
Update Framework

Category: Cloud Computing Standards

The Update Framework (TUF) 1.0 is a specification issued by the Cloud Native Computing Foundation (CNCF) that describes a standard framework for securing software update systems. It outlines a secure method of obtaining trusted files from a central repository and of managing cryptographic keys.


Specification


Secure Repository Interaction


Trusted File Exchange Mechanism

The TUF 1.0 specification describes a framework that can be used to secure new and existing software update systems: package, library or application update managers.

Software update systems share a common behaviour: they check whether updates exist and, when they do, download the files required for the update. The TUF framework enables these systems to be protected from all known attacks and includes means to minimize the impact of cryptographic key compromise.

Software applications use the framework to interact with one or more repositories — conceptual sources of target files that are of interest to these applications. When an application uses the framework to interact with multiple repositories, each of them is configured with its own set of security roles and trusted keys.

TUF identifies specific JSON-formatted files that contain repository metadata: root, snapshot, targets, timestamp and mirrors. The filenames and the directory structure of target files are completely at the discretion of the application.
