add a new UAPI.16 File Manifest spec

poettering · poettering · commit 914c9f6b983d · 2026-04-22T16:52:52.000+02:00
diff --git a/specs/file-manifest.md b/specs/file-manifest.md
@@ -0,0 +1,270 @@
+---
+title: UAPI.16 File Manifest
+layout: posts
+version: 1.0
+weight: 6
+aliases:
+- /UAPI.16
+- /16
+---
+
+# UAPI.16 File Manifest
+
+| Version | Changes         |
+|---------|-----------------|
+| 1.0     | Initial Release |
+
+This format stores information about static, immutable data resources that can be acquired over the network
+and stored on a disk.
+
+This manifest file format is inspired by the traditional UNIX `SHA256SUMS` and BSD `mtree(5)` file formats,
+but has a larger set of features:
+
+1. It allows declaring the encoding of data files (i.e. `gzip` compression and suchlike).
+2. It allows referencing remote URLs as source for acquiring file data.
+3. It allows inline specification of file data (suitable for short data only).
+4. It allows referencing arbitrary local files as source for acquiring file data.
+5. It allows extracting data "slices" from data sources, via offset and range.
+6. It may store both encoded and decoded data sizes.
+7. Various fields of additional per-file metadata may be defined, including various fields for GPT partition table metadata.
+8. It's an extensible format permitting vendors and projects to add their own per-file and per-manifest fields.
+
+This format is designed with tools such as `mkosi` and `systemd-sysupdate` in mind, but it's intended to be
+generally useful as a way to describe collections of files that may be acquired over the network or from
+local storage, and verified cryptographically.
+
+## Manifest File Name and Media Type
+
+When stored in a file system directory – alongside the data files it references – the manifest file should be
+named `Uapi16ManifestFile`.
+
+Similarly, when placed on an HTTP server it's a good idea to name the last component of the URL
+`/Uapi16ManifestFile`, however this is just a suggestion in order to minimize surprises and maximize
+discoverability.
+
+When served via an HTTP server it's recommended to use the media type `application/vnd.uapi.16.file.manifest`.
+
+## Manifest Object
+
+This is the top-level object for a manifest file. It's designed to be
+extensible and self-identifies as a manifest.
+
+```json
+{
+        "mediaType" : "application/vnd.uapi.16.file.manifest",
+        "files" : [ … ]
+}
+```
+
+### Notes
+
+The `files` field is an array of file objects, see below.
+
+Files may appear in any order in the manifest, but it's recommended to sort them alphabetically by their name.
+
+The `name` fields of file objects are supposed to be uniquely assigned within each manifest file.
+
+## File Object
+
+This is an object that encodes information about an individual file.
+
+```json
+{
+        "name" : "…",
+        "dataEncoding" : "gzip",
+        "encodedDataSize" : 2011,
+        "dataSize" : 4711,
+        "dataFile" : "…",
+        "dataUrl" : "http://…",
+        "dataLiteral" : "TmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXAsIG5ldmVyIGdvbm5hIGxldCB5b3UgZG93bg==",
+        "sliceOffset" : 22,
+        "sliceSize" : 33,
+        "sha256" : "…",
+        "gptLabel" : "…",
+        "gptTypeUuid" : "…",
+        "gptFlagNoAuto" : true,
+        "gptFlagGrowFileSystem" : true,
+        "readOnly" : true,
+        "validAfterUSec": 4711,
+        "validBeforeUSec" : 4711,
+        "tags" : ["tag1", "tag2", …],
+        "revoked" : false,
+        "steppingStone": false,
+}
+```
+
+### Notes
+
+All fields but `name` are optional. If a field shall not be set it can either be set to `null` or simply
+omitted in the JSON object, both ways shall be considered equivalent.
+
+If not otherwise indicated all fields are supposed to be of type string.
+
+The `name` must be a valid UTF-8 POSIX filename, may not contain control characters (ASCII 0…31, 127), may
+not contain a slash, and may not be identical to "`.`", "`..`", "``" (but may contain these strings). It may
+have a maximum length of 255 bytes. Files whose names do not match these rules cannot be encoded in manifest
+files defined by this specification.
+
+Only one of `dataFile`, `dataUrl`, `dataLiteral` should be set. `dataFile` references a file in the same
+place as the manifest file itself, `dataUrl` a full URL, and `dataLiteral` inline Base64. `dataUrl` may use
+`http://…` and `https://…` schemes only.
+
+`dataSize` is the size of the decoded blob, `encodedDataSize` of the encoded blob. If `dataEncoding` is not
+specified, `encodedDataSize` should not be specified. Both are unsigned integer type.
+
+`dataEncoding` should use the same encoding specifiers as HTTP.
+
+`sliceOffset`, `sliceSize` (unsigned integers) are applied to the *decoded* data blob (i.e. after
+decompression). If not specified explicitly, they should default to a zero offset, and a slice size equal to
+the full decoded size.
+
+`sha256` is the SHA256 hash of the specified slice, formatted in 64 hexadecimal characters. Parsers should
+parse this case-insensitively.
+
+The `gpt*` fields encode fields that we need when placing these resources in a GPT partition table entry. The
+`gptFlag*` fields are of boolean type. The `gptTypeUuid` field takes a UUID in traditional string formatting.
+
+The `gptLabel` field may not be longer than 72 characters. If `gptLabel` is unspecified, and the data is
+written to a GPT partition it should use the value of `name` as label instead. Note that this might require
+mangling, as GPT partition labels have smaller size limits than file names.
+
+`readOnly` (a boolean) is relevant for initializing the read-only bit of GPT partition table entries. It
+should also be reflected in the POSIX 'w' access mode bit when storing the data in a regular file on disk. If
+unspecified, defaults to false.
+
+`valid*USec` is in µs since UNIX epoch UTC, and shall be an unsigned integer. It defines a validity time
+window of the resource. The data should not be accessed or consumed outside of the specified time window. If
+`validAfterUSec` is not specified it should default to 0, if `validBeforeUSec` is not specified it should
+default to the largest supported unsigned integer value.
+
+If neither `dataFile`, nor `dataUrl`, nor `dataLiteral` are specified, the `name` field should be used as
+fallback equivalent to it being repeated in `dataFile`.
+
+`dataLiteral` may be encoded either in regular Base64 or in URL-safe Base64, consumers must be able to deal
+with either.
+
+`tags` is an array of arbitrary usecase-specific strings. This may be used for filtering, for example to
+categorize files in various ways (for example, files could be tagged "unstable", "stable", "lto", to indicate
+stability levels, or similar).
+
+`revoked` is a boolean. If true, the file should not be requested anymore, and if it has been acquired
+before, appropriate steps should be taken to invalidate/remove it from use, if possible (details are
+implementation-specific). If unspecified, defaults to `false`.
+
+`steppingStone` is a boolean, defaulting to `false`. When this manifest file is processed by a software
+update tool, and lists multiple versions of the same resource in individual files, then the update tool
+should ensure that files where this property is set to `true` are never skipped for version updates, and
+installed and activated before considering any later versions of the same resource.
+
+Additional hash algorithms may be defined in future.
+
+Sizes, offsets, timestamps shall use positive integer JSON numbers, and may use values above 2⁵³. (This means
+– strictly speaking – the format cannot be processed losslessly by JSON parsers that exclusively use 64bit
+floating point for JSON numbers, if there are any files of such excessive sizes. Since it's unlikely that
+files included in a UAPI.16 manifest file are this large this should not be a practical limitation.)
+
+## Relationship to SHA256SUMS
+
+A UAPI manifest file that only uses the fields `name` and `sha256` can be mapped 1:1 to a SHA256SUMS file
+and back.
+
+## Relationship to `mtree(5)`
+
+Manifests following this specification should be mappable 1:1 to
+[`mtree(5)`](https://man.freebsd.org/cgi/man.cgi?mtree(5)) as long as:
+
+1. Only the `name`, `dataSize`, `sha256` fields are used in the files objects, as per this specification.
+
+2. Only the `size`, `sha256` fields are used in the `mtree(5)` files, as well as `type` is set to
+   `file`. Only regular filenames may be specified as path, i.e. no `/` may be included.
+
+## Acquiring a File Remotely
+
+When acquiring a file listed in a UAPI.16 File Manifest from a web service, the following logic should be
+implemented.
+
+1. If `revoked` is set to true, the download should immediately fail.
+2. If `validAfterUSec` is set and greater than the current time, the download should immediately fail.
+3. If `validBeforeUSec` is set and lower than the current time, the download should immediately fail.
+4. If `dataLiteral` is set, it should be Base64 decoded, continue in step 8.
+5. Otherwise, if `dataUrl` is set, the data from the URL should be acquired, continue in step 8.
+6. Otherwise, if `dataFile` is set, the data should be acquired from the same URL as the manifest itself, however with the last component of the URL replaced by the file name encoded in `dataFile`, following the same semantics as HTML relative links. Continue in step 8.
+7. Otherwise, the data should be acquired as in step 5, but the `name` string should be used as file name to suffix the URL with.
+8. If `encodedDataSize` or `dataSize` are set: the size of the downloaded data shall be checked against `encodedDataSize` (if set) or `dataSize` (otherwise).
+9. If `dataEncoding` is set: the downloaded data shall be decoded according to the algorithm indicated in `dataEncoding`.
+10. If `dataSize` is set: the resulting decoded data shall be checked against `dataSize`.
+11. The byte range indicated by `sliceOffset` (if not set: 0) and `sliceSize` (if not set, to the end of the file) shall be extracted from the decoded data.
+12. The hash of the extracted data shall be matched against the hash encoded in `sha256` (if set).
+
+If all these steps succeed the extracted data from step 11 is the result of the operation.
+
+Of course, many of the steps described above should typically be done together rather than serially for
+robustness, efficiency and security reasons. For example, if `dataEncoding` is not used, it is recommended to
+include the `sliceOffset` and `sliceSize` fields in HTTP range request fields already (in order to avoid
+downloading redundant data). Moreover, downloads should fail immediately once the encoded or decoded data
+goes beyond the indicated encoded or decoded data sizes. Then, the decoding should be done on-the-fly while
+the data is downloaded, and the checksum should be calculated on-the-fly too.
+
+## Extensibility
+
+Additional fields can be defined freely by implementors. Each such extension field should be named in the
+style of `x<Vendor>Foobar` to minimize risk of conflicts. Example `xAmutableFrobnicator` or
+`xMyProjectWeight`.
+
+## Future Revisions
+
+This specification is intended to be incrementally improved. Additional fields may be defined at any time,
+with additional, optional metadata. Should a breaking change be necessary the media type will be changed.
+
+A number of future extensions are envisioned:
+
+* Inline cryptographic signatures
+
+## Example
+
+```json
+{
+    "mediaType" : "application/vnd.uapi.manifest",
+    "files" : [
+        {
+            "name" : "FooOS.raw",
+            "dataEncoding": "gzip",
+            "encodedDataSize": 5642649603,
+            "dataSize" : 7523532800,
+            "sha256" : "922a9bae0e02b4ffac3e5ed5054230d0689b9c2e25b0178ba82b925f2a0c3e48",
+            "validBeforeUSec" : 1776856773123234
+        },
+        {
+            "name" : "FooOS_esp.raw",
+            "dataFile" : "FooOS.raw",
+            "dataEncoding": "gzip",
+            "encodedDataSize": 5642649603,
+            "dataSize" : 7523532800,
+            "sliceOffset" : 2097152,
+            "sliceSize" : 149175808,
+            "gptLabel" : "EFI System Partition",
+            "gptTypeUuid" : "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
+            "sha256" : "5dcfd837a4868550cc61c256d9567a974e32a20985afa9e100b8b96755a20cae",
+            "validBeforeUSec" : 1776856773123234
+        },
+        {
+            "name" : "FooOS_root.raw",
+            "dataFile" : "FooOS.raw",
+            "dataEncoding": "gzip",
+            "encodedDataSize": 5642649603,
+            "dataSize" : 7523532800,
+            "sliceOffset" : 351272960,
+            "sliceSize" : 234003200,
+            "sha256" : "00b70a0813e15f309828d3a36156283cba87576c26755e0b2d4cf0951eff8163",
+            "gptLabel" : "FooOS_root",
+            "gptTypeUuid": "4f68bce3-e8cd-4db1-96e7-fbcaf984b709",
+            "readOnly": true,
+            "validBeforeUSec" : 1776856773123234
+        }
+    ]
+}
+```
+
+The above provides three separate files `FooOS.raw`, `FooOS-esp.raw`, `FooOS-root.raw`. The latter two are
+defined as slices of the former, each encapsulating an individual partition. The data file is encoded via
+`gzip`.
