I use the tufup package to implement automatic updates for a Python application. However, I don't understand the signing part at all. I read the Roles and metadata section on the TUF website, but I still don't understand the process. When / what / how should I sign metadata files?

This is what I do:

- Initialize the repository.
- Build the application, version 1.0.0, with `pyinstaller` (`root.json` is also included with the application).
- Add the bundle to the TUF repository.
- Start an HTTP server to serve the repository files.
- Change something in the application, update the version number and build it again (version 1.0.1).
- Add the bundle to the TUF repository, and it creates a patch file.
- Start the application built in step 1 (version 1.0.0).

I use the tufup `Client` to check for updates on start-up. It does not find any and outputs an error message, for example, "Cannot refresh metadata: root was signed by 0/1 keys". Sometimes it's "timestamp" instead of "root". I tried signing `root`, `targets` and `timestamp` with the `tufup sign` command, for example, `tufup sign -e 365 root <path to keystore>`. I have no idea when signing should happen and what I should sign.
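The error quoted in the question is the client's threshold check: for each role, `root.json` lists which key IDs may sign that role's metadata and how many of them must sign (the threshold); the client counts valid signatures from those keys over the role's `signed` object and refuses the metadata when the count is below the threshold. The following is an added example written for this page, not code from the question or from tufup, that models that check with plain Python. It assumes HMAC-SHA256 as a stand-in for the asymmetric signatures TUF really uses (Ed25519, RSA or ECDSA), a constructed in-memory keystore (`make_keystore`) in place of a keystore directory, and sorted JSON in place of TUF's canonical JSON; the functions `sign`, `verify` and `walkthrough` are hypothetical names, not tufup's API.

```python
import hashlib
import hmac
import json

ROLES = ("root", "targets", "snapshot", "timestamp")


def canonical(signed: dict) -> bytes:
    # TUF signatures cover a canonical serialization of the "signed" object.
    # Sorted, whitespace-free JSON is a close stand-in (TUF uses OLPC canonical JSON).
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def make_keystore() -> dict:
    # Constructed stand-in for a keystore directory: one secret per role.
    # Real TUF keys are asymmetric; HMAC secrets are an assumption for this example.
    keystore = {}
    for role in ROLES:
        secret = hashlib.sha256(b"constructed-secret-" + role.encode()).digest()
        kid = hashlib.sha256(b"keyid:" + secret).hexdigest()[:16]
        keystore[role] = {"keyid": kid, "secret": secret}
    return keystore


def make_root(keystore: dict) -> dict:
    # root.json assigns each top-level role its authorised keyids and a threshold.
    roles = {role: {"keyids": [keystore[role]["keyid"]], "threshold": 1} for role in ROLES}
    return {"signed": {"_type": "root", "version": 1, "roles": roles}, "signatures": []}


def sign(metadata: dict, keystore: dict, signing_role: str) -> dict:
    """Append a signature made with `signing_role`'s key (what a 'sign <role>' step does)."""
    key = keystore[signing_role]
    sig = hmac.new(key["secret"], canonical(metadata["signed"]), hashlib.sha256).hexdigest()
    metadata["signatures"].append({"keyid": key["keyid"], "sig": sig})
    return metadata


def verify(role: str, metadata: dict, root: dict, keystore: dict) -> str:
    """Mimic the client check: count valid signatures from root-authorised keys vs threshold."""
    role_info = root["signed"]["roles"][role]
    secrets_by_keyid = {v["keyid"]: v["secret"] for v in keystore.values()}
    payload = canonical(metadata["signed"])
    good = set()
    for entry in metadata["signatures"]:
        kid = entry["keyid"]
        if kid not in role_info["keyids"]:
            continue  # signed, but not by a key root assigns to this role
        expected = hmac.new(secrets_by_keyid[kid], payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, entry["sig"]):
            good.add(kid)
    return f"{role} was signed by {len(good)}/{role_info['threshold']} keys"


def walkthrough() -> dict:
    """Reproduce, step by step, how the error in the question arises and goes away."""
    ks = make_keystore()
    root = make_root(ks)
    timestamp = {"signed": {"_type": "timestamp", "version": 1}, "signatures": []}
    out = {}
    out["unsigned_root"] = verify("root", root, root, ks)              # 0/1: nothing signed yet
    sign(root, ks, "root")
    out["signed_root"] = verify("root", root, root, ks)                # 1/1
    sign(timestamp, ks, "targets")                                     # wrong key for this role
    out["wrong_key"] = verify("timestamp", timestamp, root, ks)        # still 0/1
    timestamp["signatures"].clear()
    sign(timestamp, ks, "timestamp")
    out["signed_timestamp"] = verify("timestamp", timestamp, root, ks) # 1/1
    timestamp["signed"]["version"] = 2                                 # new bundle published...
    out["stale_after_change"] = verify("timestamp", timestamp, root, ks)  # ...old sig no longer matches: 0/1
    sign(timestamp, ks, "timestamp")
    out["resigned"] = verify("timestamp", timestamp, root, ks)         # 1/1 again
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:20s} -> {result}")
```

Two things the walkthrough makes visible: a role's metadata only counts as signed when the signature comes from a key that `root.json` assigns to that role (signing `timestamp` with the `targets` key still yields 0/1), and a signature is bound to the exact `signed` content, so every change that bumps a role's version (adding a bundle changes `targets`, which in turn changes `snapshot` and `timestamp`) invalidates the previous signature and the role must be signed again before the client will accept it. In real TUF the client verifies with the public keys published in `root.json` rather than sharing secrets as this HMAC stand-in does.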