Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 52

update TUF guide for target removals (#14528)

Browse source
This commit is contained in:
Roberto Dip 2023-10-13 09:47:37 -03:00 committed by GitHub
parent 540f8b9657
commit 2003677355
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 60 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
orbit/docs/TUF-Update-Guide.md
View file

@ -189,6 +189,65 @@ aws s3 sync ./repository s3://fleet-tuf-repo --profile tuf
Now that the repository is pushed, verify that the hosts enrolled in step (3) update as expected.
### Removing Unused Targets
If you've inadvertently published a target that is no longer in use, follow these steps to remove it.
### 1. Preparation
1. Backup the remote TUF directory to your local machine.
```sh
mkdir ~/tuf.fleetctl.com/backup
aws s3 sync s3://fleet-tuf-repo ~/tuf.fleetctl.com/backup
```
2. Ensure your local repository mirrors the current state.
```sh
aws s3 sync s3://fleet-tuf-repo ./repository
```
3. You'll need the [`go-tuf`](https://github.com/theupdateframework/go-tuf) binary. The removal operations aren't integrated into `fleetctl` at the moment.
### 2. Local Target Removal
1. Use `tuf remove` to remove the target and update `targets.json`. Substitute `desktop/windows/stable/desktop.exe` with the target you intend to delete.
```sh
tuf remove desktop/windows/stable/desktop.exe
```
2. Snapshot, timestamp, and commit the changes.
```sh
tuf snapshot
tuf timestamp
tuf commit
```
### 3. Verification Before Publishing
1. Confirm that the version of the local `timestamp.json` file is more recent than that of the remote server.
2. Verify the changes that will be synced by running a dry sync. Include the `--delete` flag as you're removing targets.
```sh
aws s3 sync ./repository s3://fleet-tuf-repo --delete --dryrun
```
3. `diff` the local `targets.json` file with its remote version.
### 4. Publish and Confirm
1. To upload the changes, perform a sync without the `--dryrun`.
```sh
aws s3 sync ./repository s3://fleet-tuf-repo --delete
```
2. Check the changes on the remote repository.
### Issues found
#### Invalid timestamp.json version
@ -202,4 +261,4 @@ The following issue was solved by resigning the timestamp metadata `fleetctl upd
## Notes
- "Measure thrice cut once": Steps 3, 4, 5 and 6 allows us to verify the repository is in good shape before pushing to [Fleet's TUF service](tuf.fleetctl.com).
- Steps may look different if the upgrade is performed on a Linux or Windows host.
- Steps may look different if the upgrade is performed on a Linux or Windows host.