Query on version and expiry management of metadata

Milan Satpathy

Nov 6, 2024, 4:52:46 AM
to theupdate...@googlegroups.com
Hi,

Here are a couple of basic questions that came to me while trying to implement the repository management.
Unfortunately I am not able to find a clear answer to these going through the specification; hence decided to seek advice here.

Questions:

1. In the case of reaching respective expiration of various metadata, they would need re-signing.
   Do I need to update the version number of those metadata as well while re-signing?
   (Especially considering the case of snapshot metadata where the underlying targets metadata it points to may not have even changed)

2. While adding a target file, should the expiration of all three metadata (targets, snapshot & timestamp) be updated once again?

I would appreciate getting some clarity on these points. 

Thank you!

Best Regards,
Milan

Jussi Kukkonen

Nov 6, 2024, 10:38:35 AM
to Milan Satpathy, theupdate...@googlegroups.com
Hi,
some responses inline.

On Wed, Nov 6, 2024 at 11:52 AM 'Milan Satpathy' via The Update Framework (TUF) <theupdate...@googlegroups.com> wrote:
> Hi,
>
> Here are a couple of basic questions that came to me while trying to implement the repository management.
> Unfortunately I am not able to find a clear answer to these going through the specification; hence decided to seek advice here.
>
> Questions:
>
> 1. In the case of reaching respective expiration of various metadata, they would need re-signing.
>    Do I need to update the version number of those metadata as well while re-signing?
>    (Especially considering the case of snapshot metadata where the underlying targets metadata it points to may not have even changed)

Yes. This becomes obvious when you consider that you need to update the "expires" field anyway to make the metadata valid again -- this changes the "signed" payload so a new version is needed.

> 2. While adding a target file, should the expiration of all three metadata (targets, snapshot & timestamp) be updated once again?

Updating the "expires" field is not necessarily required but it makes sense since you will have to create new versions of all three metadata anyway and might as well try to avoid a re-sign soon in the future.

HTH,
 Jussi
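
A minimal model of the two answers above, as an added example that is not part of the original thread and not code from any TUF implementation. Plain dicts stand in for the metadata, a hash of the "signed" payload stands in for what a signature covers, and the role lifetimes and all function names are assumptions.

```python
import copy, hashlib, json
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
LIFETIME_DAYS = {"targets": 90, "snapshot": 7, "timestamp": 1}  # assumed policy

def digest(signed):
    """Hash of the "signed" payload: a stand-in for what a signature covers."""
    blob = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def expired(signed, now):
    return now >= datetime.strptime(signed["expires"], FMT).replace(tzinfo=timezone.utc)

def new_repo(now):
    """Constructed starting state: every role at version 1."""
    exp = {r: (now + timedelta(days=d)).strftime(FMT) for r, d in LIFETIME_DAYS.items()}
    return {
        "targets": {"version": 1, "expires": exp["targets"], "targets": {}},
        "snapshot": {"version": 1, "expires": exp["snapshot"],
                     "meta": {"targets.json": {"version": 1}}},
        "timestamp": {"version": 1, "expires": exp["timestamp"],
                      "meta": {"snapshot.json": {"version": 1}}},
    }

def bump(repo, role, now):
    """Issue a new version of one role: version + 1 and a fresh "expires"."""
    new = copy.deepcopy(repo[role])
    new["version"] += 1
    new["expires"] = (now + timedelta(days=LIFETIME_DAYS[role])).strftime(FMT)
    repo[role] = new
    return new

def publish(repo, now):
    """Re-issue each role that expired or whose referenced version moved."""
    if expired(repo["targets"], now):
        bump(repo, "targets", now)
    for role, child, key in (("snapshot", "targets", "targets.json"),
                             ("timestamp", "snapshot", "snapshot.json")):
        if repo[role]["meta"][key]["version"] != repo[child]["version"] or expired(repo[role], now):
            bump(repo, role, now)["meta"][key]["version"] = repo[child]["version"]
    return {r: repo[r]["version"] for r in LIFETIME_DAYS}

def add_target(repo, path, content, now):
    """Adding a target forces new targets, snapshot and timestamp versions."""
    entry = {"length": len(content), "hashes": {"sha256": hashlib.sha256(content).hexdigest()}}
    bump(repo, "targets", now)["targets"][path] = entry
    return publish(repo, now)
```

Calling `publish` after the snapshot lifetime has passed re-issues snapshot and timestamp while targets stays at its old version; `add_target` moves all three.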