sigstore · loosebazooka · Feb 10, 2026
diff --git a/sigstore-java/src/main/java/dev/sigstore/tuf/FileSystemTufStore.java b/sigstore-java/src/main/java/dev/sigstore/tuf/FileSystemTufStore.java
@@ -23,8 +23,6 @@
 import java.io.BufferedWriter;
 import java.io.IOException;
 import java.io.InputStream;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Optional;
@@ -69,26 +67,22 @@ public String getIdentifier() {
 
   @Override
   public void writeTarget(String targetName, byte[] targetContents) throws IOException {
-    var encoded = URLEncoder.encode(targetName, StandardCharsets.UTF_8);
-    Files.write(targetsDir.resolve(encoded), targetContents);
+    Files.write(targetsDir.resolve(TufNames.encode(targetName)), targetContents);
   }
 
   @Override
   public byte[] readTarget(String targetName) throws IOException {
-    var encoded = URLEncoder.encode(targetName, StandardCharsets.UTF_8);
-    return Files.readAllBytes(targetsDir.resolve(encoded));
+    return Files.readAllBytes(targetsDir.resolve(TufNames.encode(targetName)));
   }
 
   @Override
   public InputStream getTargetInputSteam(String targetName) throws IOException {
-    var encoded = URLEncoder.encode(targetName, StandardCharsets.UTF_8);
-    return Files.newInputStream(targetsDir.resolve(encoded));
+    return Files.newInputStream(targetsDir.resolve(TufNames.encode(targetName)));
   }
 
   @Override
   public boolean hasTarget(String targetName) throws IOException {
-    var encoded = URLEncoder.encode(targetName, StandardCharsets.UTF_8);
-    return Files.isRegularFile(targetsDir.resolve(encoded));
+    return Files.isRegularFile(targetsDir.resolve(TufNames.encode(targetName)));
   }
 
   @Override
@@ -99,23 +93,23 @@ public void writeMeta(String roleName, SignedTufMeta<?> meta) throws IOException
   @Override
   public <T extends SignedTufMeta<?>> Optional<T> readMeta(String roleName, Class<T> tClass)
       throws IOException, JsonParseException {
-    Path roleFile = repoBaseDir.resolve(roleName + ".json");
+    Path roleFile = repoBaseDir.resolve(TufNames.encode(roleName) + ".json");
     if (!roleFile.toFile().exists()) {
       return Optional.empty();
     }
     return Optional.of(GSON.get().fromJson(Files.readString(roleFile), tClass));
   }
 
   <T extends SignedTufMeta<?>> void storeRole(String roleName, T role) throws IOException {
-    try (BufferedWriter fileWriter =
-        Files.newBufferedWriter(repoBaseDir.resolve(roleName + ".json"))) {
+    Path roleFile = repoBaseDir.resolve(TufNames.encode(roleName) + ".json");
+    try (BufferedWriter fileWriter = Files.newBufferedWriter(roleFile)) {
       GSON.get().toJson(role, fileWriter);
     }
   }
 
   @Override
   public void clearMeta(String role) throws IOException {
-    Path metaFile = repoBaseDir.resolve(role + ".json");
+    Path metaFile = repoBaseDir.resolve(TufNames.encode(role) + ".json");
     if (Files.isRegularFile(metaFile)) {
       Files.delete(metaFile);
     }

diff --git a/sigstore-java/src/main/java/dev/sigstore/tuf/MetaFetcher.java b/sigstore-java/src/main/java/dev/sigstore/tuf/MetaFetcher.java
@@ -65,9 +65,10 @@ public <T extends SignedTufMeta<? extends TufMeta>> Optional<MetaFetchResult<T>>
   }
 
   private static String getFileName(String role, @Nullable Integer version) {
+    String encodedRole = TufNames.encode(role);
     return version == null
-        ? role + ".json"
-        : String.format(Locale.ROOT, "%d.%s.json", version, role);
+        ? encodedRole + ".json"
+        : String.format(Locale.ROOT, "%d.%s.json", version, encodedRole);
   }
 
   <T extends SignedTufMeta<? extends TufMeta>> Optional<MetaFetchResult<T>> getMeta(

diff --git a/sigstore-java/src/main/java/dev/sigstore/tuf/SigstoreTufClient.java b/sigstore-java/src/main/java/dev/sigstore/tuf/SigstoreTufClient.java
@@ -26,9 +26,6 @@
 import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.spec.InvalidKeySpecException;
 import java.time.Duration;
 import java.time.Instant;
 
@@ -149,12 +146,10 @@ public void update() throws SigstoreConfigurationException {
   /** Force an update, ignoring any cache validity. */
   public void forceUpdate() throws SigstoreConfigurationException {
     try {
-      updater.update();
-    } catch (IOException
-        | NoSuchAlgorithmException
-        | InvalidKeySpecException
-        | InvalidKeyException
-        | JsonParseException ex) {
+      updater.refresh();
+      updater.downloadTarget(TRUST_ROOT_FILENAME);
+      updater.downloadTarget(SIGNING_CONFIG_FILENAME);
+    } catch (IOException | JsonParseException ex) {
       throw new SigstoreConfigurationException("TUF repo failed to update", ex);
     }
     lastUpdate = Instant.now();

diff --git a/sigstore-java/src/main/java/dev/sigstore/tuf/TrustedMetaStore.java b/sigstore-java/src/main/java/dev/sigstore/tuf/TrustedMetaStore.java
@@ -110,6 +110,10 @@ public void setTargets(Targets targets) throws IOException {
     metaStore.writeMeta(RootRole.TARGETS, targets);
   }
 
+  public void setTargets(String roleName, Targets targets) throws IOException {
+    metaStore.writeMeta(roleName, targets);
+  }
+
   public Targets getTargets() throws IOException, JsonParseException {
     return getMeta(RootRole.TARGETS, Targets.class);
   }
@@ -118,6 +122,10 @@ public Optional<Targets> findTargets() throws IOException, JsonParseException {
     return metaStore.readMeta(RootRole.TARGETS, Targets.class);
   }
 
+  public Optional<Targets> findTargets(String roleName) throws IOException, JsonParseException {
+    return metaStore.readMeta(roleName, Targets.class);
+  }
+
   public void clearMetaDueToKeyRotation() throws IOException {
     metaStore.clearMeta(RootRole.TIMESTAMP);
     metaStore.clearMeta(RootRole.SNAPSHOT);

diff --git a/sigstore-java/src/main/java/dev/sigstore/tuf/TufNames.java b/sigstore-java/src/main/java/dev/sigstore/tuf/TufNames.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2022 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.tuf;
+
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+
+/** URL-encodes TUF role and target names for safe use in file paths and URLs. */
+public class TufNames {
+
+  private TufNames() {}
+
+  /** URL-encode a name, using %20 for spaces (not +). */
+  public static String encode(String name) {
+    return URLEncoder.encode(name, StandardCharsets.UTF_8).replace("+", "%20");
+  }
+}