A Framework for Securing Software Update Systems

The Update Framework (TUF) helps developers to secure new or existing software update systems, which are often found to be vulnerable to many known attacks. TUF addresses this widespread problem by providing a comprehensive, flexible security framework that developers can integrate with any software update system. The framework can be easily integrated (or implemented in the native programming languages of these update systems) due to its concise, self-contained architecture and specification. Developers have so far implemented the framework in the Go, Haskell, Python, Ruby, and Rust programming languages.

TUF is hosted by the Cloud Native Computing Foundation (CNCF) and follows the CNCF Code of Conduct.

What is a software update system?

Generally, a software update system is an application (or part of an application) running on a client system that obtains and installs software. This can include updates to software that is already installed or even completely new software.

Three major classes of software update systems are:

Our approach

There are literally thousands of different software update systems in common use today. (In fact, the average Windows user has about two dozen different software updaters on their machine!)

We built a specification and library that can be universally (and in most cases transparently) used to secure software update systems.


October 24, 2017

The Cloud Native Computing Foundation announced at Open Source Summit Europe that it was adding TUF as its 14th hosted project. Notary, Docker’s implementation of TUF, was also added at that time.

September 8, 2017

Cloudflare releases PAL, a container identity bootstrapping tool. It is open source and uses Notary, Docker’s implementation of TUF. PAL “confirms that a specific container hash maps to specific metadata like a container’s name and label.”

July 5, 2017

TUF will be featured in DebConf17, an “annual conference for Debian contributors and users interested in improving Debian.” The conference will take place in Montreal, Canada, August 6 - 12, 2017.

July 3, 2017

Dr. Trishank Karthik Kuppusamy defended his dissertation on TUF and Uptane. Congratulations! Work on these projects will continue as Sebastien, Vlad, Justin, and others move forward!

May 10, 2017

Justin Cappos gave a talk on TUF, Uptane, and in-toto at DockerCon 2017.

October 10, 2016

Lily Guo and Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon+ContainerCon Europe 2016. Slides of their talk are available here.

September 22, 2016

TUF now welcomes proposals to extend the specification! For more information, please see TUF Augmentation Proposals (TAPs).

August 24, 2016

Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon North America. Slides of his talk are available here.

February 22, 2016

David Lawrence and Ying Li from Docker are scheduled to present at PyCon 2016. The title of their presentation is: When the going gets tough, get TUF going

February 19, 2016

The Update Framework now has a logo to call its own. Thanks to Maria Jose Barrera for creating the logo, and to Santiago Torres for making it happen.

February 18, 2016

The camera-ready version of “Diplomat: Using Delegations to Protect Community Repositories” was recently submitted to NSDI 2016. The paper is freely available here on our website.

August 12, 2015

In TUF adoption news… the Docker team announced Docker Content Trust, which integrates TUF via Notary. Docker Content Trust will be available starting with Docker 1.8, and supports image signing and verification. For more information on the Docker + TUF integration, please visit the Docker documentation.

How do I learn more?

For more information, look at the following:


Security Issues

Security issues can be reported by emailing

At a minimum, the report must contain the following:

Optionally, emailed reports can be encrypted with PGP. Encrypt to the PGP key with fingerprint E9C0 59EC 0D32 64FA B35F 94AD 465B F9F6 F8EB 475, and verify that fingerprint against the key you fetch before using it.



Docker Content Trust

LEAP Encryption Access Project

Securing Python package management

Securing Ruby package management

CoreOS App Container Specification

Hackage, Haskell’s Central Package Archive

Signing the OPAM Repository: TUF Meets Git

Other implementations



This material is based upon work supported by the National Science Foundation under Grant No. CNS-1345049 and CNS-0959138. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.