MokoConsulting/MokoGitea-Fork
1
0
Fork 0
Code Issues 171 Pull Requests Releases 96 Wiki Activity

feat: serve TUF metadata for Joomla update server endpoints #632

New Issue
Closed
opened 2026-06-13 13:47:46 +00:00 by jmiller · 0 comments
jmiller commented 2026-06-13 13:47:46 +00:00
Owner
Copy Link
Copy Source

Problem

Joomla 6 uses TUF (The Update Framework) to validate extension update metadata. MokoGitea's built-in update server serves updates.xml but no TUF metadata files. This causes Joomla 6 to reject updates with:

TUF Debug Message: Remote timestamp metadata expired
Update not possible because the offered update has expired.

Confirmed: /updates.xml serves correctly, but timestamp.json returns 404 at all attempted paths.

Required TUF Files

  • timestamp.json - short-lived, must be auto-refreshed (e.g. hourly)
  • snapshot.json - references current targets version
  • targets.json - lists update packages with hashes/sizes
  • root.json - trust anchor with signing keys

The critical piece is timestamp.json auto-refresh — if it expires, Joomla refuses updates entirely.

Affected

All repos using MokoGitea built-in /updates.xml endpoint (MokoSuiteBackup, MokoJoomHero, MokoOnyx, etc.)

Discovered testing MokoSuiteBackup on waas.dev.mokoconsulting.tech.

## Problem Joomla 6 uses TUF (The Update Framework) to validate extension update metadata. MokoGitea's built-in update server serves `updates.xml` but no TUF metadata files. This causes Joomla 6 to reject updates with: ``` TUF Debug Message: Remote timestamp metadata expired Update not possible because the offered update has expired. ``` Confirmed: `/updates.xml` serves correctly, but `timestamp.json` returns 404 at all attempted paths. ## Required TUF Files - `timestamp.json` - short-lived, must be auto-refreshed (e.g. hourly) - `snapshot.json` - references current targets version - `targets.json` - lists update packages with hashes/sizes - `root.json` - trust anchor with signing keys The critical piece is `timestamp.json` auto-refresh — if it expires, Joomla refuses updates entirely. ## Affected All repos using MokoGitea built-in `/updates.xml` endpoint (MokoSuiteBackup, MokoJoomHero, MokoOnyx, etc.) Discovered testing MokoSuiteBackup on waas.dev.mokoconsulting.tech.
Sign in to join this conversation.
Labels
Clear labels
breaking-change
Breaking API or behavior change
 ci-cd
CI/CD pipeline changes
 config
Configuration changes
 dependencies
Dependency updates
 deploy-failure
Deployment failed
 docker
Docker/container changes
 documentation
Documentation changes
 good first issue
Good for newcomers
 health-check
Repo health check result
 help wanted
Extra attention needed
 mokostandards
Related to MokoStandards framework
 push-failure
Git push operation failed
 security
Security vulnerability or hardening
 size/l
200-500 lines changed
 size/m
50-200 lines changed
 size/s
10-50 lines changed
 size/xl
500+ lines changed
 size/xs
< 10 lines changed
 standards-drift
Deviates from MokoStandards
 standards-update
MokoStandards compliance update
 sync-failure
Sync or mirror failed
 tech-debt
Technical debt and TODO/FIXME items
 upstream
upstream
Inherited from upstream Gitea
 work-in-progress
Draft or incomplete work
No labels
Priority Medium
Type Feature
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-Fork#632
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?