SupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 3. Updating The Update Framework metadata files

By default, The Update Framework (TUF) metadata files expire after 52 weeks from the deployment date of a Securesign instance. At a minimum, you have to update the TUF metadata files at least once every 52 weeks before they expire. Red Hat recommends updating the metadata files more often than once a year.

This procedure walks you through refreshing the root, and non-root metadata files.

Prerequisites

  • Installation of the RHTAS operator running on Red Hat OpenShift Container Platform.
  • A running Securesign instance.
  • A workstation with the oc binary installed.

Procedure

  1. Download the tuftool binary from the OpenShift cluster to your workstation.

    Important

    The tuftool binary is only available for Linux operating systems.

    1. From the home page, click the ? icon, click Command line tools, go to the tuftool download section, and click the link for your platform.

    2. Open a terminal on your workstation, decompress the binary .gz file, and set the execute bit:

      Example

      $ gunzip tuftool-amd64.gz
$ chmod +x tuftool-amd64

    3. Move and rename the binary to a location within your $PATH environment:

      Example

      $ sudo mv tuftool-amd64 /usr/local/bin/tuftool

  2. Log in to OpenShift from the command line:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  3. Switch to the RHTAS project:

    Example

    $ oc project trusted-artifact-signer

  4. Configure your shell environment:

    Example

    $ export WORK="${HOME}/trustroot-example"
$ export ROOT="${WORK}/root/root.json"
$ export KEYDIR="${WORK}/keys"
$ export INPUT="${WORK}/input"
$ export TUF_REPO="${WORK}/tuf-repo"
$ export TUF_SERVER_POD="$(oc get pod --selector=app.kubernetes.io/component=tuf --no-headers -o custom-columns=":metadata.name")"

$ export TIMESTAMP_EXPIRATION="in 10 days"
$ export SNAPSHOT_EXPIRATION="in 26 weeks"
$ export TARGETS_EXPIRATION="in 26 weeks"
$ export ROOT_EXPIRATION="in 26 weeks"

    Set the expiration durations according to your requirements.

  5. Create a temporary TUF directory structure:

    Example

    $ mkdir -p "${WORK}/root/" "${KEYDIR}" "${INPUT}" "${TUF_REPO}"

  6. Download the TUF contents to the temporary TUF directory structure:

    Example

    $ oc extract --to "${KEYDIR}/" secret/tuf-root-keys
$ oc cp "${TUF_SERVER_POD}:/var/www/html" "${TUF_REPO}"
$ cp "${TUF_REPO}/root.json" "${ROOT}"

  7. You can update the timestamp, snapshot, and targets metadata all in one command:

    Example

    $ tuftool update \
  --root "${ROOT}" \
  --key "${KEYDIR}/timestamp.pem" \
  --key "${KEYDIR}/snapshot.pem" \
  --key "${KEYDIR}/targets.pem" \
  --timestamp-expires "${TIMESTAMP_EXPIRATION}" \
  --snapshot-expires "${SNAPSHOT_EXPIRATION}" \
  --targets-expires "${TARGETS_EXPIRATION}" \
  --outdir "${TUF_REPO}" \
  --metadata-url "file://${TUF_REPO}"

    Note

    You can also run the TUF metadata update on a subset of TUF metadata files. For example, the timestamp.json metadata file expires more often than the other metadata files. Therefore, you can just update the timestamp metadata file by running the following command: 

    $ tuftool update \
  --root "${ROOT}" \
  --key "${KEYDIR}/timestamp.pem" \
  --timestamp-expires "${TIMESTAMP_EXPIRATION}" \
  --outdir "${TUF_REPO}" \
  --metadata-url "file://${TUF_REPO}"

  8. Only update the root expiration date if it is about to expire:

    Example

    $ tuftool root expire "${ROOT}" "${ROOT_EXPIRATION}"

    Note

    You can skip this step if the root file is not close to expiring.

  9. Update the root version:

    Example

    $ tuftool root bump-version "${ROOT}"

  10. Sign the root metadata file again:

    Example

    $ tuftool root sign "${ROOT}" -k "${KEYDIR}/root.pem"

  11. Set the new root version, and copy the root metadata file in place:

    Example

    $ export NEW_ROOT_VERSION=$(cat "${ROOT}" | jq -r ".signed.version")
$ cp "${ROOT}" "${TUF_REPO}/root.json"
$ cp "${ROOT}" "${TUF_REPO}/${NEW_ROOT_VERSION}.root.json"

  12. Upload these changes to the TUF server:

    Example

    $ oc rsync "${TUF_REPO}/" "${TUF_SERVER_POD}:/var/www/html"

Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.