Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 3. Updating The Update Framework metadata files


By default, The Update Framework (TUF) metadata files expire after 52 weeks from the deployment date of a Securesign instance. At a minimum, you have to update the TUF metadata files at least once every 52 weeks before they expire. Red Hat recommends updating the metadata files more often than once a year.

This procedure walks you through refreshing the root, and non-root metadata files.

Prerequisites

  • Installation of the RHTAS operator running on Red Hat OpenShift Container Platform.
  • A running Securesign instance.
  • A workstation with the oc binary installed.

Procedure

  1. Download the tuftool binary from the OpenShift cluster to your workstation.

    Important

    The tuftool binary is only available for Linux operating systems.

    1. From the home page, click the ? icon, click Command line tools, go to the tuftool download section, and click the link for your platform.
    2. Open a terminal on your workstation, decompress the binary .gz file, and set the execute bit:

      Example

      $ gunzip tuftool-amd64.gz
      $ chmod +x tuftool-amd64

    3. Move and rename the binary to a location within your $PATH environment:

      Example

      $ sudo mv tuftool-amd64 /usr/local/bin/tuftool

  2. Log in to OpenShift from the command line:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  3. Switch to the RHTAS project:

    Example

    $ oc project trusted-artifact-signer

  4. Configure your shell environment:

    Example

    $ export WORK="${HOME}/trustroot-example"
    $ export ROOT="${WORK}/root/root.json"
    $ export KEYDIR="${WORK}/keys"
    $ export INPUT="${WORK}/input"
    $ export TUF_REPO="${WORK}/tuf-repo"
    $ export TUF_SERVER_POD="$(oc get pod --selector=app.kubernetes.io/component=tuf --no-headers -o custom-columns=":metadata.name")"
    
    $ export TIMESTAMP_EXPIRATION="in 10 days"
    $ export SNAPSHOT_EXPIRATION="in 26 weeks"
    $ export TARGETS_EXPIRATION="in 26 weeks"
    $ export ROOT_EXPIRATION="in 26 weeks"

    Set the expiration durations according to your requirements.

  5. Create a temporary TUF directory structure:

    Example

    $ mkdir -p "${WORK}/root/" "${KEYDIR}" "${INPUT}" "${TUF_REPO}"

  6. Download the TUF contents to the temporary TUF directory structure:

    Example

    $ oc extract --to "${KEYDIR}/" secret/tuf-root-keys
    $ oc cp "${TUF_SERVER_POD}:/var/www/html" "${TUF_REPO}"
    $ cp "${TUF_REPO}/root.json" "${ROOT}"

  7. You can update the timestamp, snapshot, and targets metadata all in one command:

    Example

    $ tuftool update \
      --root "${ROOT}" \
      --key "${KEYDIR}/timestamp.pem" \
      --key "${KEYDIR}/snapshot.pem" \
      --key "${KEYDIR}/targets.pem" \
      --timestamp-expires "${TIMESTAMP_EXPIRATION}" \
      --snapshot-expires "${SNAPSHOT_EXPIRATION}" \
      --targets-expires "${TARGETS_EXPIRATION}" \
      --outdir "${TUF_REPO}" \
      --metadata-url "file://${TUF_REPO}"

    Note

    You can also run the TUF metadata update on a subset of TUF metadata files. For example, the timestamp.json metadata file expires more often than the other metadata files. Therefore, you can just update the timestamp metadata file by running the following command:

    $ tuftool update \
      --root "${ROOT}" \
      --key "${KEYDIR}/timestamp.pem" \
      --timestamp-expires "${TIMESTAMP_EXPIRATION}" \
      --outdir "${TUF_REPO}" \
      --metadata-url "file://${TUF_REPO}"
  8. Only update the root expiration date if it is about to expire:

    Example

    $ tuftool root expire "${ROOT}" "${ROOT_EXPIRATION}"

    Note

    You can skip this step if the root file is not close to expiring.

  9. Update the root version:

    Example

    $ tuftool root bump-version "${ROOT}"

  10. Sign the root metadata file again:

    Example

    $ tuftool root sign "${ROOT}" -k "${KEYDIR}/root.pem"

  11. Set the new root version, and copy the root metadata file in place:

    Example

    $ export NEW_ROOT_VERSION=$(cat "${ROOT}" | jq -r ".signed.version")
    $ cp "${ROOT}" "${TUF_REPO}/root.json"
    $ cp "${ROOT}" "${TUF_REPO}/${NEW_ROOT_VERSION}.root.json"

  12. Upload these changes to the TUF server:

    Example

    $ oc rsync "${TUF_REPO}/" "${TUF_SERVER_POD}:/var/www/html"

Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.