Technology · Ebook
The Update Framework (TUF): Securing Software Updates
by Shriira Press
The Update Framework (TUF) is a framework for securing software update and distribution systems against compromise — protecting the path from publish to install even when keys are stolen or servers are breached. This free book teaches it from the ground up: software-update security threats and why naive signing isn't enough, TUF's core concepts (signed metadata, targets, the chain of trust), the four roles (root, targets, snapshot, timestamp) and why they're separated, the specific attacks TUF defends (rollback, freeze, mix-and-match, key compromise), the client verification workflow, key management with offline keys/thresholds/recovery, delegations for scaling to multi-publisher repositories, TUF in the ecosystem (Notary, Sigstore, package managers), and applying TUF in practice. Ten focused chapters with clear diagrams that show how TUF achieves compromise resilience that naive signing can't.
Contents
- 1Preface
- 2Chapter 1 — What TUF Is
- 3Chapter 2 — Software Update Security Threats
- 4Chapter 3 — Core Concepts: Metadata, Signing, and Trust
- 5Chapter 4 — The Roles
- 6Chapter 5 — Attacks and How TUF Defends Them
- 7Chapter 6 — Client Verification
- 8Chapter 7 — Key Management, Thresholds, and Recovery
- 9Chapter 8 — Delegations
- 10Chapter 9 — TUF in the Ecosystem
- 11Chapter 10 — Applying TUF and Putting It Together