2025-03-25
This KEYMASTER session discusses TUF, an open-source framework for securing software update systems.
Our guest, Fredrik Skogman, is a Staff Engineer on the Package Security Engineering team at GitHub, specializing in software supply chain security. He brings valuable insights to this discussion. Thank you for joining us and sharing your expertise on TUF!
Here’s a summary of the conversation between Sven Rajala, Keyfactor’s international PKI man of mystery, and Fredrik Skogman.
TUF places most of the security responsibility on the client, which verifies the integrity and authenticity of the updates it fetches. Various open-source implementations exist in Python (the reference implementation), Go, JavaScript, Java, and Rust.
A key feature of TUF is its M-of-N signature scheme, which enhances security by requiring multiple sign-offs to approve updates, mitigating the risk of compromised keys, and facilitating key rotation. This model strengthens trust. One example is the open-source project Sigstore, where TUF is used to protect and distribute transparency logs and root certificates.
TUF is not designed for air-gapped environments, as it relies on connectivity to the TUF repository to verify updates. However, workarounds exist, such as manual transfers of updated metadata. Compared with Web PKI, TUF offers an alternative way to manage trust roots: it does not require root program audits, yet it still provides secure and verifiable mechanisms for protecting root certificates.
The session also explored two open-source projects that implement TUF:
TUF supports delegation, allowing different teams or organizations to manage updates independently while maintaining hierarchical trust. This is useful for complex structures like managing separate update channels for internal and external users.
For further learning, Cloud Native Computing Foundation (CNCF) and Open Source Security Foundation (OpenSSF) Slack channels dedicated to TUF and its implementations are recommended.
Fredrik Skogman is a Staff Engineer on the Package Security Engineering team at GitHub, where he focuses on software supply chain security. At GitHub he provides technical leadership for standards and tools in the supply chain security space, most recently co-authoring the published npm RFC for using Sigstore to bind packages to the originating source. Fredrik is an active maintainer in the Sigstore and TUF projects. As a native Swede, he rides all kinds of bikes, in all kinds of weather.