The Update Framework
Signing an artifact is not enough on its own. You also have to answer harder questions: Is this the latest version, or is someone replaying an old one? Has the metadata expired? Which key is even allowed to vouch for this file? Meshanics answers them with The Update Framework (TUF), a design that splits trust across several roles so that no single compromised key is catastrophic.
The roles
Four roles cooperate to authorize an update:
| Role | Key storage | Job |
|---|---|---|
| root | offline | The anchor. Names which keys are allowed to act as every other role. |
| targets | offline | Vouches for the actual artifacts, and delegates day-to-day publishing. |
| snapshot | online | Pins a consistent set of metadata versions together. |
| timestamp | online | Freshness: re-signed frequently so devices can detect a frozen repository. |
The root and targets keys are offline: they live on an air-gapped machine and are used only in a deliberate ceremony. Publishing artifacts every day from an air-gapped machine would be impractical, so targets delegates a narrow, terminating slice of the namespace to an online publisher role. A compromise of the online publisher key can therefore only touch that slice, is recoverable by re-delegating from the offline targets role, and can never rewrite the root.
What this defends against
- Tampered bytes. The artifact's length and hash come from signed metadata; altered bytes fail verification.
- Rollback / replay. Versions move forward monotonically; an attacker cannot feed a device an older, vulnerable release and have it accepted.
- Freeze attacks. The timestamp role expires quickly and is refreshed often; a device served a stale repository treats it as a hard failure rather than trusting old data.
- Wrong-key signatures. Every role's keys are bound through the root, so a signature from an unexpected key is rejected.
The anchor on the device
Each device is provisioned with the root metadata as its pinned trust anchor. From there it performs full client-side verification of every update. The device trusts only what it can verify against that anchor — not the server it fetched from, and not the control plane that assigned the update.
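The role split, the terminating delegation to an online publisher, the four defenses listed above, and the pinned root anchor can all be exercised in one small client-side verifier. The following is an added example written for this page; it is not Meshanics code and not a TUF library. It assumes a constructed sample repository built inline, and it stands in an HMAC secret for each key pair so the whole thing runs on the Python standard library (real TUF metadata is signed with asymmetric keys such as Ed25519, and hashes cover the metadata file rather than its canonical JSON as here). Role names, file paths and the `device` dict are assumptions of the example.

```python
import fnmatch
import hashlib
import hmac
import json

# Constructed demo keys. Real TUF uses asymmetric key pairs; an HMAC secret stands in for
# each one so the example runs offline with only the standard library.
KEYS = {"root-1": b"root-secret", "targets-1": b"targets-secret", "snapshot-1": b"snapshot-secret",
        "timestamp-1": b"timestamp-secret", "publisher-1": b"publisher-secret", "rogue-1": b"rogue-secret"}
DAY = 86400


class UpdateRejected(Exception):
    """Raised whenever the device cannot verify an update against its pinned root."""


def canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(keyid, signed):
    return {"keyid": keyid, "sig": hmac.new(KEYS[keyid], canonical(signed), "sha256").hexdigest()}


def signed_meta(keyids, **signed):
    return {"signed": signed, "signatures": [sign(k, signed) for k in keyids]}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_repo(now, artifact):
    """Constructed sample repository: offline root/targets, online publisher/snapshot/timestamp."""
    publisher = signed_meta(["publisher-1"], _type="publisher", version=1, expires=now + 7 * DAY,
                            targets={"firmware/app-1.2.bin": {"length": len(artifact), "sha256": sha256(artifact)}})
    targets = signed_meta(["targets-1"], _type="targets", version=1, expires=now + 365 * DAY, targets={},
                          delegations=[{"name": "publisher", "keyids": ["publisher-1"], "threshold": 1,
                                        "paths": ["firmware/*"], "terminating": True}])
    snapshot = signed_meta(["snapshot-1"], _type="snapshot", version=1, expires=now + 7 * DAY,
                           meta={"targets": 1, "publisher": 1})
    timestamp = signed_meta(["timestamp-1"], _type="timestamp", version=1, expires=now + DAY,
                            snapshot={"version": 1, "sha256": sha256(canonical(snapshot["signed"]))})
    root = signed_meta(["root-1"], _type="root", version=1, expires=now + 365 * DAY,
                       roles={r: {"keyids": [f"{r}-1"], "threshold": 1} for r in ("root", "targets", "snapshot", "timestamp")})
    return {"root": root, "timestamp": timestamp, "snapshot": snapshot, "targets": targets, "publisher": publisher}


def check_role(meta, role, keyids, threshold, now, min_version):
    signed = meta["signed"]
    if signed["_type"] != role:
        raise UpdateRejected(f"{role}: metadata is for role {signed['_type']!r}")
    # Wrong-key signatures: only keys bound to this role by root (or the delegating role) count.
    valid = {s["keyid"] for s in meta["signatures"]
             if s["keyid"] in keyids and hmac.compare_digest(sign(s["keyid"], signed)["sig"], s["sig"])}
    if len(valid) < threshold:
        raise UpdateRejected(f"{role}: {len(valid)} valid signature(s), threshold is {threshold}")
    # Freeze attacks: expired metadata is a hard failure, never a fallback to old data.
    if now >= signed["expires"]:
        raise UpdateRejected(f"{role}: metadata expired")
    # Rollback / replay: versions only move forward from what the device has already seen.
    if signed["version"] < min_version:
        raise UpdateRejected(f"{role}: version {signed['version']} is older than known {min_version}")
    return signed


def verify_update(device, repo, path, artifact, now):
    """device = {'root': root metadata pinned at provisioning, 'versions': last accepted version per role}."""
    vs, pinned = device["versions"], device["root"]["signed"]["roles"]["root"]
    root = check_role(device["root"], "root", pinned["keyids"], pinned["threshold"], now, vs.get("root", 0))
    keys = lambda name: (root["roles"][name]["keyids"], root["roles"][name]["threshold"])
    ts = check_role(repo["timestamp"], "timestamp", *keys("timestamp"), now, vs.get("timestamp", 0))
    snap = check_role(repo["snapshot"], "snapshot", *keys("snapshot"), now, vs.get("snapshot", 0))
    if snap["version"] != ts["snapshot"]["version"] or sha256(canonical(snap)) != ts["snapshot"]["sha256"]:
        raise UpdateRejected("snapshot does not match what timestamp pinned")
    tgt = check_role(repo["targets"], "targets", *keys("targets"), now, vs.get("targets", 0))
    if tgt["version"] != snap["meta"]["targets"]:
        raise UpdateRejected("targets version not pinned by snapshot")
    accepted = {"root": root, "timestamp": ts, "snapshot": snap, "targets": tgt}
    info = tgt["targets"].get(path)
    # Walk delegations: the online publisher may only vouch for paths inside its delegated slice.
    for d in tgt.get("delegations", []) if info is None else []:
        if any(fnmatch.fnmatch(path, p) for p in d["paths"]):
            sub = check_role(repo[d["name"]], d["name"], d["keyids"], d["threshold"], now, vs.get(d["name"], 0))
            if sub["version"] != snap["meta"][d["name"]]:
                raise UpdateRejected(f"{d['name']} version not pinned by snapshot")
            accepted[d["name"]], info = sub, sub["targets"].get(path)
            if info is not None or d["terminating"]:
                break
    if info is None:
        raise UpdateRejected(f"no signed metadata vouches for {path}")
    # Tampered bytes: expected length and hash come only from signed metadata.
    if len(artifact) != info["length"] or not hmac.compare_digest(sha256(artifact), info["sha256"]):
        raise UpdateRejected(f"{path}: length or hash mismatch")
    vs.update({name: s["version"] for name, s in accepted.items()})
    return info


def is_rejected(device, repo, path, artifact, now):
    """True when the device refuses the update (used to exercise the failure modes)."""
    try:
        verify_update(device, repo, path, artifact, now)
        return False
    except UpdateRejected:
        return True


if __name__ == "__main__":
    now, firmware = 1_700_000_000, b"constructed firmware image v1.2"
    repo = build_repo(now, firmware)
    device = {"root": repo["root"], "versions": {}}  # root pinned at provisioning
    print(verify_update(device, repo, "firmware/app-1.2.bin", firmware, now))
```

Each rejection path maps to one bullet above: flip a byte of the artifact, move the clock past the timestamp expiry, hand the device a version lower than one it has already accepted, or sign the timestamp with a key the root never named, and `verify_update` raises instead of falling back to older data. A publisher key that signs a path outside `firmware/*` is likewise ignored, because the delegation from the offline targets role never covers that slice.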
See it for yourself
The Trust Center shows these roles live: which keys are offline versus online, their thresholds, and when each role's metadata expires.