Skip to main content
The manifest file defines an OTA release to the Thistle Update Client. Manifests are typically handled and amended by the Thistle Release Helper or Thistle Control Center. All fields are strings aside from version, which is an unsigned integer.

Example manifest

{
  "comment": "release matching internal commit ab245ef1",
  "id": "01G9CPEVZN3KWEJSDR3YRB6TEY",
  "ts": "1659357610.1366699",
  "version": 1,
  "name": "mymanifest",
  "signature": "dW50cnVzdGVkIGNvbW1lbnQ6IHNpZ25hdHVyZSBmcm9tIHJzaWduIHNlY3JldCBrZXk...",
  "pre_install": null,
  "post_install": null,
  "rootfs": null,
  "files": [{
      "name": "a",
      "install_location": "/opt/application",
      "download_location": "https://xxx.ota.thistlesec.net/8a045f82696d69147e2274492723eabb",
      "hash": "17c7c37227ff424637817217e7155cee1a9a732c59b2798dcceff46722d9992e",
      "pre_install": null,
      "post_install": null
  }],
  "wdek: "[REDACTED]"
}

Manifest fields

NameDescription
nameName of the release
idId of the release (ulid form)
tsTimestamp of last modification (seconds since epoch)
versionCurrent release number
commentFree form comment
signatureSignature of this manifest
pre_installCommand to run before the installation of this manifest. Note: a failure of this script will revert any installed asset
post_installCommand to run after the installation of this manifest. Note: a failure of this script will revert any installed asset
post_rebootCommand to run after rebooting the device following the installation of this manifest. Note: a failure of this script will revert any installed asset and issue another reboot
rootfsRootfs (specified below)
filesArray of files (specified below)
dekA per-OTA-release data encryption key derivation key generated by TRH for OTA bundle encryption and per-file encryption. This field is only available in the manifest sent to TCC during an OTA release, and is not in the manifest fetched by a device.
wdekA wrapped (encrypted) form of the dek, encrypted with the device’s okek so that only the intended device can unwrap it. Unlike dek, this field is present in the manifest fetched by a device and is used by TUC to derive decryption keys for OTA bundle decryption and per-file decryption.

File fields

NameDescription
nameFilename
install_locationInstall destination on device
download_locationDownload source URL
hashHash of the compressed file
pre_installCommand to run before the installation of this file. Note: a failure of this script will revert any installed asset
post_installCommand to run after the installation of this file. Note: a failure of this script will revert any installed asset

Rootfs fields

NameDescription
nameImage name
download_locationDownload source URL
hashHash of the compressed rootfs image
pre_installCommand to run before the installation of this image. Note: a failure of this script will revert any installed asset
post_installCommand to run after the installation of this image. Note: a failure of this script will revert any installed asset

Manual manifest fetching

If you prefer to fetch the update manifest manually, you can do so with the following command. This can be useful if you want to use a customized update client. The ID and Token defined in the command below are the obtained at the end of the device provisioning process. 
$ curl -H "Thistle-Device-ID: $DEVICE_ID" \
     -H "Authorization: Bearer $DEVICE_TOKEN" \
     https://device.thistle.tech/manifest