Chapter 3. Updating The Update Framework metadata files
By default, The Update Framework (TUF) metadata files expire after 52 weeks from the deployment date of a Securesign instance. At a minimum, you have to update the TUF metadata files at least once every 52 weeks before they expire. Red Hat recommends updating the metadata files more often than once a year.
This procedure walks you through refreshing the root, and non-root metadata files.
Prerequisites
- Installation of the RHTAS operator running on Red Hat OpenShift Container Platform.
- A running Securesign instance.
-
A workstation with the
ocbinary installed.
Procedure
Download the
tuftoolbinary from the OpenShift cluster to your workstation.ImportantThe
tuftoolbinary is only available for Linux operating systems.- From the home page, click the ? icon, click Command line tools, go to the tuftool download section, and click the link for your platform.
Open a terminal on your workstation, decompress the binary
.gzfile, and set the execute bit:Example
$ gunzip tuftool-amd64.gz $ chmod +x tuftool-amd64
Move and rename the binary to a location within your
$PATHenvironment:Example
$ sudo mv tuftool-amd64 /usr/local/bin/tuftool
Log in to OpenShift from the command line:
Syntax
oc login --token=TOKEN --server=SERVER_URL_AND_PORT
Example
$ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
NoteYou can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.
Switch to the RHTAS project:
Example
$ oc project trusted-artifact-signer
Configure your shell environment:
Example
$ export WORK="${HOME}/trustroot-example" $ export ROOT="${WORK}/root/root.json" $ export KEYDIR="${WORK}/keys" $ export INPUT="${WORK}/input" $ export TUF_REPO="${WORK}/tuf-repo" $ export TUF_SERVER_POD="$(oc get pod --selector=app.kubernetes.io/component=tuf --no-headers -o custom-columns=":metadata.name")" $ export TIMESTAMP_EXPIRATION="in 10 days" $ export SNAPSHOT_EXPIRATION="in 26 weeks" $ export TARGETS_EXPIRATION="in 26 weeks" $ export ROOT_EXPIRATION="in 26 weeks"Set the expiration durations according to your requirements.
Create a temporary TUF directory structure:
Example
$ mkdir -p "${WORK}/root/" "${KEYDIR}" "${INPUT}" "${TUF_REPO}"Download the TUF contents to the temporary TUF directory structure:
Example
$ oc extract --to "${KEYDIR}/" secret/tuf-root-keys $ oc cp "${TUF_SERVER_POD}:/var/www/html" "${TUF_REPO}" $ cp "${TUF_REPO}/root.json" "${ROOT}"You can update the timestamp, snapshot, and targets metadata all in one command:
Example
$ tuftool update \ --root "${ROOT}" \ --key "${KEYDIR}/timestamp.pem" \ --key "${KEYDIR}/snapshot.pem" \ --key "${KEYDIR}/targets.pem" \ --timestamp-expires "${TIMESTAMP_EXPIRATION}" \ --snapshot-expires "${SNAPSHOT_EXPIRATION}" \ --targets-expires "${TARGETS_EXPIRATION}" \ --outdir "${TUF_REPO}" \ --metadata-url "file://${TUF_REPO}"NoteYou can also run the TUF metadata update on a subset of TUF metadata files. For example, the
timestamp.jsonmetadata file expires more often than the other metadata files. Therefore, you can just update the timestamp metadata file by running the following command:$ tuftool update \ --root "${ROOT}" \ --key "${KEYDIR}/timestamp.pem" \ --timestamp-expires "${TIMESTAMP_EXPIRATION}" \ --outdir "${TUF_REPO}" \ --metadata-url "file://${TUF_REPO}"Only update the root expiration date if it is about to expire:
Example
$ tuftool root expire "${ROOT}" "${ROOT_EXPIRATION}"NoteYou can skip this step if the root file is not close to expiring.
Update the root version:
Example
$ tuftool root bump-version "${ROOT}"Sign the root metadata file again:
Example
$ tuftool root sign "${ROOT}" -k "${KEYDIR}/root.pem"Set the new root version, and copy the root metadata file in place:
Example
$ export NEW_ROOT_VERSION=$(cat "${ROOT}" | jq -r ".signed.version") $ cp "${ROOT}" "${TUF_REPO}/root.json" $ cp "${ROOT}" "${TUF_REPO}/${NEW_ROOT_VERSION}.root.json"Upload these changes to the TUF server:
Example
$ oc rsync "${TUF_REPO}/" "${TUF_SERVER_POD}:/var/www/html"
