Commit 081e56a

committed
Clarify snapshot+targets metadata hash check
Update the client workflow to clarify that snapshot metadata hashes can only be checked if timestamp lists the optional hashes, and, similarly, targets metadata hashes can only be checked if snapshot lists the optional hashes.
1 parent d8dcf66 commit 081e56a

1 file changed: +10 -9 lines changed

tuf-spec.md

Lines changed: 10 additions & 9 deletions
@@ -1165,10 +1165,10 @@ the timestamp metadata file. In either case, the client MUST write the file to
11651165
non-volatile storage as FILENAME.EXT.
11661166

11671167
* **3.1**. **Check against timestamp metadata.** The hashes and version
1168-
number of the new snapshot metadata file MUST match the hashes and version
1169-
number listed in timestamp metadata. If hashes and version do not match,
1170-
discard the new snapshot metadata, abort the update cycle, and report the
1171-
failure.
1168+
number of the new snapshot metadata file MUST match the hashes (if any) and
1169+
version number listed in the trusted timestamp metadata. If hashes and
1170+
version do not match, discard the new snapshot metadata, abort the update
1171+
cycle, and report the failure.
11721172

11731173
* **3.2**. **Check signatures.** The new snapshot metadata file MUST have
11741174
been signed by a threshold of keys specified in the trusted root metadata
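Review bot: the rejection sentence at new lines 1169-1170, "If hashes and version do not match", still reads as though both fields are always present and both must mismatch, which sits awkwardly next to the new "hashes (if any)" qualifier at 1168. Suggest making the rejection condition explicit about the optional case and about either field alone being sufficient, e.g. "If the version number does not match, or if hashes are listed and do not match, discard the new snapshot metadata, abort the update cycle, and report the failure." The added "trusted" before "timestamp metadata" at 1169 is a good tightening, since it pins the comparison to the already-verified timestamp rather than whatever was just downloaded.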
@@ -1213,11 +1213,12 @@ VERSION_NUMBER is the version number of the targets metadata file listed in the
12131213
snapshot metadata file. In either case, the client MUST write the file to
12141214
non-volatile storage as FILENAME.EXT.
12151215

1216-
* **4.1**. **Check against snapshot metadata.** The hashes (if any), and
1217-
version number of the new targets metadata file MUST match the trusted
1218-
snapshot metadata. This is done, in part, to prevent a mix-and-match attack
1219-
by man-in-the-middle attackers. If the new targets metadata file does not
1220-
match, discard it, abort the update cycle, and report the failure.
1216+
* **4.1**. **Check against snapshot metadata.** The hashes and version
1217+
number of the new targets metadata file MUST match the hashes (if any) and
1218+
version number listed in the trusted snapshot metadata. This is done, in
1219+
part, to prevent a mix-and-match attack by man-in-the-middle attackers. If
1220+
the new targets metadata file does not match, discard it, abort the update
1221+
cycle, and report the failure.
12211222

12221223
* **4.2**. **Check for an arbitrary software attack.** The new targets
12231224
metadata file MUST have been signed by a threshold of keys specified in the
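Review bot: moving "(if any)" from the targets file's hashes (old 1216) to the hashes listed in the trusted snapshot metadata (new 1217) is the right placement, since the optionality is in what snapshot lists, not in what can be computed over the downloaded file; it also drops the stray comma in the old "The hashes (if any), and". One consistency point: the rejection clause here, "If the new targets metadata file does not match" (1219-1220), is the clearer form because it covers a mismatch of either the version number or any listed hashes, whereas 3.1 in the first hunk still says "If hashes and version do not match"; suggest aligning 3.1 to this phrasing so both steps state the same rule.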
