ATS Garage aligns with the Uptane security framework. Uptane was developed in response to the clear need for a comprehensive security model for automotive updates, and is the first security system that provides serious compromise resilience in that space[1].

Uptane structure

The most important concept in Uptane is that there are two sets of metadata, from separate sources, that must agree with each other and have valid cryptographic signatures.

The first comes from the TUF Repository[2]. The TUF Repository contains metadata for update packages that are valid install targets, and its metadata is signed by a chain of trust with offline keys.

The second comes from the Director, which controls what updates (selected from the valid install targets) should actually be installed on devices. The Director uses online keys, and is part of the ATS Garage service.

Signing updates of system images

ATS Garage manages the Director for you. When you create an update campaign, we update the Director behind the scenes, signing the metadata for each image-device tuple in the campaign.

The TUF keys should be managed on your side; we provide tooling to help you do just that. When you build a new device, bitbake automatically signs the image for you, using TUF keys that you specify in the build’s local.conf[3]. Your initial key is created by ATS Garage, delivered to you inside your credentials.zip file, and kept online for convenience and bootstrapping; for any production use you should rotate your TUF key and store it securely offline[4].


1. "Uptane is the first compromise-resilient software update security system for the automotive industry.", https://uptane.github.io
2. It’s called the TUF repository because it uses The Update Framework.
3. The TUF keys are packed inside the zip file specified by the SOTA_PACKED_CREDENTIALS line.
4. Proceed with caution! Once you take the key offline, HERE Technologies cannot recover it.