@@ -3,7 +3,7 @@ Title: The Update Framework Specification
33Shortname: TUF
44Status: LS
55Abstract: A framework for securing software update systems.
6- Date: 2022-04-08
6+ Date: 2022-04-28
77Editor: Justin Cappos, NYU
88Editor: Trishank Karthik Kuppusamy, Datadog
99Editor: Joshua Lock, VMware
@@ -16,7 +16,7 @@ Boilerplate: copyright no, conformance no
1616Local Boilerplate: header yes
1717Markup Shorthands: css no, markdown yes
1818Metadata Include: This version off, Abstract off
19- Text Macro: VERSION 1.0.29
19+ Text Macro: VERSION 1.0.30
2020</pre >
2121
2222Note: We strive to make the specification easy to implement, so if you come
@@ -1315,12 +1315,13 @@ it in the next step.
13151315 and report the signature failure.
13161316
131713175 . ** Check for a rollback attack.** The version number of the trusted
1318- root metadata file (version N) MUST be less than or equal to the version
1318+ root metadata file (version N) MUST be less than the version
13191319 number of the new root metadata file (version N+1). Effectively, this means
13201320 checking that the version number signed in the new root metadata file is
1321- indeed N+1. If the version of the new root metadata file is less than the
1322- trusted metadata file, discard it, abort the update cycle, and report the
1323- rollback attack.
1321+ indeed N+1. If the version of the new root metadata file is less than the version
1322+ of the trusted metadata file, discard it, abort the update cycle, and report the
1323+ rollback attack. In case they are equal, again discard the new root metadata, but
1324+ proceed the update cycle with the already trusted root metadata.
13241325
132513266 . Note that the expiration of the new (intermediate) root metadata
13261327 file does not matter yet, because we will check for it in step 5.3.10.
@@ -1361,21 +1362,25 @@ it in the next step.
13611362
136213632 . ** Check for an arbitrary software attack.** The new timestamp
13631364 metadata file MUST have been signed by a threshold of keys specified in the
1364- trusted root metadata file. If the new timestamp metadata file is not
1365+ trusted root metadata file. If the new timestamp metadata file is not
13651366 properly signed, discard it, abort the update cycle, and report the signature
13661367 failure.
13671368
136813693 . ** Check for a rollback attack.**
13691370
13701371 1 . The version number of the trusted timestamp metadata file, if
1371- any, MUST be less than or equal to the version number of the new timestamp
1372- metadata file. If the new timestamp metadata file is older than the
1373- trusted timestamp metadata file, discard it, abort the update cycle, and
1374- report the potential rollback attack.
1372+ any, MUST be less than the version number of the new timestamp
1373+ metadata file. If the new timestamp metadata version is less than the trusted
1374+ timestamp metadata version, discard it, abort the update cycle, and
1375+ report the potential rollback attack. In case they are equal, discard the new
1376+ timestamp metadata and abort the update cycle. This is normal and it
1377+ shouldn't raise any error. The reason for aborting the update process is that
1378+ there shouldn't be any changes in the content of this, or any other metadata
1379+ files too, considering it has the same version as the already trusted one.
13751380
13761381 2 . The version number of the snapshot metadata file in the
13771382 trusted timestamp metadata file, if any, MUST be less than or equal to its
1378- version number in the new timestamp metadata file. If not, discard the new
1383+ version number in the new timestamp metadata file. If not, discard the new
13791384 timestamp metadata file, abort the update cycle, and report the failure.
13801385
138113864 . ** Check for a freeze attack.** The expiration timestamp in the
0 commit comments