Signature, expiration ,version get changed in all metadata files [except root.json and 1.root.json] when i add new bundle inside the targets

[ritishbhardwaj]

Signature, expiration ,version get changed in all metadata files [except root.json and 1.root.json] when i add new bundle inside the targets using repo_add_bundle. Can i know why is it happening like if the signatures are getting modifying everytime, will this make any side effects while updating on the client side machine where this application is getting installed. [I know that on the client side only root.json is available!!!!]
And why not the version of root.json is getting changed!!!!.
Can i change the version of the root.json in near future?. if yes, then could you provide me reference from where i can know how to do it? And will it change the 1.root.json to 2.root.json or else?
Do i need to concern it before deploying it to the production?

[dennisvang]

Signature, expiration ,version get changed in all metadata files [except root.json and 1.root.json] when i add new bundle inside the targets using repo_add_bundle. Can i know why is it happening like if the signatures are getting modifying everytime, will this make any side effects while updating on the client side machine where this application is getting installed. ...

@ritishbhardwaj This is intentional: it is the way it is supposed to work.

As you can see in your screenshot, the metadata object has a signatures member and a signed member. Every time something inside the signed member changes, that will require a new signature.

Also see #95

... [I know that on the client side only root.json is available!!!!]

The client downloads the latest versions of root.json from your server, together with the other metadata files. See detailed client workflow in the TUF spec.

And why not the version of root.json is getting changed!!!!.

The root.json signed member has not changed, so, as long as it has not expired, it will not need to be re-signed, so the version will not change.

Please refer to the TUF spec where it is all explained in great detail.

Can i change the version of the root.json in near future?. if yes, then could you provide me reference from where i can know how to do it?
And will it change the 1.root.json to 2.root.json or else?
Do i need to concern it before deploying it to the production?

As mentioned in the TUF spec, root.json "specifies trusted keys for the other top-level roles", so it only needs to be changed if you add, change, or remove trusted keys, or if the file has expired.

There's an example of a root key rotation in the repo workflow example file:

tufup/examples/repo/repo_workflow_example.py

Lines 193 to 205 in 4bb16ad

	# Rotate root key (new key is not encrypted, for convenience only)
	new_private_key_path = OFFLINE_DIR_2 / 'root_three'
	repo = Repository.from_config()
	new_public_key_path = repo.keys.create_key_pair(
	private_key_path=new_private_key_path, encrypted=False
	)
	repo.replace_key(
	old_key_name='root_two',
	new_public_key_path=new_public_key_path,
	new_private_key_encrypted=False,
	)
	repo.publish_changes(private_key_dirs=[OFFLINE_DIR_1, OFFLINE_DIR_2, ONLINE_DIR])

Again, it is strongly advised to read the TUF specification to understand how this all works.