awslabs / tough

Rust libraries and tools for using and generating TUF repositories


Is there a way to check for updates?

flavio opened this issue · comments

Sorry for filing an issue about that, I didn't know how to reach out to you to have an informal chat.

I want to use tough to implement TUF-related operations inside of sigstore-rs.
The Sigstore project is using a TUF repository to store some files, like public certs and keys.

My plan would be:

  1. Embed a trusted version of the TUF repository (root.json + metadata + targets) inside of the source code of sigstore-rs
  2. Check whether there's a new version of the root.json, update to the latest one in a safe way
  3. Use the latest trusted root.json, check for updates of repo metadata and targets. Update them to the latest version
  4. Fetch the latest files from the TUF repositories

That would be my first steps. Later I'll also handle the case where the repo is also cached on the local disk.

Now, straight to my questions:

  • It doesn't seem that tough supports updates of its Repository struct. Am I missing something?
  • If that's the case, do you plan to implement this feature?

From what I've seen, tough is used by AWS Bottlerocket, how do you deal with upgrades over there? I suspect you have a different use case, since you always download the whole repo, hence you don't need this feature yet. Am I right?

Sorry for the silly questions, I'm just getting familiar with TUF 😅

Embed a trusted version of the TUF repository (root.json + metadata + targets) inside of the source code of sigstore-rs

You should only need to embed the root.json file into your software. Given the metadata targets URL, the tough client will find the metadata files by following the spec. You ship the root.json with the software so that the public keys which form the root of trust are already distributed with the client.

check for updates of repo metadata and targets

The tough library struct does all of this automatically during RepositoryLoader::load! In fact any conforming implementation has to look for and download newer root.json versions if they exist. Also, the timestamp.json file is found at a deterministic URL and this gives the library the entrypoint that it needs to find all the other metadata.

It doesn't seem that tough supports updates of its Repository struct.

Do you mean, "how does one edit a Repository"? The Repository is immutable, but you can use the RepositoryEditor to add and remove targets, roles, etc and then re-sign. When you re-sign with the RepositoryEditor, then you have another immutable Repository with signed metadata you can serialize.

Probably the best place to see this in action is in tuftool, for example:

Thanks for the explanation and the tips ❤️

There's one last thing, just to confirm I've understood everything correctly.

I only need to:

  • ship a root.json file I trust
  • feed that into RepositoryLoader::load, together with the URLs of the metadata & targets
  • RepositoryLoader will update root.json to the latest trusted revision, and then it will download all the metadata + targets

Thanks again!

Yes your understanding is correct.

RepositoryLoader will update root.json to the latest trusted revision, and then it will download all the metadata + targets

Yes, though I would say it slightly differently: It downloads the latest trusted revision. Trust is maintained by downloading and validating every subsequent version until the latest has been obtained.
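As an added illustration (not tough's code and not posted by anyone in this thread) of the rule stated in the reply above, the block below models how a TUF client advances root.json one version at a time, checking each candidate against the root it already trusts before trusting it, and how the next versioned root file is named so that it can be found at a deterministic URL, as mentioned earlier in the thread. The RootMeta struct, the key IDs, the version chain and the example.invalid URL are constructed stand-ins, and real signature verification is reduced to "which trusted key IDs signed this file", which is an assumption made for readability.

```rust
use std::collections::BTreeSet;

/// Trimmed-down root.json: only what the rotation check needs (constructed model).
#[derive(Clone, Debug, PartialEq)]
struct RootMeta {
    version: u64,
    /// Key IDs the root role trusts in this version.
    root_keys: BTreeSet<String>,
    /// Number of those keys that must have signed.
    threshold: usize,
    /// Key IDs whose signatures are present; stands in for real signature checks (assumption).
    signed_by: BTreeSet<String>,
}

#[derive(Debug, PartialEq)]
enum RotationError {
    VersionGap { expected: u64, found: u64 },
    OldThresholdNotMet { have: usize, need: usize },
    NewThresholdNotMet { have: usize, need: usize },
}

fn keys(ids: &[&str]) -> BTreeSet<String> {
    ids.iter().map(|s| s.to_string()).collect()
}

/// How many of `candidate`'s signatures come from `trusted_keys`.
fn valid_signatures(candidate: &RootMeta, trusted_keys: &BTreeSet<String>) -> usize {
    candidate.signed_by.iter().filter(|k| trusted_keys.contains(*k)).count()
}

/// TUF root rotation rule: the candidate must be exactly version N+1, signed by a
/// threshold of the currently trusted root's keys AND by a threshold of its own keys.
fn verify_next_root(trusted: &RootMeta, candidate: &RootMeta) -> Result<(), RotationError> {
    let expected = trusted.version + 1;
    if candidate.version != expected {
        return Err(RotationError::VersionGap { expected, found: candidate.version });
    }
    let have = valid_signatures(candidate, &trusted.root_keys);
    if have < trusted.threshold {
        return Err(RotationError::OldThresholdNotMet { have, need: trusted.threshold });
    }
    let have = valid_signatures(candidate, &candidate.root_keys);
    if have < candidate.threshold {
        return Err(RotationError::NewThresholdNotMet { have, need: candidate.threshold });
    }
    Ok(())
}

/// Versioned root file a client asks for next (TUF `{N}.root.json` naming convention).
fn root_url(metadata_base: &str, version: u64) -> String {
    format!("{}/{}.root.json", metadata_base.trim_end_matches('/'), version)
}

/// Walk from the shipped root through every published successor. `published`
/// stands in for the repository server: a missing `{N+1}.root.json` means we
/// already hold the latest root; a candidate that fails verification aborts the update.
fn update_root_chain(shipped: &RootMeta, published: &[RootMeta]) -> Result<RootMeta, RotationError> {
    let mut trusted = shipped.clone();
    while let Some(next) = published.iter().find(|r| r.version == trusted.version + 1) {
        verify_next_root(&trusted, next)?;
        trusted = next.clone();
    }
    Ok(trusted)
}

/// Constructed sample: v1 is the shipped root; v2 rotates key A out; v3 raises the
/// threshold; v4 is an unauthorized root signed only by a key no trusted root ever listed.
fn sample_chain() -> (RootMeta, Vec<RootMeta>) {
    let v1 = RootMeta { version: 1, root_keys: keys(&["A", "B"]), threshold: 1, signed_by: keys(&["A", "B"]) };
    let v2 = RootMeta { version: 2, root_keys: keys(&["B", "C"]), threshold: 1, signed_by: keys(&["B"]) };
    let v3 = RootMeta { version: 3, root_keys: keys(&["C", "D"]), threshold: 2, signed_by: keys(&["C", "D"]) };
    let v4 = RootMeta { version: 4, root_keys: keys(&["X"]), threshold: 1, signed_by: keys(&["X"]) };
    (v1, vec![v2, v3, v4])
}

fn main() {
    let (shipped, mut published) = sample_chain();
    let rogue = published.pop().unwrap();
    println!("next fetch: {}", root_url("https://example.invalid/metadata", shipped.version + 1));
    println!("honest chain -> {:?}", update_root_chain(&shipped, &published).map(|r| r.version));
    published.push(rogue);
    println!("with rogue v4 -> {:?}", update_root_chain(&shipped, &published));
    println!("skip v2 -> {:?}", verify_next_root(&shipped, &published[1]));
}
```

The point the walk makes is the one in the reply: the client never jumps from the shipped root to the newest one, because only the step-by-step checks let each root vouch for its successor; a file that claims to be version 3 is rejected while the client still trusts version 1, and the rogue version 4 is rejected because no key from the trusted version 3 signed it. tough performs this walk inside RepositoryLoader::load, so an application using it only needs to ship the root it trusts.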

Yes, that's exactly what I mean. I just realized my sentence wasn't written clearly at all, sorry about that.

Thanks for the clarifications and your help!