Send the permision of the files
TUF don't sends the permissions of the files (like write, execute, ...). I'm asking their "mailing list":https://groups.google.com/forum/?fromgroups#!topic/theupdateframework/K3Mk4bXcwKU about it. In the worst case we might be able to patch TUF or use tgz instead of the files directly.
In the mailing list they confirmed me that TUF doesn't do that, but patches are welcome. Some ideas they proposed:
At the moment, the TUF metadata does not explicitly include file permissions. However, a simple workaround would be to ship a non-TUF metadata file (that will be signed with TUF, of course) that explicitly lists the permissions of all the other files. I haven't fully thought through the security implications of this method, so I'll let others criticize it.
The "custom" field of "FILEINFO":https://github.com/theupdateframework/tuf/blob/develop/tuf/formats.py#L252-L259 is one place file permissions can be stored. The "code to handle 'custom' data":https://github.com/theupdateframework/tuf/blob/develop/tuf/formats.py#L923-L938 is in place, and all that is required to get it fully implemented is an option to the repository tool.
(from redmine: created on 2014-06-23, closed on 2014-07-02, relates #5863 (closed))