Hi Steven,
unfortunately there are some known but not yet resolved issues [1] with the TUF
command line tools from the Quickstart Guide.
May I suggest that you take a look at the advanced tutorial [2] instead.
Thanks,
Lukas
[1] https://github.com/theupdateframework/tuf/issues/881
[2] https://github.com/theupdateframework/tuf/blob/develop/docs/TUTORIAL.md
On 4/8/20 2:20 PM, Steven Kim wrote:
> Hi Trishank~,
>
> Thanks for the quick response~
> It was really helpful for me to understand more about TUF.
>
>
> Today I tried to follow this Quickstart guide
> https://github.com/theupdateframework/tuf/blob/develop/docs/QUICKSTART.md
>
> But there was an error after "Step 4: Obtain and verify the testfile update
> on a client "
> At first, a bunch of files were generated, such as 1.root.json,
> root.json, timestamp.json, target.json, snapshot.json.
> After adding testfile on the server, 2.root.json is not generated.
> Is that normal?
> It looks like the Client finds the 2.root.json from the Server metadata.
> But there is no 2.root.json file in the Server.
>
> $ client.py --repo http://localhost:8001 testfile
>
> Could not download URL: 'http://localhost:8001/metadata/2.root.json'
>
> Traceback (most recent call last):
>   File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/download.py", line 264, in _download_file
>     response.raise_for_status()
>   File "/home/skim5/.local/lib/python3.6/site-packages/requests/models.py", line 941, in raise_for_status
>     raise HTTPError(http_error_msg, response=self)
> requests.exceptions.HTTPError: 404 Client Error: File not found for url: http://localhost:8001/metadata/2.root.json
>
> Update failed from http://localhost:8001/metadata/2.root.json.
>
> Traceback (most recent call last):
>   File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/client/updater.py", line 1502, in _get_metadata_file
>     upperbound_filelength)
>   File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/download.py", line 150, in unsafe_download
>     return _download_file(url, required_length, STRICT_REQUIRED_LENGTH=False)
>   File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/download.py", line 264, in _download_file
>     response.raise_for_status()
>   File "/home/skim5/.local/lib/python3.6/site-packages/requests/models.py", line 941, in raise_for_status
>     raise HTTPError(http_error_msg, response=self)
> requests.exceptions.HTTPError: 404 Client Error: File not found for url: http://localhost:8001/metadata/2.root.json
>
> Failed to update '2.root.json' from all mirrors:
> {'http://localhost:8001/metadata/2.root.json': HTTPError('404 Client Error: File not found for url: http://localhost:8001/metadata/2.root.json',)}
>
> ERROR:root:HTTP error for root version 2
>
> Traceback (most recent call last):
>   File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/client/updater.py", line 1145, in _update_root_metadata
>     version=next_version)
>   File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/client/updater.py", line 1781, in _update_metadata
>     upperbound_filelength, version)
>   File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/client/updater.py", line 1597, in _get_metadata_file
>     raise tuf.exceptions.NoWorkingMirrorError(file_mirror_errors)
> tuf.exceptions.NoWorkingMirrorError: No working mirror was found:
>   'localhost:8001': HTTPError('404 Client Error: File not found for url: http://localhost:8001/metadata/2.root.json',)
>
> INFO:tuf.download:Downloading: 'http://localhost:8001/metadata/timestamp.json'
>
> INFO:tuf.download:Downloaded 704 bytes out of an upper limit of 16384 bytes.
>
> INFO:tuf.download:Downloading: 'http://localhost:8001/metadata/snapshot.json'
>
> INFO:tuf.download:Downloaded 431 bytes out of an upper limit of 2000000 bytes.
>
> INFO:tuf.download:Downloading: 'http://localhost:8001/metadata/targets.json'
>
> INFO:tuf.download:Downloaded 735 bytes out of an upper limit of 5000000 bytes.
>
> INFO:tuf.client.updater:'targets.json' up-to-date.
>
> INFO:tuf.client.updater:'targets.json' up-to-date.
>
> INFO:tuf.download:Downloading: 'http://localhost:8001/targets/testfile'
>
> INFO:tuf.download:Downloaded 10 bytes out of the expected 10 bytes.
>
> INFO:tuf.client.updater:The file's sha256 hash is correct: 114811b0b8998cb9853a5379598021410feddf69bb2ee7b7145d052a7e9b5d45
>
> INFO:tuf.client.updater:The file's sha512 hash is correct: 9484ec641bd36078436a993000045bbc380f77d8897e9dcc1b784c10642abe31f5469b9b6c31afa3a286abb4d0ce618468043883bce231c99aa984ea9ff14a64
>
>
> Regards,
> Steven
>
> On Wednesday, April 8, 2020 at 12:57:42 AM UTC+9, Trishank Karthik Kuppusamy wrote:
>>
>> Hi Steven,
>>
>> Thanks for your interest!
>>
>> On Tue, Apr 7, 2020 at 11:24 AM Steven Kim <mje...@gmail.com> wrote:
>>
>>>
>>> 1. If the root role key is compromised, the new version of root.json
>>> should be updated in the Client.
>>> How can the client know that there is an updated root.json in the
>>> repository?
>>>
>>
>> The first thing the client does is to update to the latest version of the
>> root metadata. See Steps 0-1 in the detailed workflow
>> <https://github.com/theupdateframework/specification/blob/69b8456614796b57c6076d3894568a83b3f7ce1a/tuf-spec.md#5-detailed-workflows>.
>>
>>> 2. Expiration time is used in the json file. How is the time information
>>> synced between the Client and Server?
>>> Uptane shows the time server. But I cannot find how TUF manages the
>>> time information.
>>>
>>
>> TUF does not update time by itself, and instead depends on the runtime to
>> do this. You may use NTP, Roughtime, or something similar. In Uptane (a
>> fork of TUF for ground vehicles), we propose using a time server to update
>> time on ECUs on vehicles which typically have no real-time clocks.
>>
>>
>>> 3. Are there any criteria to set the threshold of keys?
>>> The more threshold values are used, the better for the security,
>>> but the complexity and the time spent increase.
>>>
>>
>> Indeed, this depends on how security-critical the role is. The root and
>> targets roles, for example, should use a threshold of keys. You may be
>> interested to see how we manage keys across many roles in the Datadog
>> integration
>> <https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto/>.
>>
>> Regards,
>> Trishank
>>
>
--
lukas.pu...@nyu.edu
PGP fingerprint: 8BA6 9B87 D43B E294 F23E 8120 89A2 AD3C 07D9 62E8
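
Added illustration, not part of the thread and not code from the TUF project: a sketch of the root update loop from the specification's detailed workflow, in which the client requests version N+1 of root.json until none is available, checks each new root against the key threshold of both the previous and the new root, and checks expiry against the runtime's clock. The keys, the in-memory `repo` dict, the integer timestamps and the HMAC "signatures" are constructed stand-ins for real public-key signatures and HTTP downloads.

```python
import hashlib, hmac, json

# Constructed demo keys; HMAC is a stand-in for TUF's public-key signatures.
KEYS = {"k1": b"secret-1", "k2": b"secret-2", "k3": b"secret-3"}

def canonical(signed):
    return json.dumps(signed, sort_keys=True).encode()

def sign(signed, keyids):
    body = canonical(signed)
    return {"signed": signed, "signatures": {
        k: hmac.new(KEYS[k], body, hashlib.sha256).hexdigest() for k in keyids}}

def meets_threshold(meta, root):
    """True if enough distinct keys listed in `root` validly signed `meta`."""
    body = canonical(meta["signed"])
    good = sum(1 for k in set(root["keyids"]) if hmac.compare_digest(
        meta["signatures"].get(k, ""),
        hmac.new(KEYS[k], body, hashlib.sha256).hexdigest()))
    return good >= root["threshold"]

def update_root(trusted, repo, now):
    """Walk N+1.root.json until the repository has no newer version."""
    while True:
        name = f"{trusted['version'] + 1}.root.json"
        meta = repo.get(name)              # None plays the role of an HTTP 404
        if meta is None:
            break                          # no newer root: the walk ends here
        new = meta["signed"]
        if new["version"] != trusted["version"] + 1:
            raise ValueError(f"{name}: unexpected version")
        # The new root must satisfy the old root's threshold AND its own.
        if not (meets_threshold(meta, trusted) and meets_threshold(meta, new)):
            raise ValueError(f"{name}: signature threshold not met")
        trusted = new
    if trusted["expires"] <= now:          # `now` comes from the runtime clock
        raise ValueError("root metadata expired")
    return trusted

def root(version, keyids, threshold, expires):
    return {"version": version, "keyids": keyids,
            "threshold": threshold, "expires": expires}

# Constructed sample: version 2 rotates k1 out and k3 in, threshold 2 of 2.
ROOT1 = root(1, ["k1", "k2"], 2, 100)
ROOT2 = root(2, ["k2", "k3"], 2, 200)
REPO = {"2.root.json": sign(ROOT2, ["k1", "k2", "k3"])}

if __name__ == "__main__":
    print(update_root(ROOT1, REPO, now=50)["version"])
```

A rotated root signed only by the new keys is rejected, because a client that trusts version 1 has no reason to trust keys that version 1 never listed.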