"Releasing Flynn" documentation doesn't work

[alexanderturner]

Hi There,

Trying to push a release without much luck. Having a hard time navigating TUF. Initially, following the TUF root manifest guide yielded the following error:

2017/12/04 09:55:56 error cleaning TUF store: tuf: repository not yet committed

Manually moving staged/root.json to the repository directory (on the TUP repo) had the export_components script work but when trying to deploy the application with flynn-host download I'm getting TUF errors:

INFO[12-04|12:29:59] initializing TUF client
EROR[12-04|12:30:02] error updating TUF client                err="tuf: failed to decode root.json: tuf: valid signatures did not meet threshold"
12:30:02.812034 host.go:166: tuf: failed to decode root.json: tuf: valid signatures did not meet threshold

I should note that I believe that I've correctly configured both CONFIG_IMAGE_REPOSITORY and CONFIG_TUF_ROOT_KEYS in tup.config and built the application before exporting components. I'm having a hard time understanding the "Releasing Flynn" guide as it seems like some parts are missing. Assistance here would be greatly appreciated

[titanous]

Can you please provide a list of steps that you performed that led to this error?

[alexanderturner]

hiya @titanous!

I'll refer to two separate directories here; one being the working Flynn code repo /flynn, the other being the TUF repo /tuf (these paths are relative)

• cd /flynn
• tuf gen-key root
• tree .

.
├── keys
│   └── root.json
├── repository
└── staged
    ├── root.json
    └── targets

amongst all other source

• cd /tuf && tuf init
• cp /flynn/staged/root.json /tuf/staged/root.json

$ tree .
.
├── keys
├── repository
└── staged
    ├── root.json
    └── targets

In the TUF dir

• tuf gen-key targets
• tuf gen-key snapshot
• tuf gen-key timestamp

$ tree .
.
├── keys
│   ├── snapshot.json
│   ├── targets.json
│   └── timestamp.json
├── repository
└── staged
    ├── root.json
    └── targets

• cp /tuf/staged/root.json /flynn/staged/root.json
  root repo
• tuf sign root.json
• cp /flynn/staged/root.json /tuf/staged/root.json
  TUF repo
• tuf root-keys
• Copy root-keys output and set variables in tup.config in /flynn appropriately
  the output of tuf root-keys is identical in both directories at this point

If I leave steps here and attempt to run the script/export-components /tuf script I get the following output:

vagrant@flynn/flynn$ script/export-components /tuf
===> 22:22:13.725 running flynn-builder export
2017/12/06 22:22:14 error cleaning TUF store: tuf: repository not yet committed
vagrant@flynn:/flynn$

I seem to be able to overcome this by either copying the staged root key to the repository directory (in TUF), or committing a file following the go-tuf Add a target file how to. This file is a dummy foo-bar file.

With either process being followed, I'm then uploading the files to an S3 bucket and when running the custom built install script, I'm getting the following error:

INFO[12-04|12:29:59] initializing TUF client
EROR[12-04|12:30:02] error updating TUF client                err="tuf: failed to decode root.json: tuf: valid signatures did not meet threshold"
12:30:02.812034 host.go:166: tuf: failed to decode root.json: tuf: valid signatures did not meet threshold

[lmars]

@alexanderturner the docs were slightly outdated, please follow the updated version in #4299 and let us know if it works.