I am trying to install kubedog, but got an error: Error: unable to update tuf meta: tuf: failed to decode timestamp.json: expired at 2021-10-30 09:32:34 +0000 UTC

$ echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
$ export PATH="$HOME/bin:$PATH"
$ curl -L "https://tuf.trdl.dev/targets/releases/0.1.3/linux-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')/bin/trdl" -o /tmp/trdl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   162  100   162    0     0    177      0 --:--:-- --:--:-- --:--:--   177
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
100 8028k  100 8028k    0     0  3935k      0  0:00:02  0:00:02 --:--:-- 9206k
$ mkdir -p ~/bin
$ install /tmp/trdl ~/bin/trdl
$ trdl add kubedog https://tuf.kubedog.werf.io 1 2cc56abdc649a9699074097ba60206f1299e43b320d6170c40eab552dcb940d9e813a8abf5893ff391d71f0a84b39111ffa6403a3e038b81634a40d29674a531
$ source $(trdl use kubedog 0 stable)
Error: unable to update tuf meta: tuf: failed to decode timestamp.json: expired at 2021-10-30 09:32:34 +0000 UTC
Cleaning up file based variables
00:00
ERROR: Job failed: command terminated with exit code 1

The golang.org/x/crypto/openpgp package does not implement OpenPGP fully. Some algorithms are not supported (e.g., ECC that is offered by default on Mac). This library is frozen and deprecated.

Let's look at actual forks and other alternatives.

rel golang/go#44226

First attempt to add trdl repo failed with timeout error:

$ curl -sSL https://werf.io/install.sh | bash -s -- --ci
[INPUT REQUIRED] Current login shell is "bash". Press ENTER to setup werf for this shell or choose another one.
[b]ash/[z]sh/[a]bort? Default: bash.
[INFO] Skipping trdl installation: already installed in "/home/gitlab-runner/bin/".
[INFO] Adding werf repo to trdl.
Error: unable to init repository "werf" client: unable to download "1.root.json": Get "https://tuf.werf.io/1.root.json": dial tcp 54.38.250.137:443: i/o timeout
[FATAL] Can't add "werf" repo to trdl.
[FATAL] Aborting.
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit status 1

— this process has failed with the error, but there also was a spawned background process, which hanged:

gitlab-+  137033  0.0  0.0   7232  1264 ?        S    03:46   0:00 bash -l
gitlab-+  137036  0.0  0.0   7800  3608 ?        S    03:46   0:00  \_ bash -s -- --ci
gitlab-+  137198  0.0  0.1 719784 10448 ?        Sl   03:46   0:01      \_ /home/gitlab-runner/bin/trdl add werf https://tuf.werf.io/ 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2

— this process held a file lock.

Next tries to run install script with trdl will always fail with file-lock timeout:

$ curl -sSL https://werf.io/install.sh | bash -s -- --ci
[INPUT REQUIRED] Current login shell is "bash". Press ENTER to setup werf for this shell or choose another one.
[b]ash/[z]sh/[a]bort? Default: bash.
[INFO] Skipping trdl installation: already installed in "/home/gitlab-runner/bin/".
[INFO] Adding werf repo to trdl.
Error: "/home/gitlab-runner/.trdl/.locks/2d478ff12948954c4b93c051a64d7374ee343545587b7059d75d5497bc7f37dc" file lock timeout 30s expired
[FATAL] Can't add "werf" repo to trdl.
[FATAL] Aborting.
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit status 1

It is required to manually kill hanged background process to make trdl work again.

• CLI
• Vault plugin API
• trdl.yaml
• trdl-channels.yaml
• TUF repository file structure

Currently disabled because of issues with logging.

Currently there is no way to specify different metadata and target URLs for the same repository, this means that trdl can't handle repositories such as the Bottlerocket one. For reference this is how the same is handled in tuftool:

VERSION="v1.6.1"
VARIANT="vmware-k8s-1.24"
OVA="bottlerocket-${VARIANT}-x86_64-${VERSION}.ova"
OUTDIR="${VARIANT}-${VERSION}"

tuftool download "${OUTDIR}" --target-name "${OVA}" \
   --root ./root.json \
   --metadata-url "https://updates.bottlerocket.aws/2020-07-07/${VARIANT}/x86_64/" \
   --targets-url "https://updates.bottlerocket.aws/targets/"

• Intro
• Architecture
• Slides
• Benefits
• Easy-to-use
• Problems

Suddenly I've reproduced an error that brought me to the previous one #210.

Now every time I open new terminal I see the following error:

Error: unable to init tuf client: unable to close from file local store: open /Users/golovinps/.trdl/repositories/werf/.meta/002220.ldb: too many open files

What is the proper way of fixing that?

• #78
• #79
• #80

In the section Managing public parts of trusted GPG keys.

• Add Documentation section.
• Move Quickstart, Security and Reference to Documentation.
• Make Documentation/How it works from sections of the Home page.
• Remove all sections except problems and benefits from the Home page.
• Fix styles on the Home page.
• Integrate How it works, Quickstart and Security into Documentation section.

Recently I've got an error which I didn't remember. It was something about "database" and "file limit exceeded". Those time I've just removed folder that was mentioned in the error. Then I reinstalled trdl and now I'm getting the following error:

➜  ~ source $("$HOME/bin/trdl" use werf "1.2" "stable")
Previous run of trdl update in background generated following errors:
WARNING: Self-update failed: unable to update tuf meta: tuf: no root keys found in local meta store

I've looked through the instructions on werf documentation and trdl as well, but didn't found any idea how to fix that.

May be I need to completely remove trdl with all tuf metas and then reinstall trdl. But I don't know all paths that I have to remove. May be uninstallation sequence mentioned somewhere in documentation and I have missed it?

I need your advice, guys. For now each time I open the Terminal I'm getting that warning, its a bit annoying.
Thank you!

P.S. I'm running on MacOS Intel.

A user/attacker can add the same key several times and add the same signature as many times during release and publication.

It is necessary to remove the possibility of restarting a successful release. However, such an opportunity should be for a failed/broken release.

• Divide commands into groups
• Update layout of a command usage
• Update command descriptions

Write a simple shell script to perform release and publsih server operations:

• Create task.
• Wait until task finished.
• Query task logs.