Skip to content

Validate snapshot versions in timestamp, targets versions in snapshot#418

Open
erickt wants to merge 3 commits into
theupdateframework:developfrom
erickt:snapshot
Open

Validate snapshot versions in timestamp, targets versions in snapshot#418
erickt wants to merge 3 commits into
theupdateframework:developfrom
erickt:snapshot

Conversation

@erickt

@erickt erickt commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

This implements:

2.2.1. The version number of the trusted timestamp metadata file, if any, must be less than or equal to the version number of the new timestamp metadata file. If the new timestamp metadata file is older than the trusted timestamp metadata file, discard it, abort the update cycle, and report the potential rollback attack.

3.3.2. The version number of the targets metadata file, and all delegated targets metadata files (if any), in the trusted snapshot metadata file, if any, MUST be less than or equal to its version number in the new snapshot metadata file. Furthermore, any targets metadata filename that was listed in the trusted snapshot metadata file, if any, MUST continue to be listed in the new snapshot metadata file. If any of these conditions are not met, discard the new snapshot metadadata file, abort the update cycle, and report the failure.

Furthermore, it adds tests that:

  • make sure snapshot rollbacks in timestamp are prevented
  • make sure targets rollbacks in snapshot are prevented
  • that trusted target roles cannot be removed from snapshots in a normal update.
  • that we can remove a target role from snapshots with a root roll.

Fixes #294 and #295.

erickt added 3 commits July 7, 2026 13:35
This implements [TUF-1.0.5 §5.3.3.2], which states:

> The version number of the targets metadata file, and all
> delegated targets metadata files (if any), in the trusted snapshot metadata
> file, if any, MUST be less than or equal to its version number in the new
> snapshot metadata file. Furthermore, any targets metadata filename that was
> listed in the trusted snapshot metadata file, if any, MUST continue to be
> listed in the new snapshot metadata file.  If any of these conditions are
> not met, discard the new snapshot metadadata file, abort the update cycle,
> and report the failure.

Furthermore, it adds three tests to:

* make sure rollbacks are prevented
* that trusted target roles cannot be removed in a normal update.
* that we can remove a target role with a root roll.

Fixes theupdateframework#295.

[TUF-1.0.5 §5.3.3.2]: https://github.com/theupdateframework/specification/blob/39c80de07407bd4251ad823976dc4116a4b05043/tuf-spec.md?plain=1#L1210
This implements [TUF-1.0.5 §5.2.2.2], which states:

> The version number of the targets metadata file, and all
> delegated targets metadata files (if any), in the trusted snapshot metadata
> file, if any, MUST be less than or equal to its version number in the new
> snapshot metadata file. Furthermore, any targets metadata filename that was
> listed in the trusted snapshot metadata file, if any, MUST continue to be
> listed in the new snapshot metadata file.  If any of these conditions are
> not met, discard the new snapshot metadadata file, abort the update cycle,
> and report the failure.

Furthermore, it adds three tests to:

* make sure rollbacks are prevented
* that trusted target roles cannot be removed in a normal update.
* that we can remove a target role with a root roll.

Fixes theupdateframework#294.

[TUF-1.0.5 §5.2.2.2]: https://github.com/theupdateframework/specification/blob/39c80de07407bd4251ad823976dc4116a4b05043/tuf-spec.md?plain=1#L1163
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement checking for timestamp rollback of snapshot

1 participant