TUF metadata

Definition

TUF (The Update Framework) metadata is the set of signed JSON files that a repository publishes alongside the software it distributes and that a client verifies before trusting any download. Each file belongs to a role: root binds public keys to roles and sets the signature threshold for each; targets lists the files a client may fetch, with their cryptographic hashes and byte lengths; snapshot pins the current version of every targets file; and timestamp pins the current snapshot and expires quickly. Every file carries a version number and an expiry and must be signed by enough of the keys that root assigns to its role. Together these checks defend against rollback (replay) attacks, freeze attacks, mix-and-match attacks, and the substitution of tampered or oversized artifacts, so that a client installs only updates the repository's key holders actually published.

Secure Settings Example

The targets metadata below lists one artifact with both a sha256 digest and a byte length, and wraps the signed content in a signature that names the signing key. A client may accept it only after checking what the file itself cannot show: that the keyid is one root metadata assigns to the targets role, that the signature verifies over the canonical form of "signed", that the expiry is still in the future, and that the version is not lower than the last trusted copy.

{
  "signed": {
    "_type": "targets",
    "spec_version": "1.0.0",
    "version": 1,
    "expires": "2024-10-01T12:00:00Z",
    "targets": {
      "app-v1.2.3.tar.gz": {
        "hashes": {
          "sha256": "d6a770ba38583ed4bb4525bd96e50461655d2759a0f0c1b3e8d42f9b1c6d3e05"
        },
        "length": 123456
      }
    }
  },
  "signatures": [
    {
      "keyid": "8a8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f",
      "sig": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    }
  ]
}

Insecure Settings Example

The copy below is structurally the same file, but its hash and signature values do not verify: the signature check fails before the hash is ever compared, so a conforming client rejects it outright. The risk it illustrates is a client that trusts metadata because the filename, role and expiry look right while skipping signature or hash verification, or that verifies the signature against a key not assigned by root.

{
  "signed": {
    "_type": "targets",
    "spec_version": "1.0.0",
    "version": 1,
    "expires": "2024-10-01T12:00:00Z",
    "targets": {
      "app-v1.2.3.tar.gz": {
        "hashes": {
          "sha256": "incorrecthashvalue"
        },
        "length": 123456
      }
    }
  },
  "signatures": [
    {
      "keyid": "8a8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f",
      "sig": "invalidsignaturevalue"
    }
  ]
}
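The following Go program is an added example written for this page; it is not code from the page or from any TUF implementation. It builds and signs a targets file shaped like the secure example above, then applies the client-side checks the definition describes (threshold of distinct trusted keys, role type, expiry, and per-target length and sha256) and rejects the kinds of tampering the insecure example shows. Assumptions, all mine: the Ed25519 key is generated in-process rather than taken from root metadata; KeyID is hex(sha256(raw key)) rather than the hash of the canonical key object; canonicalization reuses Go's encoding/json on a decoded map rather than an OLPC canonical-JSON encoder; the artifact bytes are a constructed stand-in; and the function names are not from any library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Targets-role metadata, shaped like the JSON examples on this page.
type TargetInfo struct {
	Hashes map[string]string `json:"hashes"`
	Length int64             `json:"length"`
}
type Signed struct {
	Type        string                `json:"_type"`
	SpecVersion string                `json:"spec_version"`
	Version     int                   `json:"version"`
	Expires     string                `json:"expires"`
	Targets     map[string]TargetInfo `json:"targets"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Metadata struct {
	Signed     json.RawMessage `json:"signed"` // kept raw so the verifier re-canonicalizes exactly what was signed
	Signatures []Signature     `json:"signatures"`
}

// canonicalBytes re-encodes "signed" with sorted keys and no whitespace (assumption: Go's encoder, not OLPC canonical JSON).
func canonicalBytes(raw []byte) ([]byte, error) {
	var v map[string]interface{}
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	return json.Marshal(v)
}

// KeyID is hex(sha256(raw public key)); real TUF hashes the canonical key object instead (assumption).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignTargets records one artifact's sha256 and byte length and signs the envelope.
func SignTargets(name string, data []byte, expires string, priv ed25519.PrivateKey) ([]byte, error) {
	sum := sha256.Sum256(data)
	raw, _ := json.Marshal(Signed{Type: "targets", SpecVersion: "1.0.0", Version: 1, Expires: expires,
		Targets: map[string]TargetInfo{name: {Hashes: map[string]string{"sha256": hex.EncodeToString(sum[:])}, Length: int64(len(data))}}})
	canon, _ := canonicalBytes(raw) // raw came from our own struct, so it is valid JSON
	sig := Signature{KeyID: KeyID(priv.Public().(ed25519.PublicKey)), Sig: hex.EncodeToString(ed25519.Sign(priv, canon))}
	return json.Marshal(Metadata{Signed: raw, Signatures: []Signature{sig}})
}

// VerifyTargets accepts the envelope only if enough distinct trusted keys signed it, the role is "targets", and it has not expired.
func VerifyTargets(meta []byte, trusted map[string]ed25519.PublicKey, threshold int, now time.Time) (*Signed, error) {
	var m Metadata
	err := json.Unmarshal(meta, &m)
	canon, cerr := canonicalBytes(m.Signed)
	if err != nil || cerr != nil {
		return nil, fmt.Errorf("malformed metadata envelope")
	}
	valid := map[string]bool{} // distinct keyids: one key signing twice must not meet a threshold of 2
	for _, s := range m.Signatures {
		pub, ok := trusted[s.KeyID] // unknown keyids are ignored, never counted
		if sig, err := hex.DecodeString(s.Sig); ok && err == nil && ed25519.Verify(pub, canon, sig) {
			valid[s.KeyID] = true
		}
	}
	if len(valid) < threshold {
		return nil, fmt.Errorf("%d valid signature(s), need %d", len(valid), threshold)
	}
	var signed Signed
	if err := json.Unmarshal(m.Signed, &signed); err != nil || signed.Type != "targets" {
		return nil, fmt.Errorf("not well-formed targets metadata")
	}
	if exp, err := time.Parse(time.RFC3339, signed.Expires); err != nil || !now.Before(exp) {
		return nil, fmt.Errorf("expired or malformed expiry %q", signed.Expires)
	}
	return &signed, nil
}

// VerifyTarget checks downloaded bytes against the signed length and sha256.
func VerifyTarget(signed *Signed, name string, data []byte) error {
	info, ok := signed.Targets[name]
	if !ok {
		return fmt.Errorf("target %q not in metadata", name)
	}
	if int64(len(data)) != info.Length { // length first: stops endless-data before hashing
		return fmt.Errorf("length %d, expected %d", len(data), info.Length)
	}
	if sum := sha256.Sum256(data); info.Hashes["sha256"] != hex.EncodeToString(sum[:]) {
		return fmt.Errorf("sha256 mismatch for %q", name)
	}
	return nil
}
```

Two design points matter in practice. First, the signature is verified over a re-canonicalized copy of the raw "signed" object, never over the pretty-printed bytes on disk, so whitespace and key order cannot change the outcome; for interoperability with other TUF clients, replace canonicalBytes with a real OLPC canonical-JSON encoder, since Go's encoding/json additionally escapes <, > and &. Second, VerifyTargets counts distinct trusted keyids and ignores signatures from keys it does not know, which is what makes a threshold meaningful. A complete client also takes the trusted keys and threshold from verified root metadata, rejects a version lower than its last trusted copy, and reaches the targets file only through the timestamp and snapshot roles.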