Fuchsia is a project that constantly gets updates for new features, enhancements, and security fixes. Fuchsia's software update system makes use of The Update Framework (TUF) version 1.0. However, Fuchsia does have some differences from TUF:
Specification version
In a Fuchsia repository, the Fuchsia repository version is listed as a top-level attribute of the target role's signed data. This example shows the format of the specification version:
{
  ...
  "signed": {
    "_type": ROLE,
    "spec_version": "1",
    "custom": {
      "fuchsia_spec_version": <FUCHSIA_SPEC_VERSION>,
    }
  }
  ...
}
Definition of values:
- FUCHSIA_SPEC_VERSION. INT. The value of the Fuchsia repository specification version. For example, 1.
Package organization
TUF targets in a Fuchsia repository that address Fuchsia packages contain custom metadata that points to the Package Metadata Archive. This example shows the format for packages:
{
  ...
  "targets": {
    "/PACKAGE_PATH": {
      ...
    }
    ...
  }
}
Definition of values:
- PACKAGE_PATH. The relative path to the package from the repository's base URL.
Merkle root
In the Fuchsia repository, each package target includes the merkle root of the package's meta FAR as a custom attribute. This example shows the format for the merkle root:
{
  ...
  "targets" : {
    PACKAGEPATH : {
      "length" : LENGTH,
      "hashes" : HASHES,
      "custom" : {
        "merkle" : <MERKLE_ROOT>,
        "size" : <BLOB_SIZE>,
      }
    }
    ...
  }
}
Definition of values:
- MERKLE_ROOT. STRING. The hex string of the merkle root hash of the package's meta FAR.
- BLOB_SIZE. INT. The size, in bytes, of the unencrypted BLOB identified by the MERKLE_ROOT.
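The following added example (not part of the original page and not Fuchsia's own code) checks the Fuchsia-specific fields described above: `fuchsia_spec_version` in the signed data's `custom` object, and `merkle` and `size` in each package target's `custom` object. It assumes `targets` sits inside `signed` as in standard TUF metadata and that a merkle root is 64 lowercase hex characters; the function names, the `supported_versions` parameter and the sample data are hypothetical.

```python
import json
import re

# Assumption (not stated on the page): a merkle root is a 32-byte digest,
# written as 64 lowercase hex characters.
MERKLE_RE = re.compile(r"[0-9a-f]{64}")

def _obj(value):
    # Treat anything that is not a JSON object as empty so lookups never raise.
    return value if isinstance(value, dict) else {}

def _is_int(value):
    # bool is a subclass of int in Python; JSON true/false must not pass as INT.
    return isinstance(value, int) and not isinstance(value, bool)

def check_fuchsia_targets(raw, supported_versions=(1,)):
    """Return a list of problems in the Fuchsia-specific fields (empty list = OK)."""
    problems = []
    signed = _obj(_obj(json.loads(raw)).get("signed"))
    version = _obj(signed.get("custom")).get("fuchsia_spec_version")
    if not _is_int(version):
        problems.append("signed.custom.fuchsia_spec_version: missing or not an INT")
    elif version not in supported_versions:
        problems.append(f"signed.custom.fuchsia_spec_version: unsupported value {version}")
    for path, target in _obj(signed.get("targets")).items():
        custom = _obj(_obj(target).get("custom"))
        merkle = custom.get("merkle")
        if not (isinstance(merkle, str) and MERKLE_RE.fullmatch(merkle)):
            problems.append(f"{path}: custom.merkle is not a 64-character hex STRING")
        size = custom.get("size")
        if not _is_int(size) or size < 0:
            problems.append(f"{path}: custom.size is not a non-negative INT")
    return problems

def _sample(version, merkle, size):
    # Constructed sample metadata; the package path and all values are made up.
    target = {"length": 0, "hashes": {}, "custom": {"merkle": merkle, "size": size}}
    return json.dumps({"signed": {"_type": "targets", "spec_version": "1",
                                  "custom": {"fuchsia_spec_version": version},
                                  "targets": {"example-pkg/0": target}}})

GOOD = _sample(1, "ab" * 32, 8192)
BAD = _sample("1", "abcd", "8192")   # wrong type, truncated hash, size as string

if __name__ == "__main__":
    print(check_fuchsia_targets(GOOD))
    for problem in check_fuchsia_targets(BAD):
        print(problem)
```

This check covers field shape only; apply it to metadata whose TUF signatures have already been verified.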