diff --git a/hack/vendor.sh b/hack/vendor.sh
index 9e0a033d4a..1885ef901b 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -43,7 +43,7 @@ clone git github.com/docker/distribution 20c4b7a1805a52753dfd593ee1cc35558722a0c
 clone git github.com/vbatts/tar-split v0.9.10
 clone git github.com/docker/notary 089d8450d8928aa1c58fd03f09cabbde9bcb4590
-clone git github.com/endophage/gotuf 876c31a61bc4aa0dae09bb8ef3946dc26dd04924
+clone git github.com/endophage/gotuf 2df1c8e0a7b7e10ae2113bf37aaa1bf1c1de8cc5
 clone git github.com/jfrazelle/go 6e461eb70cb4187b41a84e9a567d7137bdbe0f16
 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
diff --git a/vendor/src/github.com/endophage/gotuf/client/client.go b/vendor/src/github.com/endophage/gotuf/client/client.go
index 532e474789..c0fcf7a830 100644
--- a/vendor/src/github.com/endophage/gotuf/client/client.go
+++ b/vendor/src/github.com/endophage/gotuf/client/client.go
@@ -261,8 +261,7 @@ func (c *Client) downloadTimestamp() error {
 }
 // unlike root, targets and snapshot, always try and download timestamps
 // from remote, only using the cache one if we couldn't reach remote.
- raw, err := c.remote.GetMeta(role, maxSize)
- var s *data.Signed
+ raw, s, err := c.downloadSigned(role, maxSize, nil)
 if err != nil || len(raw) == 0 {
 if err, ok := err.(store.ErrMetaNotFound); ok {
 return err
@@ -279,11 +278,6 @@ func (c *Client) downloadTimestamp() error {
 s = old
 } else {
 download = true
- s = &data.Signed{}
- err = json.Unmarshal(raw, s)
- if err != nil {
- return err
- }
 }
 err = signed.Verify(s, role, version, c.keysDB)
 if err != nil {
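Review bot: In downloadTimestamp, a remote timestamp that fails to decode now lands in the `err != nil || len(raw) == 0` branch, because the decode moved into `c.downloadSigned(role, maxSize, nil)` and the `json.Unmarshal` block that used to return the error (removed in the second client.go hunk) is gone. From the visible lines that branch looks like the cached-timestamp fallback, so a malformed or truncated response would be treated like an unreachable remote; the rest of the branch and the tail of downloadSigned are outside the hunks, so this needs confirming. If the fallback is intended, record the cause before using the cache, e.g. `logrus.Debugf("timestamp download failed, using cache: %v", err)`, so a corrupted response is visible in logs. The `nil` argument also deserves a comment such as `// no pinned hash exists for timestamp; integrity rests on signed.Verify below`.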
@@ -305,10 +299,13 @@ func (c *Client) downloadTimestamp() error {
 func (c *Client) downloadSnapshot() error {
 logrus.Debug("downloadSnapshot")
 role := data.RoleName("snapshot")
+ if c.local.Timestamp == nil {
+ return ErrMissingMeta{role: "snapshot"}
+ }
 size := c.local.Timestamp.Signed.Meta[role].Length
 expectedSha256, ok := c.local.Timestamp.Signed.Meta[role].Hashes["sha256"]
 if !ok {
- return fmt.Errorf("Sha256 is currently the only hash supported by this client. No Sha256 found for snapshot")
+ return ErrMissingMeta{role: "snapshot"}
 }
 var download bool
@@ -373,6 +370,9 @@ func (c *Client) downloadSnapshot() error {
 // including delegates roles.
 func (c *Client) downloadTargets(role string) error {
 role = data.RoleName(role) // this will really only do something for base targets role
+ if c.local.Snapshot == nil {
+ return ErrMissingMeta{role: role}
+ }
 snap := c.local.Snapshot.Signed
 root := c.local.Root.Signed
 r := c.keysDB.GetRole(role)
@@ -398,13 +398,12 @@ func (c *Client) downloadTargets(role string) error {
 }
 func (c *Client) downloadSigned(role string, size int64, expectedSha256 []byte) ([]byte, *data.Signed, error) {
- logrus.Debugf("downloading new %s", role)
 raw, err := c.remote.GetMeta(role, size)
 if err != nil {
 return nil, nil, err
 }
 genHash := sha256.Sum256(raw)
- if !bytes.Equal(genHash[:], expectedSha256) {
+ if expectedSha256 != nil && !bytes.Equal(genHash[:], expectedSha256) {
 return nil, nil, ErrChecksumMismatch{role: role}
 }
 s := &data.Signed{}
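Review bot: In downloadSnapshot, `ErrMissingMeta` is returned for two different conditions, `c.local.Timestamp == nil` and a missing sha256 entry, yet its message (added in errors.go by this commit) always reads "sha256 checksum required", so a missing timestamp is reported as a hash problem. The same applies to the `c.local.Snapshot == nil` guard in downloadTargets and to the role-not-in-snapshot return in GetTargetsFile, whose removed messages were more specific. Give the error a reason field or use a separate error for absent parent metadata, so logs distinguish missing state from a missing hash. Both returns here can also reuse the local variable, `return ErrMissingMeta{role: role}`, instead of repeating the literal.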
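Review bot: In downloadTargets, `root := c.local.Root.Signed`, two lines below the new Snapshot guard, still dereferences `c.local.Root` without a nil check, so the function is only partly protected if root metadata can be absent at this point. Whether that can happen is not visible here, since the body continues outside the hunk. If it can, add `if c.local.Root == nil { return ErrMissingMeta{role: "root"} }` next to the Snapshot guard; otherwise a one-line comment stating that root is always loaded first would document the invariant.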
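Review bot: In downloadSigned, `expectedSha256 != nil &&` makes the integrity check fail open: any caller that passes a nil slice skips hash verification, not only the timestamp path that passes `nil` on purpose. The callers visible in this diff test only that the `"sha256"` key exists (`ok`), so a hash entry that decodes to a nil slice would presumably bypass the comparison with no error; signature verification may still apply, but the checksum layer is dropped silently. Make the opt-out explicit rather than inferred: in the paths that require a hash add `if len(expectedSha256) == 0 { return ErrMissingMeta{role: role} }` before calling, and document on downloadSigned that nil means no checksum is available and the caller must verify signatures. This commit also removes the `resp.ContentLength` short-read check from HTTPStore.GetMeta, so the nil path has neither a length nor a hash check before JSON decoding. The function's tail is outside the hunk.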
@@ -419,11 +418,11 @@ func (c Client) GetTargetsFile(role string, keyIDs []string, snapshotMeta data.F
 // require role exists in snapshots
 roleMeta, ok := snapshotMeta[role]
 if !ok {
- return nil, fmt.Errorf("Snapshot does not contain target role")
+ return nil, ErrMissingMeta{role: role}
 }
 expectedSha256, ok := snapshotMeta[role].Hashes["sha256"]
 if !ok {
- return nil, fmt.Errorf("Sha256 is currently the only hash supported by this client. No Sha256 found for targets role %s", role)
+ return nil, ErrMissingMeta{role: role}
 }
 // try to get meta file from content addressed cache
diff --git a/vendor/src/github.com/endophage/gotuf/client/errors.go b/vendor/src/github.com/endophage/gotuf/client/errors.go
index 311e74a8de..8c8ae527ca 100644
--- a/vendor/src/github.com/endophage/gotuf/client/errors.go
+++ b/vendor/src/github.com/endophage/gotuf/client/errors.go
@@ -18,6 +18,14 @@ func (e ErrChecksumMismatch) Error() string {
 return fmt.Sprintf("tuf: checksum for %s did not match", e.role)
 }
+type ErrMissingMeta struct {
+ role string
+}
+
+func (e ErrMissingMeta) Error() string {
+ return fmt.Sprintf("tuf: sha256 checksum required for %s", e.role)
+}
+
 type ErrMissingRemoteMetadata struct {
 Name string
 }
diff --git a/vendor/src/github.com/endophage/gotuf/store/httpstore.go b/vendor/src/github.com/endophage/gotuf/store/httpstore.go
index 7304382675..6b69683a8e 100644
--- a/vendor/src/github.com/endophage/gotuf/store/httpstore.go
+++ b/vendor/src/github.com/endophage/gotuf/store/httpstore.go
@@ -99,10 +99,6 @@ func (s HTTPStore) GetMeta(name string, size int64) ([]byte, error) {
 logrus.Debugf("%d when retrieving metadata for %s", resp.StatusCode, name)
 b := io.LimitReader(resp.Body, size)
 body, err := ioutil.ReadAll(b)
- if resp.ContentLength > 0 && int64(len(body)) < resp.ContentLength {
- return nil, ErrShortRead{}
- }
-
 if err != nil {
 return nil, err
 }
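Review bot: In errors.go, the exported type `ErrMissingMeta` and its `Error` method have no doc comments, so the conditions that produce it are not discoverable from the package documentation. Add `// ErrMissingMeta is returned when metadata needed to verify a role (its parent metadata or its sha256 entry) is not available.` above the type and `// Error implements the error interface.` above the method. The `role` field is unexported, like the one on `ErrChecksumMismatch`, so callers outside the package can only read the role from the message string; a comment noting that this is intentional would help.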
diff --git a/vendor/src/github.com/endophage/gotuf/store/memorystore.go b/vendor/src/github.com/endophage/gotuf/store/memorystore.go
index d32c9a4f3d..3baa576a56 100644
--- a/vendor/src/github.com/endophage/gotuf/store/memorystore.go
+++ b/vendor/src/github.com/endophage/gotuf/store/memorystore.go
@@ -31,7 +31,15 @@ type memoryStore struct {
 }
 func (m *memoryStore) GetMeta(name string, size int64) ([]byte, error) {
- return m.meta[name], nil
+ d, ok := m.meta[name]
+ if ok {
+ if int64(len(d)) < size {
+ return d, nil
+ }
+ return d[:size], nil
+ } else {
+ return nil, ErrMetaNotFound{}
+ }
 }
 func (m *memoryStore) SetMeta(name string, meta []byte) error {
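Review bot: `d[:size]` in the new memoryStore.GetMeta panics with a slice-bounds error when `size` is negative, because `int64(len(d)) < size` is false for any negative value and the slice expression is then evaluated. In the client hunks of this commit `size` is taken from the `Length` field of previously downloaded metadata, so wherever a memoryStore serves as the remote the value is not guaranteed to be sane; check `size < 0` before slicing and return an error instead of panicking. The `else` after a returning `if` can be dropped by testing the miss first: `if !ok { return nil, ErrMetaNotFound{} }`. The returned slice also aliases the stored bytes, so a caller that mutates it changes the store's copy; a comment or a copy would make that explicit.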