Package release workflow
The diagram below illustrates a generic package release workflow with Rugged TUF signing integrated.
```mermaid
sequenceDiagram
    participant PP as Packaging Pipeline
    participant FS as Shared Filesystem(s)
    participant TUF as Rugged CLI
    participant TARGETS as Targets Worker
    participant SNAPSHOT as Snapshot Worker
    participant TIMESTAMP as Timestamp Worker
    autonumber
    activate PP
    PP->>PP: Clone code
    rect rgba(0, 255, 255, .1)
        note left of FS: <PACKAGE>-<VERSION>.zip
        PP->>PP: Build package
        PP->>FS: Upload package
        activate FS
    end
    rect rgba(0, 255, 0, .1)
        note left of FS: <PACKAGE>.json
        PP->>PP: Generate package metadata
        PP->>FS: Upload package metadata
    end
    PP->>TUF: `rugged add-targets foo/foo.zip foo/package.json [...]`
    activate TUF
    rect rgba(0, 0, 255, .1)
        note right of FS: TUF signing
        TUF->>TARGETS: List of target files to sign
        activate TARGETS
        loop For each target file
            FS-->>TARGETS: Read target file
            TARGETS->>TARGETS: Update Targets metadata (with length and hashes of target file)
        end
        TARGETS->>TARGETS: Sign Targets metadata
        TARGETS-->>FS: Write updated Targets metadata
        note left of TUF: targets.json
        TARGETS->>TUF: Return status message
        deactivate TARGETS
        TUF->>PP: Print status message
        TUF->>SNAPSHOT: Trigger Snapshot update
        activate SNAPSHOT
        SNAPSHOT->>SNAPSHOT: Update and sign Snapshot metadata
        SNAPSHOT-->>FS: Write updated Snapshot metadata
        note left of TUF: snapshot.json
        SNAPSHOT->>TUF: Return status message
        deactivate SNAPSHOT
        TUF->>PP: Print status message
        TUF->>TIMESTAMP: Trigger Timestamp update
        activate TIMESTAMP
        TIMESTAMP->>TIMESTAMP: Update and sign Timestamp metadata
        TIMESTAMP-->>FS: Write updated Timestamp metadata
        deactivate FS
        note left of TUF: timestamp.json
        TIMESTAMP->>TUF: Return status message
        deactivate TIMESTAMP
        TUF->>PP: Print status message
    end
    deactivate TUF
    deactivate PP
```

Note that the Targets worker does not sign the target files themselves: it records each file's length and hashes in targets.json and signs that metadata. The Snapshot worker then records the length and hash of the new targets.json, and the Timestamp worker records those of the new snapshot.json, so a client that trusts timestamp.json can verify the whole chain down to the package bytes.
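The chain the three workers build, and the checks a client runs against it, as an added example in Go using the standard library's Ed25519 and SHA-256. This is illustrative code written for this page, not Rugged's implementation: the `Repo`, `AddTargets`, `publish` and `Verify` names are hypothetical, the in-memory `Files` map stands in for the shared filesystem, one key pair per role stands in for however Rugged's workers are provisioned, and the JSON layout is a cut-down version of the TUF metadata format (no root role, expiry or key IDs). The sample package bytes are constructed. `AddTargets` plays the `rugged add-targets` step through the three workers; `Verify` walks timestamp.json to snapshot.json to targets.json to the artifact, refusing a tampered package, a stale snapshot and an unknown signer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// FileInfo is what a metadata file records about each file it commits to:
// targets.json lists target files, snapshot.json lists targets.json and
// timestamp.json lists snapshot.json. A client walks that chain top-down.
type FileInfo struct {
	Length int               `json:"length"`
	Hashes map[string]string `json:"hashes"`
}

// Signed is the payload under signature; Version must grow on every update.
// (Simplified: real TUF metadata also has expiry, key IDs and a root role.)
type Signed struct {
	Type    string              `json:"_type"`
	Version int                 `json:"version"`
	Meta    map[string]FileInfo `json:"meta"`
}

// Metadata is the on-disk form: payload plus hex-encoded Ed25519 signatures.
type Metadata struct {
	Signed     Signed   `json:"signed"`
	Signatures []string `json:"signatures"`
}

// Repo (hypothetical) stands in for the shared filesystem plus one key pair per
// worker role; Pubs is what a client trusts out of band (real TUF: root.json).
type Repo struct {
	Files   map[string][]byte
	Pubs    map[string]ed25519.PublicKey
	keys    map[string]ed25519.PrivateKey
	vers    map[string]int
	targets map[string]FileInfo // targets published so far
}

func NewRepo() *Repo {
	r := &Repo{map[string][]byte{}, map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}, map[string]int{}, map[string]FileInfo{}}
	for _, role := range []string{"targets", "snapshot", "timestamp"} {
		r.Pubs[role], r.keys[role], _ = ed25519.GenerateKey(rand.Reader)
	}
	return r
}

func (r *Repo) Version(role string) int { return r.vers[role] }

func fileInfo(b []byte) FileInfo {
	sum := sha256.Sum256(b)
	return FileInfo{Length: len(b), Hashes: map[string]string{"sha256": hex.EncodeToString(sum[:])}}
}

// canonical gives deterministic bytes to sign: json.Marshal sorts map keys.
func canonical(s Signed) []byte { b, _ := json.Marshal(s); return b }

// publish is one worker's job: bump the role's version, sign, write <role>.json.
func (r *Repo) publish(role string, meta map[string]FileInfo) {
	r.vers[role]++
	s := Signed{Type: role, Version: r.vers[role], Meta: meta}
	sig := hex.EncodeToString(ed25519.Sign(r.keys[role], canonical(s)))
	r.Files[role+".json"], _ = json.Marshal(Metadata{Signed: s, Signatures: []string{sig}})
}

// AddTargets mirrors `rugged add-targets <paths>`: hash each file into
// targets.json, then roll snapshot.json and timestamp.json behind it.
func (r *Repo) AddTargets(paths ...string) error {
	for _, p := range paths {
		b, ok := r.Files[p]
		if !ok {
			return fmt.Errorf("target %q is not on the shared filesystem", p)
		}
		r.targets[p] = fileInfo(b)
	}
	r.publish("targets", r.targets)
	r.publish("snapshot", map[string]FileInfo{"targets.json": fileInfo(r.Files["targets.json"])})
	r.publish("timestamp", map[string]FileInfo{"snapshot.json": fileInfo(r.Files["snapshot.json"])})
	return nil
}

// Verify walks the chain as a client does: check the role signature on a
// metadata file, then the length/hash it records for the next file before
// reading that, down from timestamp.json to the target file itself.
func Verify(files map[string][]byte, pubs map[string]ed25519.PublicKey, target string) error {
	next := []string{"snapshot.json", "targets.json", target}
	for i, role := range []string{"timestamp", "snapshot", "targets"} {
		var m Metadata
		if err := json.Unmarshal(files[role+".json"], &m); err != nil {
			return fmt.Errorf("%s.json: %w", role, err)
		}
		pub, known := pubs[role] // unknown role key: reject, never panic in Verify
		valid := false
		for _, s := range m.Signatures {
			sig, err := hex.DecodeString(s)
			valid = valid || (known && err == nil && ed25519.Verify(pub, canonical(m.Signed), sig))
		}
		if !valid {
			return fmt.Errorf("%s.json: no valid signature by the %s key", role, role)
		}
		want, listed := m.Signed.Meta[next[i]]
		got := fileInfo(files[next[i]])
		if !listed || got.Length != want.Length || got.Hashes["sha256"] != want.Hashes["sha256"] {
			return fmt.Errorf("%s: not listed in %s.json or length/hash mismatch", next[i], role)
		}
	}
	return nil
}

func main() {
	r := NewRepo()
	r.Files["foo/foo-1.0.0.zip"] = []byte("constructed stand-in for the built package") // constructed sample
	fmt.Println("add-targets:", r.AddTargets("foo/foo-1.0.0.zip"))
	fmt.Println("clean verify:", Verify(r.Files, r.Pubs, "foo/foo-1.0.0.zip"))
	r.Files["foo/foo-1.0.0.zip"] = []byte("swapped after signing") // artifact replaced on the filesystem
	fmt.Println("tampered verify:", Verify(r.Files, r.Pubs, "foo/foo-1.0.0.zip"))
}
```

The ordering in `AddTargets` is the point of the diagram: snapshot.json can only be signed once the new targets.json exists, and timestamp.json once the new snapshot.json exists, because each commits to the bytes of the file below it. A client that holds the latest timestamp.json will therefore reject an older snapshot.json even though its signature is still valid, which is what stops a rollback to a previously published package set.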