Questo contenuto non è disponibile nella lingua selezionata.

Chapter 3. Updating The Update Framework metadata files


By default, The Update Framework (TUF) metadata files expire after 52 weeks from the deployment date of a Securesign instance. At a minimum, you have to update the TUF metadata files at least once every 52 weeks before they expire. Red Hat recommends updating the metadata files more often than once a year.

This procedure walks you through refreshing the root, and non-root metadata files.

Prerequisites

  • Installation of the RHTAS operator running on Red Hat OpenShift Container Platform.
  • A running Securesign instance.
  • A workstation with the oc binary installed.

Procedure

  1. Download the tuftool binary from the OpenShift cluster to your workstation.

    Important

    The tuftool binary is only available for Linux operating systems.

    1. From the home page, click the ? icon, click Command line tools, go to the tuftool download section, and click the link for your platform.
    2. Open a terminal on your workstation, decompress the binary .gz file, and set the execute bit:

      Example

      $ gunzip tuftool-amd64.gz
      $ chmod +x tuftool-amd64

    3. Move and rename the binary to a location within your $PATH environment:

      Example

      $ sudo mv tuftool-amd64 /usr/local/bin/tuftool

  2. Log in to OpenShift from the command line:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  3. Switch to the RHTAS project:

    Example

    $ oc project trusted-artifact-signer

  4. Configure your shell environment:

    Example

    $ export WORK="${HOME}/trustroot-example"
    $ export ROOT="${WORK}/root/root.json"
    $ export KEYDIR="${WORK}/keys"
    $ export INPUT="${WORK}/input"
    $ export TUF_REPO="${WORK}/tuf-repo"
    $ export TUF_SERVER_POD="$(oc get pod --selector=app.kubernetes.io/component=tuf --no-headers -o custom-columns=":metadata.name")"
    
    $ export TIMESTAMP_EXPIRATION="in 10 days"
    $ export SNAPSHOT_EXPIRATION="in 26 weeks"
    $ export TARGETS_EXPIRATION="in 26 weeks"
    $ export ROOT_EXPIRATION="in 26 weeks"

    Set the expiration durations according to your requirements.

  5. Create a temporary TUF directory structure:

    Example

    $ mkdir -p "${WORK}/root/" "${KEYDIR}" "${INPUT}" "${TUF_REPO}"

  6. Download the TUF contents to the temporary TUF directory structure:

    Example

    $ oc extract --to "${KEYDIR}/" secret/tuf-root-keys
    $ oc cp "${TUF_SERVER_POD}:/var/www/html" "${TUF_REPO}"
    $ cp "${TUF_REPO}/root.json" "${ROOT}"

  7. You can update the timestamp, snapshot, and targets metadata all in one command:

    Example

    $ tuftool update \
      --root "${ROOT}" \
      --key "${KEYDIR}/timestamp.pem" \
      --key "${KEYDIR}/snapshot.pem" \
      --key "${KEYDIR}/targets.pem" \
      --timestamp-expires "${TIMESTAMP_EXPIRATION}" \
      --snapshot-expires "${SNAPSHOT_EXPIRATION}" \
      --targets-expires "${TARGETS_EXPIRATION}" \
      --outdir "${TUF_REPO}" \
      --metadata-url "file://${TUF_REPO}"

    Note

    You can also run the TUF metadata update on a subset of TUF metadata files. For example, the timestamp.json metadata file expires more often than the other metadata files. Therefore, you can just update the timestamp metadata file by running the following command:

    $ tuftool update \
      --root "${ROOT}" \
      --key "${KEYDIR}/timestamp.pem" \
      --timestamp-expires "${TIMESTAMP_EXPIRATION}" \
      --outdir "${TUF_REPO}" \
      --metadata-url "file://${TUF_REPO}"
  8. Only update the root expiration date if it is about to expire:

    Example

    $ tuftool root expire "${ROOT}" "${ROOT_EXPIRATION}"

    Note

    You can skip this step if the root file is not close to expiring.

  9. Update the root version:

    Example

    $ tuftool root bump-version "${ROOT}"

  10. Sign the root metadata file again:

    Example

    $ tuftool root sign "${ROOT}" -k "${KEYDIR}/root.pem"

  11. Set the new root version, and copy the root metadata file in place:

    Example

    $ export NEW_ROOT_VERSION=$(cat "${ROOT}" | jq -r ".signed.version")
    $ cp "${ROOT}" "${TUF_REPO}/root.json"
    $ cp "${ROOT}" "${TUF_REPO}/${NEW_ROOT_VERSION}.root.json"

  12. Upload these changes to the TUF server:

    Example

    $ oc rsync "${TUF_REPO}/" "${TUF_SERVER_POD}:/var/www/html"

Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.