This HOWTO describes the process for updating the key threshold for a Rugged deployment after the TUF repo has been initialized and deployed. This applies to either Root metadata keys or the Online keys that sign role metadata.
The basic steps are:
- Update the threshold for the relevant roles under roles.* in the Rugged config.
- Run the rugged initialize-partial-root-metadata-for-update command.
- Run the rugged show-partial-root-metadata command to observe that the threshold under the roles section is correct.
This process requires a complete Key rotation ceremony. The steps below would happen in the context of the overall rotation process.
First, simply update your Rugged config (default: /etc/rugged/config.yaml) to reflect the new threshold you want to set:
roles:
  root:
    threshold: 3
    expiry: 31536000 # 365 days
  timestamp:
    threshold: 1
    expiry: 86400 # 1 day
If you are increasing the threshold for either Root keys or Online keys, then you will most likely need to generate new keys to meet the increased threshold.
Ensure you have updated the config to reflect your new thresholds before generating these keys, using the relevant steps (see details).
Next, continue with initializing your n+1.root.json partial root metadata as normal:
rugged initialize-partial-root-metadata-for-update
Finally, verify that the threshold config has been picked up by Rugged:
rugged show-partial-root-metadata
The output should reflect your new threshold:
Retrieved partial Root metadata for version 2 (2.root.json).
=== METADATA ===
Expires in 364 days, 23 hours and 53 minutes
Metadata is not valid for deployment
=== SIGNATURES ===
Signatures: 0 (Does not meet threshold)
Threshold: 3
Ensure that you complete the key rotation process from here, collecting signatures from your new threshold of keys, adding them to the n+1.root.json and deploying your new Root metadata with the updated threshold.
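As an added example (not part of Rugged itself), the following script performs the same verification as rugged show-partial-root-metadata from outside the tool: it compares the thresholds in the config against a partial root.json, counts how many Root keys have signed it, and flags a threshold that was raised above the number of keys actually assigned to the role. The config dict and the partial 2.root.json below are constructed stand-ins; the metadata layout assumed is the standard TUF root.json structure.

```python
import json

# Constructed stand-in for the `roles:` section of /etc/rugged/config.yaml above.
CONFIG_ROLES = {
    "root": {"threshold": 3, "expiry": 31536000},
    "timestamp": {"threshold": 1, "expiry": 86400},
}

# Constructed partial 2.root.json: three Root keys declared, no signatures yet,
# matching the "Signatures: 0 ... Threshold: 3" output shown above.
PARTIAL_ROOT_JSON = """{
  "signatures": [],
  "signed": {
    "_type": "root", "version": 2,
    "keys": {"k1": {}, "k2": {}, "k3": {}, "t1": {}},
    "roles": {
      "root": {"keyids": ["k1", "k2", "k3"], "threshold": 3},
      "timestamp": {"keyids": ["t1"], "threshold": 1}
    }
  }
}"""


def check_thresholds(config_roles, root_json):
    # Only keyids are matched here; cryptographic verification of each
    # signature is Rugged's job. This catches config/metadata drift early.
    meta = json.loads(root_json)
    roles = meta["signed"]["roles"]
    report = {}
    for name, cfg in config_roles.items():
        role = roles.get(name, {})
        report[name] = {
            "config_threshold": cfg["threshold"],
            "metadata_threshold": role.get("threshold"),
            "matches_config": role.get("threshold") == cfg["threshold"],
            # A threshold above the number of assigned keys can never be met:
            # generate the extra keys before initializing the partial metadata.
            "satisfiable": len(role.get("keyids", [])) >= cfg["threshold"],
        }
    # root.json is signed by the Root keys, so only those signatures count,
    # and a key that signed twice still counts once.
    root_keyids = set(roles.get("root", {}).get("keyids", []))
    signers = {s["keyid"] for s in meta["signatures"] if s["keyid"] in root_keyids}
    report["root"]["signatures"] = len(signers)
    report["root"]["meets_threshold"] = len(signers) >= config_roles["root"]["threshold"]
    return report


if __name__ == "__main__":
    for role, result in check_thresholds(CONFIG_ROLES, PARTIAL_ROOT_JSON).items():
        print(role, result)
```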