Spec - 4.4 - Client parses snapshot.json with the length/hash of root.json (but not of other metadata) #14
Comments
@trishankkarthik I have a question about this part of the spec. Since it's not specified anywhere, do clients need to verify that the downloaded metadata matches the hash/size specified in snapshot.json / timestamp.json?
Hello, @heartsucker! Yes, we really do need to specify this in the TUF specification. I have tried clarifying the precise steps that a client update workflow entails in explaining full verification for Uptane. Even there, a few minor steps are missing. Let me try to recap the "complete" workflow here.
I think I got the basics, though I may have missed something (away at a conference on updates for IoT), so please let me know if you spot a mistake! Even here, some details are missing, such as:
Will expand over time...
@trishankkarthik Awesome, thanks for the detailed response!
No problem. Tracking the larger issue of adding more details in the spec in this PR. Let us know if there's anything else we can help with!
Note: work is on branch
Currently the internal API requires the hash/length to exist for all metadata. This breaks the spec (but was easy to write for the bootstrap period of this lib).
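An added example (not code from this project or from the TUF reference implementation) of the check discussed in this issue: verifying downloaded metadata bytes against their snapshot.json entry while treating `length` and `hashes` as optional for metadata other than root.json. The entry layout (`version`, optional `length`, optional `hashes`), the size cap and all function and constant names are assumptions for illustration.

```python
import hashlib
import hmac

SUPPORTED = {"sha256", "sha512"}
DEFAULT_MAX_LENGTH = 512 * 1024  # assumed cap when no length is listed


class MetadataMismatch(Exception):
    """Downloaded metadata does not match its snapshot.json entry."""


def verify_against_snapshot(name, data, snapshot_meta, max_length=DEFAULT_MAX_LENGTH):
    """Check raw metadata bytes against snapshot.json before parsing them.

    Returns the expected version, which the caller still has to compare
    with the version inside the signed, parsed file.
    """
    entry = snapshot_meta.get(name)
    if entry is None:
        raise MetadataMismatch(f"{name}: not listed in snapshot.json")

    # Length is optional: exact match when listed, otherwise only a size cap.
    length = entry.get("length")
    if length is not None and len(data) != length:
        raise MetadataMismatch(f"{name}: expected {length} bytes, got {len(data)}")
    if length is None and len(data) > max_length:
        raise MetadataMismatch(f"{name}: exceeds {max_length} byte cap")

    # Hashes are optional too, but listed hashes must not be silently skipped.
    hashes = entry.get("hashes") or {}
    usable = [alg for alg in hashes if alg in SUPPORTED]
    if hashes and not usable:
        raise MetadataMismatch(f"{name}: no supported hash algorithm listed")
    for alg in usable:
        digest = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(digest, hashes[alg].lower()):
            raise MetadataMismatch(f"{name}: {alg} mismatch")
    return entry["version"]


# Constructed sample data: root.json carries length/hash, targets.json only a version.
ROOT = b'{"signed": {"_type": "root", "version": 3}}'
TARGETS = b'{"signed": {"_type": "targets", "version": 7}}'
SNAPSHOT_META = {
    "root.json": {"version": 3, "length": len(ROOT),
                  "hashes": {"sha256": hashlib.sha256(ROOT).hexdigest()}},
    "targets.json": {"version": 7},
}

if __name__ == "__main__":
    for fname, blob in (("root.json", ROOT), ("targets.json", TARGETS)):
        print(fname, "ok, version", verify_against_snapshot(fname, blob, SNAPSHOT_META))
```

This check runs on the raw bytes before parsing; signature verification and the version comparison against the parsed file remain separate steps.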