Software update distribution mechanisms typically rely on digital signatures for integrity protection. The platform vendor is typically responsible for assembling the various packages into a distribution image that is subsequently signed. The signature and image contents may use a manifest or cryptographic message syntax (e.g., CMS—RFC4108) as a way to describe what is being signed and to represent the signature. Some approaches require distribution of the entire manifest and contents in order that the signature can be verified. Additionally, asymmetric key verify operations may require key revocation checking, implying the need for connectivity to external certificate authority (CA) infrastructure. Also, asymmetric signing based on RSA, DSA, and/or ECDSA may be vulnerable to quantum computing attacks.
Certain open source projects such as Intel® Clear Linux, the Ostro Project, and the Zephyr Project use a scheme for managing the sets of packages and code modules that make up an OS distribution called “bundles.” While it may be possible to use CMS or another form of manifest structure to sign a release bundle, it is often necessary for the installation agent to customize the update according to site-specific policies and preferences. This implies that the update bundle may contain a superset of all possible bundles and packages that could be selected at installation time. Under the Intel Clear Linux approach, each bundle may be obtained separately and dynamically. A manifest signature ensures the integrity of the manifest, which is also used to verify the integrity of individual bundles.