add a new UAPI.16 File Manifest spec

poettering · poettering · commit f4a161c0f3b5 · 2026-04-22T13:32:51.000+02:00
diff --git a/specs/file-manifest.md b/specs/file-manifest.md
@@ -0,0 +1,219 @@
+---
+title: UAPI.16 File Manifests
+layout: posts
+version: 1.0
+weight: 6
+aliases:
+- /UAPI.16
+- /16
+---
+
+# UAPI.16 File Manifest
+
+| Version | Changes         |
+|---------|-----------------|
+| 1.0     | Initial Release |
+
+This format stores information about static, immutable data resources that can be acquired and stored on a
+POSIX file system or written to a GPT disk partition.
+
+This manifest file format is inspired by the traditional UNIX `SHA256SUMS` and BSD `mtree(5)` file formats,
+but supersede them in various ways:
+
+1. It allows declaring encoding of data files (i.e. `gzip` compression and suchlike)
+2. It allows referencing remote URLs as source for acquiring file data
+2. It allows inline specification of file data (suitable for short data only)
+3. It allows referencing arbitrary local files as source for acquiring file data
+4. It allows extracting data "slices" from data sources, via offset and range
+5. It may store both encoded and decoded data sizes
+6. Various fields of additional per-file metadata may be defined, including various fields for writing data to GPT partition tables
+7. It's an extensible format permitting vendors and projects to add their own per-file and per-manifest fields.
+
+Among other things, to be generated by mkosi, and consumed by systemd-sysupdate.
+
+## Manifest Object
+
+This is the top-level object for a manifest file. It's designed to be
+extensible and self-identifies as manifest.
+
+```json
+{
+        "mediaType" : "application/vnd.uapi.manifest"
+        "files" : [ … ]
+}
+```
+
+### Notes
+
+The `files` field is just an array of file objects, see below.
+
+We might eventually add additional fields to the manifest, for in-line signatures and similar.
+
+## Files Object
+
+This is an object that encodes information about an individual file.
+
+```json
+{
+        "name" : "…",
+        "dataEncoding" : "gzip"
+        "encodedDataSize" : 2011,
+        "dataSize" : 4711,
+        "dataFile" : "…",
+        "dataUrl" : "http://…"
+        "dataLiteral" : "base64…"
+        "sliceOffset" : 22,
+        "sliceSize" : 33,
+        "sha256" : "…",
+        "gptLabel" : "…",
+        "gptTypeUuid" : "…",
+        "gptFlagNoAuto" : true,
+        "gptFlagGrowFileSystem" : true,
+        "readOnly" : true,
+        "validFromUSec": 4711,
+        "validUntilUSec" : 4711,
+}
+```
+
+### Notes
+
+All fields but `name` are optional.
+
+The `name` must be a valid UTF-8 POSIX filename, may not contain control characters (ASCI 0…31, 127), may not
+contain a slash, and may not be identical to `.`, `..`, ``. It may have a maximum length of 255 bytes.
+
+Only one of `dataFile`, `dataUrl`, `dataLiteral` should be set. dataFile references a file in the same place
+as the manifest, dataUrl a full URL, and dataLiteral inline Base64.
+
+`sliceOffset`, `sliceSize` are apply to the *decoded* data blob. If not specified explicitly should default
+to a zero offset, and a slice size equal to the full decoded size.
+
+`dataSize` is the size of the decoded blob, `encodedDataSize` of the encoded blob. If `dataEncoding` is not
+specified, `encodedDataSize` should not be specified.
+
+`dataEncoding` should use the same encoding specifiers as HTTP.
+
+`sha256Sum` is the SHA256 hash of the specified slice, formatted in 64 hexadecimal characters. Parsers should
+parse this case-insensitively.
+
+The `gpt*` fields encode fields that we need when placing these resources in a GPT partition table.
+
+If `gptLabel` is unspecified, and the data is written to a GPT partition it should use the value of `name` as
+label.
+
+`readOnly` is relevant both for GPT partition table and should be reflected in the 'w' access bit when
+written to a regular file.
+
+`valid*USec` is in µs since UNIX epoch, defines a validity time window of the resource. The data should not
+be accessed or consumed outside of the specified time window. If `validFromUSec` is not specified it should
+default to 0, if `validToUSec` is not specified it should default to infinity.
+
+If neither `dataFile`, nor `dataUrl`, nor `dataLiteral` are specified, the `name` field should be used as
+fallback equivalent to it being repeated in `dataFile`.
+
+`dataLiteral` may be encoded either in regular Base64 or in URL-safe Base64, consumers must be able to deal
+with either.
+
+Additional hash algorithms may be defined in future.
+
+Sizes, offsets, timestamps shall use positive integer JSON numbers, and may use values above 2^52. (This
+means strictly speaking the format cannot be read by JSON parsers which exclusively use 64bit floating point
+for JSON numbers, if there are any files of such excessive sizes. Since it's unlikely that files included in
+a UAPI.16 manifest file are this large this should not be a practical limitation.)
+
+## Relationship to SHA256SUMS
+
+A UAPI manifest file that only uses the fields `name` and `sha256Sum` can be mapped 1:1 to a SHA256SUMS file
+and back.
+
+## Relationship to `mtree(5)`
+
+Manifests following this specification should be mappable 1:1
+[`mtree(5)`](https://man.freebsd.org/cgi/man.cgi?mtree(5)) as long as:
+
+1. Only the `name`, `dataSize`, `sha256` fields are used in the files objects, as per this specification.
+
+2. Only the `size`, `sha256` fields are used in the `mtree(5)` files, as well as `type` is set to
+   `file`. Only regular filenames may be specified as path, i.e. no `/` may be included.
+
+## Acquiring a File Remotely
+
+When acquiring a file listed in a UAPI.16 File Manifest from a web service, the following logic should be
+implemented.
+
+1. If `validFromUSec` is set and greater than the current time, the download should immediately fail.
+2. If `validUntilUSec` is set and lower than the current time, the download should immediately fail.
+3. If `dataLiteral` is set, it should be Base64 decoded, continue in step 7
+4. Otherwise, if `dataUrl` is set, the data from the URL should be acquired, continue in step 7
+5. Otherwise, if `dataFile` is set, the data should be acquired from the same URL as the manifest itself, however with the last component of the URL replaced by the file name encoded in `dataFile`, following the same semantics as HTML relative links. Continue in step 7.
+6. Otherwise, the data should be acquired as in step 3, but the `name` string should be used as file name to suffix the URL with.
+7. If `encodedDataSize` or `dataSize` are set: the size of the downloaded data shall be checked against `encodedDataSize` (if set) or `dataSize` (otherwise).
+8. If `encoding` is set: the downloaded data shall be decoded according to the algorithm indicated in `encoding`.
+9. if `dataSize` is set: the resulting decoded data shall be checked against `dataSize`.
+10. The byte range indicated by `sliceOffset` (if not set: 0) and `sliceSize` (if not set, to the end of the file) shall be extracted from the decoded data.
+11. The hash of the extracted data shall be matched against the hash encoded in `sha256Sum` (if set).
+
+If all these steps succeed the extracted data from step 10 is the result of the operation.
+
+Of course, many of the steps described above should typically be done together rather than serially for
+robustness, efficiency and security reasons. For example, if `encoding` is not used, it is recommended to
+include the `sliceOffset` and `sliceSize` fields in HTTP range request fields already (in order to avoid
+downloading redundant data). Moreover, downloads should fail immediately once the encoded or decoded data
+goes beyond the indicated encoded or decoded data sizes. Then, the decoding should be done on-the-fly while
+the data is downloaded, and the checksum be calculated on-the-fly too.
+
+## Extensibility
+
+Additional fields can be defined freely by implementors. Each such extension field should be named in the
+style of `x<Vendor>Foobar` to minimize risk of conflicts. Example `xAmutableFrobnicator` or
+`xMyProjectWeight`.
+
+
+## Example
+
+```json
+{
+    "mediaType" : "application/vnd.uapi.manifest",
+    "files" : [
+        {
+            "name" : "FooOS.raw",
+            "dataEncoding": "gzip",
+            "encodedDataSize": 5642649603,
+            "dataSize" : 7523532800,
+            "sha256" : "922a9bae0e02b4ffac3e5ed5054230d0689b9c2e25b0178ba82b925f2a0c3e48",
+            "validUntilUSec" : 1776856773123234
+        },
+        {
+            "name" : "FooOS_esp.raw",
+            "dataFile" : "FooOS.raw",
+            "dataEncoding": "gzip",
+            "encodedDataSize": 5642649603,
+            "dataSize" : 7523532800,
+            "sliceOffset" : 2097152,
+            "sliceSize" : 149175808,
+            "gptLabel" : "EFI System Partition",
+            "gptTypeUuid" : "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
+            "sha256" : "5dcfd837a4868550cc61c256d9567a974e32a20985afa9e100b8b96755a20cae",
+            "validUntilUSec" : 1776856773123234
+        },
+        {
+            "name" : "FooOS_root.raw",
+            "dataFile" : "FooOS.raw",
+            "dataEncoding": "gzip",
+            "encodedDataSize": 5642649603,
+            "dataSize" : 7523532800,
+            "sliceOffset" : 351272960,
+            "sliceSize" : 234003200,
+            "sha256" : "00b70a0813e15f309828d3a36156283cba87576c26755e0b2d4cf0951eff8163",
+            "gptLabel" : "FooOS_root",
+            "gptTypeUuid": "4f68bce3-e8cd-4db1-96e7-fbcaf984b709",
+            "readOnly": true,
+            "validUntilUSec" : 1776856773123234
+        }
+    ]
+}
+```
+
+The above provides three separate files `FooOS.raw`, `FooOS-esp.raw`, `FooOS-root.raw`. The latter two are
+defined as slices of the former, each encapsulating an individual partition. The data file is encoded via
+`gzip`.
