistencies or experience any difficulty, do let us know by sending an |
@@ -1091,13 +1091,11 @@ repo](https://github.com/theupdateframework/specification/issues). |
1091 | 1091 | still be able to update again in the future. Errors raised during the update |
1092 | 1092 | process should not leave clients in an unrecoverable state. |
1093 | 1093 |
|
1094 | | - **5.0**. **Record the time at which the update began.** Add the update |
1095 | | - workflow maximum duration T to the recorded update start time to derive the |
1096 | | - fixed update expiration time. The value for T is set by the authors of the |
1097 | | - application using TUF. For example, T may be tens of minutes. |
1098 | | - This update expiration time will be used when checking for freeze attacks, |
1099 | | - and is fixed at the beginning of the update workflow to prevent metadata |
1100 | | - from expiring during an in-progress update. |
| 1094 | + **5.0**. **Record the time at which the update began** as the fixed update |
| 1095 | + start time. Time is fixed at the beginning of the update workflow to allow |
| 1096 | + an application using TUF to effectively pause time, in order to ensure that |
| 1097 | + metadata which has a valid expiration time at the beginning of an update |
| 1098 | + does not fail an expiration check later in the update workflow. |
1101 | 1099 |
|
1102 | 1100 | **5.1**. **Load the trusted root metadata file.** We assume that a good, |
1103 | 1101 | trusted copy of this file was shipped with the package manager or software |
@@ -1155,10 +1153,10 @@ repo](https://github.com/theupdateframework/specification/issues). |
1155 | 1153 | * **5.2.8**. **Repeat steps 5.2.1 to 5.2.8**. |
1156 | 1154 |
|
1157 | 1155 | * **5.2.9**. **Check for a freeze attack.** The expiration timestamp in the |
1158 | | - trusted root metadata file MUST be higher than the fixed update expiration |
1159 | | - time. If the trusted root metadata file has expired, abort the update |
1160 | | - cycle, report the potential freeze attack. On the next update cycle, begin |
1161 | | - at step 5.1 and version N of the root metadata file. |
| 1156 | + trusted root metadata file MUST be higher than the fixed update start time. |
| 1157 | + If the trusted root metadata file has expired, abort the update cycle, |
| 1158 | + report the potential freeze attack. On the next update cycle, begin at step |
| 1159 | + 5.1 and version N of the root metadata file. |
1162 | 1160 |
|
1163 | 1161 | * **5.2.10**. **If the timestamp and / or snapshot keys have been rotated, |
1164 | 1162 | then delete the trusted timestamp and snapshot metadata files.** This is done |
@@ -1199,8 +1197,8 @@ used to download the timestamp metadata file is of the fixed form FILENAME.EXT |
1199 | 1197 | timestamp metadata file, abort the update cycle, and report the failure. |
1200 | 1198 |
|
1201 | 1199 | * **5.3.3**. **Check for a freeze attack.** The expiration timestamp in the |
1202 | | - new timestamp metadata file MUST be higher than the fixed update expiration |
1203 | | - time. If so, the new timestamp metadata file becomes the trusted timestamp |
| 1200 | + new timestamp metadata file MUST be higher than the fixed update start time. |
| 1201 | + If so, the new timestamp metadata file becomes the trusted timestamp |
1204 | 1202 | metadata file. If the new timestamp metadata file has expired, discard it, |
1205 | 1203 | abort the update cycle, and report the potential freeze attack. |
1206 | 1204 |
|
@@ -1245,10 +1243,10 @@ the timestamp metadata file. |
1245 | 1243 | the update cycle, and report the failure. |
1246 | 1244 |
|
1247 | 1245 | * **5.4.5**. **Check for a freeze attack.** The expiration timestamp in the |
1248 | | - new snapshot metadata file MUST be higher than the fixed update expiration |
1249 | | - time. If so, the new snapshot metadata file becomes the trusted snapshot |
1250 | | - metadata file. If the new snapshot metadata file is expired, discard it, |
1251 | | - abort the update cycle, and report the potential freeze attack. |
| 1246 | + new snapshot metadata file MUST be higher than the fixed update start time. |
| 1247 | + If so, the new snapshot metadata file becomes the trusted snapshot metadata |
| 1248 | + file. If the new snapshot metadata file is expired, discard it, abort the |
| 1249 | + update cycle, and report the potential freeze attack. |
1252 | 1250 |
|
1253 | 1251 |
|
1254 | 1252 | * **5.4.6**. **Persist snapshot metadata.** The client MUST write the file to |
@@ -1282,10 +1280,10 @@ snapshot metadata file. |
1282 | 1280 | abort the update cycle, and report the failure. |
1283 | 1281 |
|
1284 | 1282 | * **5.5.4**. **Check for a freeze attack.** The expiration timestamp in the |
1285 | | - new targets metadata file MUST be higher than the fixed update expiration |
1286 | | - time. If so, the new targets metadata file becomes the trusted targets |
1287 | | - metadata file. If the new targets metadata file is expired, discard it, |
1288 | | - abort the update cycle, and report the potential freeze attack. |
| 1283 | + new targets metadata file MUST be higher than the fixed update start time. |
| 1284 | + If so, the new targets metadata file becomes the trusted targets metadata |
| 1285 | + file. If the new targets metadata file is expired, discard it, abort the |
| 1286 | + update cycle, and report the potential freeze attack. |
1289 | 1287 |
|
1290 | 1288 | * **5.5.5**. **Persist targets metadata.** The client MUST write the file to |
1291 | 1289 | non-volatile storage as FILENAME.EXT (e.g. targets.json). |
|
0 commit comments