trdl is designed to minimize the damage from potential attacks on the release system. Its three main components make this possible: the Vault secret manager, a TUF-based (The Update Framework) repository, and Git.
trdl provides a secure channel for delivering releases from the Git repository to the user's host and guarantees the integrity of the release contents.
It protects against Git repository spoofing and compromise. trdl uses Git commits to ensure the integrity of the entire change history, including all metadata and repository content, all the way back to the initial commit.
All operations are confirmed by a quorum of GPG signatures for each commit. The signatures are stored in the Git repository, while the public parts of trusted GPG keys and the list of required signatures are stored in Vault.
trdl protects against rolling back the release channels to previous versions with vulnerabilities. During the update, trdl checks that the current commit descends from the last successfully applied commit. As a result, git push --force to a prior signed commit will not work.
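The two checks described above (a quorum of distinct trusted signers per commit, and the new commit having to descend from the last trusted one) are illustrated by the following added example. This is not trdl's own code: the commit graph, fingerprints and quorum size are constructed, and GPG signatures are replaced by HMAC tags over the commit id so the example runs offline with the standard library only.

```python
import hashlib
import hmac
from collections import deque

# Constructed commit graph: commit id -> parent ids. "c0" is the initial commit.
# "x1" is a branch rewritten on top of c1, i.e. it does not descend from c2.
COMMITS = {
    "c0": [],
    "c1": ["c0"],
    "c2": ["c1"],
    "c3": ["c2"],
    "x1": ["c1"],
}

# Trusted keys as they would be held in Vault. Assumption for this example:
# each key is an HMAC secret keyed by a made-up fingerprint, standing in for a
# GPG public key.
TRUSTED_KEYS = {
    "FP-ALICE": b"alice-secret",
    "FP-BOB": b"bob-secret",
    "FP-CAROL": b"carol-secret",
}
REQUIRED_SIGNATURES = 2  # the quorum; constructed value


def sign(fingerprint, key, commit_id):
    """Produce a (fingerprint, tag) pair over the commit id (HMAC stand-in for a GPG signature)."""
    return (fingerprint, hmac.new(key, commit_id.encode(), hashlib.sha256).hexdigest())


def is_ancestor(commits, ancestor, descendant):
    """True if `ancestor` is reachable from `descendant` through parent links, or equal to it."""
    seen = set()
    queue = deque([descendant])
    while queue:
        cur = queue.popleft()
        if cur == ancestor:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(commits.get(cur, []))
    return False


def valid_signers(commit_id, signatures, trusted_keys):
    """Return the set of distinct trusted fingerprints whose signature over commit_id verifies.

    Unknown keys are ignored, and a set is used so that several signatures by the
    same key still count as one toward the quorum.
    """
    signers = set()
    for fingerprint, tag in signatures:
        key = trusted_keys.get(fingerprint)
        if key is None:
            continue
        expected = hmac.new(key, commit_id.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            signers.add(fingerprint)
    return signers


def accept_update(commits, last_trusted, candidate, signatures, trusted_keys, required):
    """Decide whether `candidate` may replace `last_trusted`; returns (ok, reason)."""
    # Rollback / rewritten-history check: the candidate must descend from what we last accepted.
    if not is_ancestor(commits, last_trusted, candidate):
        return False, "candidate does not descend from the last trusted commit"
    # Quorum check: enough distinct trusted keys must have signed this exact commit.
    signers = valid_signers(candidate, signatures, trusted_keys)
    if len(signers) < required:
        return False, f"quorum not met: {len(signers)} of {required} trusted signatures"
    return True, "ok"


if __name__ == "__main__":
    sigs = [sign("FP-ALICE", TRUSTED_KEYS["FP-ALICE"], "c3"),
            sign("FP-BOB", TRUSTED_KEYS["FP-BOB"], "c3")]
    print(accept_update(COMMITS, "c2", "c3", sigs, TRUSTED_KEYS, REQUIRED_SIGNATURES))
```

The rollback case is the one worth noting: a prior commit such as c1, or a rewritten branch such as x1, is refused before any signature is examined, even if it carries a full quorum, because it is not a descendant of the last accepted commit.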
trdl manages encryption keys and automatically creates and stores them in Vault. As a result, no one has access to the encryption keys, and no one ever uses them directly.
trdl cannot protect you against threats related to physical access to the host where the trdl-client is installed.
trdl cannot protect you against human errors, e.g., incorrect GPG signature quorum configuration, improper build instructions, and faulty Vault config.