I don't understand this part at all. I read the Roles and metadata section on the TUF website, but I still don't understand the process. When / what / how should I sign metadata files?
This is what I do:
Initialize the repository.
Build application with pyinstaller (root.json is also included with the application).
Add bundle to TUF repository.
Start HTTP server to serve repository files.
I change something in the application, update version and build it again.
I add bundle to TUF repository and it creates a patch file.
I start the application built in step 1. I use the tufup Client to check for updates on start-up. It does not find any and outputs an error message, for example, "Cannot refresh metadata: root was signed by 0/1 keys". Sometimes it's "timestamp" instead of "root". I tried signing root, targets, timestamp with the command tufup sign -e 365 root <path to keystore>. I have no idea when signing should happen and what I should sign.
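The two error messages in the post are the client's report of a signature-threshold check, which is where the "signed by 0/1 keys" wording comes from. The example below is an added, standard-library-only model of that check; it is not code from the post, from tufup, or from the TUF reference implementation. Real TUF metadata is signed with Ed25519, ECDSA or RSA keys and the root lists public keys; this model substitutes HMAC-SHA256 with a per-key secret (constructed sample values KEY_A, KEY_B, KEY_C) so that it runs offline, and the key map in the model root therefore holds the secrets themselves. The function and field names (check, count_valid, make_root, sign_metadata) are my own. It shows the four cases a practitioner should be able to tell apart: a timestamp signed with the key the trusted root lists for that role, a timestamp signed with some other key, a new root signed only by a freshly generated key that the client's shipped root.json has never seen, and a root rotation that is also signed by the previous root key so the chain from the client's root.json is intact.

```python
"""Model of TUF's signature-threshold check (added example, not TUF or tufup code).

root.json lists, for every role, the keyids allowed to sign it and a threshold.
A metadata file is accepted only if at least `threshold` distinct listed keys
produced a valid signature over its canonical "signed" content. A new root
must additionally satisfy the root role of the root the client already trusts.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed stand-in key material; a real deployment uses asymmetric keys.
KEY_A = b"constructed-secret-root-key-A"
KEY_B = b"constructed-secret-timestamp-key-B"
KEY_C = b"constructed-secret-root-key-C"


def keyid(secret: bytes) -> str:
    """Derive a keyid from key material, as TUF derives it from the public key."""
    return hashlib.sha256(secret).hexdigest()


def canonical(signed: dict) -> bytes:
    """Deterministic serialization of the 'signed' object (stand-in for canonical JSON)."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(signed: dict, secrets: List[bytes]) -> dict:
    """Wrap a 'signed' object with one signature per supplied key."""
    payload = canonical(signed)
    return {
        "signed": signed,
        "signatures": [
            {"keyid": keyid(s), "sig": hmac.new(s, payload, hashlib.sha256).hexdigest()}
            for s in secrets
        ],
    }


def make_root(root_keys: List[bytes], timestamp_keys: List[bytes], version: int,
              threshold: int = 1, signers: Optional[List[bytes]] = None) -> dict:
    """Build a minimal root: key map plus the root and timestamp role definitions.

    `signers` lets a rotated root carry signatures from the previous root key
    as well as the new one; by default the root signs itself with its own keys.
    """
    keys: Dict[str, str] = {keyid(k): k.hex() for k in root_keys + timestamp_keys}
    signed = {
        "_type": "root",
        "version": version,
        "keys": keys,
        "roles": {
            "root": {"keyids": [keyid(k) for k in root_keys], "threshold": threshold},
            "timestamp": {"keyids": [keyid(k) for k in timestamp_keys], "threshold": threshold},
        },
    }
    return sign_metadata(signed, signers if signers is not None else root_keys)


def count_valid(trusted_root: dict, metadata: dict, role: str) -> Tuple[int, int]:
    """Count distinct valid signatures from keys the trusted root allows for `role`."""
    role_info = trusted_root["signed"]["roles"][role]
    keys = trusted_root["signed"]["keys"]
    payload = canonical(metadata["signed"])
    accepted = set()
    for entry in metadata["signatures"]:
        kid = entry["keyid"]
        # Signatures from keys not listed for this role contribute nothing,
        # and a key counts at most once toward the threshold.
        if kid not in role_info["keyids"] or kid in accepted:
            continue
        expected = hmac.new(bytes.fromhex(keys[kid]), payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, entry["sig"]):
            accepted.add(kid)
    return len(accepted), role_info["threshold"]


def check(trusted_root: dict, metadata: dict, role: str) -> str:
    """Return 'ok' or a client-style refresh error for `metadata` under `trusted_root`."""
    valid, threshold = count_valid(trusted_root, metadata, role)
    if valid < threshold:
        return f"Cannot refresh metadata: {role} was signed by {valid}/{threshold} keys"
    return "ok"


def demo() -> Dict[str, str]:
    """Run the four cases described in the lead-in against a client that trusts root v1."""
    root_v1 = make_root([KEY_A], [KEY_B], version=1)          # what the client ships
    ts_right_key = sign_metadata({"_type": "timestamp", "version": 1}, [KEY_B])
    ts_wrong_key = sign_metadata({"_type": "timestamp", "version": 2}, [KEY_A])
    # Repository re-initialized with a new root key C; v1's key A never signs v2.
    root_v2_unchained = make_root([KEY_C], [KEY_B], version=2)
    # Proper rotation: v2 lists only C but is signed by both A (old) and C (new).
    root_v2_chained = make_root([KEY_C], [KEY_B], version=2, signers=[KEY_A, KEY_C])
    return {
        "timestamp_right_key": check(root_v1, ts_right_key, "timestamp"),
        "timestamp_wrong_key": check(root_v1, ts_wrong_key, "timestamp"),
        "root_rotation_unchained": check(root_v1, root_v2_unchained, "root"),
        "root_rotation_chained_old": check(root_v1, root_v2_chained, "root"),
        "root_rotation_chained_new": check(root_v2_chained, root_v2_chained, "root"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The model's "0/1" results arise for exactly one reason: no signature on the file comes from a key that the root the client already trusts lists for that role. That is the defender's checklist when this message appears: confirm which root.json the client bundle ships, confirm which keyids that root lists for the failing role, and confirm that the metadata served by the repository carries signatures from those keyids (with a rotated root also signed by the previous root keys).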