### Install tuftool Source: https://github.com/awslabs/tough/blob/develop/tuftool/README.md Install the latest version of tuftool using cargo. Ensure ~/.cargo/bin is in your PATH. ```sh cargo install --force tuftool ``` -------------------------------- ### Build tuftool Docker Image Source: https://github.com/awslabs/tough/blob/develop/tuftool/README.md Build a Docker image for tuftool to avoid local installation of the Rust toolchain. Use Docker or Finch with the provided command. ```sh docker build -t tuftool . ``` -------------------------------- ### Run tuftool in Docker Source: https://github.com/awslabs/tough/blob/develop/tuftool/README.md Execute tuftool commands within a Docker container by mounting the host working directory to /share. This example shows how to mount the current directory for the 'download' command. ```sh docker run -it -v $(pwd):/share tuftool download "/share/some_directory" ... ``` -------------------------------- ### Initialize TUF Repository Source: https://github.com/awslabs/tough/blob/develop/tuftool/README.md Set up a minimal TUF repository by creating a working directory, initializing root.json, setting expiration dates, defining signing thresholds, and generating/adding keys. ```sh export WRK="${HOME}/tuftool-example" mkdir -p "${WRK}" ``` ```sh # we will store our root.json in $WRK/root mkdir "${WRK}/root" # save the path to the root.json we are about to create, we will use it a lot export ROOT="${WRK}/root/root.json" # we will store our signing keys in $WRK/keys mkdir "${WRK}/keys" # instantiate a new root.json tuftool root init "${ROOT}" # set the root file's expiration date tuftool root expire "${ROOT}" 'in 6 weeks' # set the signing threshold for each of the standard signing roles. we are saying # that each of the following roles must have at least 1 valid signature tuftool root set-threshold "${ROOT}" root 1 tuftool root set-threshold "${ROOT}" snapshot 1 tuftool root set-threshold "${ROOT}" targets 1 tuftool root set-threshold "${ROOT}" timestamp 1 # this command both creates the key and adds it to root.json for the root role tuftool root gen-rsa-key "${ROOT}" "${WRK}/keys/root.pem" --role root # for this example we will re-use the same key for the other standard roles tuftool root add-key "${ROOT}" -k "${WRK}/keys/root.pem" --role snapshot tuftool root add-key "${ROOT}" -k "${WRK}/keys/root.pem" --role targets tuftool root add-key "${ROOT}" -k "${WRK}/keys/root.pem" --role timestamp # sign root.json tuftool root sign "${ROOT}" -k "${WRK}/keys/root.pem" ``` -------------------------------- ### Create TUF Repository Source: https://github.com/awslabs/tough/blob/develop/tuftool/README.md Create a TUF repository by adding target files and signing the metadata. This command generates the repository structure in the specified output directory. ```sh # create a directory to hold the targets that we will sign. we call this the # 'input' directory because these are the targets that we want to put into # our TUF repo mkdir -p "${WRK}/input" # create the targets that we want in our TUF repo echo "1" > "${WRK}/input/1.txt" echo "2" > "${WRK}/input/2.txt" # create a tuf repo! tuftool create \ --root "${ROOT}" \ --key "${WRK}/keys/root.pem" \ --add-targets "${WRK}/input" \ --targets-expires 'in 3 weeks' \ --targets-version 1 \ --snapshot-expires 'in 3 weeks' \ --snapshot-version 1 \ --timestamp-expires 'in 1 week' \ --timestamp-version 1 \ --outdir "${WRK}/tuf-repo" ``` ```sh # you can see our signed repository's metadata here: ls "${WRK}/tuf-repo/metadata" # and you can see our signed repository's targets here: ls "${WRK}/tuf-repo/targets" ``` -------------------------------- ### Create a new role named role1 Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Use this command to create a new role with its own signing key and output directory. Specify the role name, key path, expiration, and version. ```bash tuftool delegation --signing-role role1 create \ --key path/to/role1/key \ --expires in 2 days \ --version 1 \ --outdir role1/destination ``` -------------------------------- ### Create a new role named role2 Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Similar to creating role1, this command creates a new role named role2 with its own signing key and output directory. ```bash tuftool delegation --signing-role role2 create \ --key path/to/role2/key \ --expires in 2 days \ --version 1 \ --outdir role2/destination` ``` -------------------------------- ### Add a new key to targets for signing role1 Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Add a new signing key to the 'targets' role that will be used for signing 'role1'. This requires the repository owner's key, the new key's path, expiration, version, and the delegated role name. ```bash tuftool delegation --signing-role targets add-key \ --key path/to/repo/owner/key \ --new-key path/to/new/role1/key \ --expires in 2 days \ --version 63 \ --delegated-role role1 \ --outdir targets/with/extra/role1/key \ --root path/to/root.json \ --metadata-url path/to/metadata ``` -------------------------------- ### Run Unit Tests with Cargo Source: https://github.com/awslabs/tough/blob/develop/tough/README.md Execute unit tests using the standard Cargo command. ```bash cargo test ``` -------------------------------- ### Run All Tests Source: https://github.com/awslabs/tough/blob/develop/tuftool/README.md Run unit tests using 'cargo test'. For integration tests requiring AWS credentials, enable the 'integ' feature flag. ```sh cargo test --features 'integ' # or with a specific AWS profile: AWS_PROFILE=test-profile cargo test --features 'integ' ``` -------------------------------- ### Run All Tests with Cargo (Including Integration) Source: https://github.com/awslabs/tough/blob/develop/tough/README.md Execute all tests, including integration tests, by enabling the 'http' and 'integ' features. ```bash cargo test --all-features ``` ```bash cargo test --features 'http,integ' ``` -------------------------------- ### Download TUF Repository Source: https://github.com/awslabs/tough/blob/develop/tuftool/README.md Download a TUF repository from a specified location using file-based URLs for local repositories. This command is typically used for remote repositories over HTTP/S. ```sh # download tuf repo tuftool download \ --root "${ROOT}" \ -t "file://${WRK}/tuf-repo/targets" \ -m "file://${WRK}/tuf-repo/metadata" \ "${WRK}/tuftool-downlaod" ``` -------------------------------- ### Serialize Data to Canonical JSON Source: https://github.com/awslabs/tough/blob/develop/olpc-cjson/README.md Demonstrates how to use `CanonicalFormatter` with `serde_json::Serializer` to serialize a Rust value into canonical JSON format. The output is compared against an expected byte string. ```rust use olpc_cjson::CanonicalFormatter; use serde::Serialize; use serde_json::json; let value = json!({"b": 12, "a": "qwerty"}); let mut buf = Vec::new(); let mut ser = serde_json::Serializer::with_formatter(&mut buf, CanonicalFormatter::new()); value.serialize(&mut ser).unwrap(); assert_eq!(buf, br#"{"a":"qwerty","b":12}"#); ``` -------------------------------- ### Add role1 to the targets role Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Delegate a newly created role (e.g., role1) to an existing role (e.g., targets). This command requires the path to the repository owner's key, paths to be associated with the delegated role, expiration, version, and incoming metadata. ```bash tuftool delegation --signing-role targets add-role \ --delegated-role role1 \ --key path/to/repo/owner/key \ --paths foo?.txt \ --expires in 2 days \ --version 61 \ --threshold 1 \ --incoming-metadata role1/destination \ --sign-all \ --outdir metadata/with/role1 \ --root path/to/root.json \ --metadata-url path/to/metadata ``` -------------------------------- ### Add role2 to the role1 role Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Delegate role2 to role1. This command specifies the delegated role, the key for the signing role (role1), paths, expiration, version, and incoming metadata from role2's destination. ```bash tuftool delegation --signing-role role1 add-role \ --delegated-role role2 \ --key path/to/role1/key \ --paths foo3.txt \ --expires in 2 days \ --version 1 \ --threshold 1 \ --incoming-metadata role2/destination \ --sign-all \ --outdir role1/and/role2/destination \ --root path/to/root.json \ --metadata-url metadata/with/role1 ``` -------------------------------- ### Update repository metadata with new targets metadata Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md After adding a new key to a delegated role, update the repository's metadata. This command ensures the changes, including the new key, are reflected in the snapshot, targets, and timestamp files. ```bash tuftool update \ --key path/to/repo/owner/key \ --snapshot-version 74 \ --snapshot-expires in 3 days \ --targets-version 63 \ --targets-expires in 7 days \ --timestamp-version 593 \ --timestamp-expires in 1 day \ --role targets \ --incoming-metadata targets/with/extra/role1/key \ --outdir metadata/with/updated/role1/keys \ --root path/to/root.json \ --metadata-url path/to/metadata ``` -------------------------------- ### Remove a key from targets for signing role1 Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Remove a specific key from the 'targets' role that was used for signing 'role1'. This requires the key ID of the key to be removed, along with other standard parameters for delegation. ```bash tuftool delegation --signing-role targets remove-key \ --key path/to/repo/owner/key \ --keyid keyid \ --expires in 2 days \ --version 63 \ --delegated-role role1 \ --outdir targets/with/removed/role1/key \ --root path/to/root.json \ --metadata-url path/to/metadata ``` -------------------------------- ### Update repository metadata after removing a key Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Update the repository's metadata after removing a key from a delegated role. This ensures the repository's metadata reflects the removal of the specified key. ```bash tuftool update \ --key path/to/repo/owner/key \ --snapshot-version 74 \ --snapshot-expires in 3 days \ --targets-version 63 \ --targets-expires in 7 days \ --timestamp-version 593 \ --timestamp-expires in 1 day \ --role targets \ --incoming-metadata targets/with/removed/role1/key \ --outdir metadata/with/updated/role1/keys \ --root path/to/root.json \ --metadata-url path/to/metadata ``` -------------------------------- ### Update role1 in repository metadata Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Update the metadata for the repository, specifically for role1. This involves specifying versions and expiration dates for snapshot, targets, and timestamp roles, along with the incoming metadata for role1. ```bash tuftool update \ --key path/to/repo/owner/key \ --snapshot-version 73 \ --snapshot-expires in 3 days \ --targets-version 62 \ --targets-expires in 7 days \ --timestamp-version 592 \ --timestamp-expires in 1 day \ --role role1 \ --incoming-metadata role1/and/role2/destination \ --outdir metadata/with/role1/and/role2 \ --root path/to/root.json \ --metadata-url metadata/with/role1 ``` -------------------------------- ### Remove role1 from targets Source: https://github.com/awslabs/tough/blob/develop/doc/delegated-targets/tuftool-examples.md Remove a delegated role (e.g., role1) from a parent role (e.g., targets). This command requires the signing role, delegated role, repository owner's key, expiration, version, and output directory. ```bash tuftool delegation --signing-role targets remove-role \ --key path/to/repo/owner/key \ --delegated-role role1 \ --expires in 2 days \ --version 63 \ --outdir targets/with/removed/role1/key \ --root path/to/root.json \ --metadata-url path/to/metadata ``` -------------------------------- ### Update TUF Repository Source: https://github.com/awslabs/tough/blob/develop/tuftool/README.md Update an existing TUF repository by modifying target files and re-signing the metadata. This ensures the repository reflects the latest changes. ```sh # Change one of the target files echo "1.1" > "${WRK}/input/1.txt" # update tuf repo! tuftool update \ --root "${ROOT}" \ --key "${WRK}/keys/root.pem" \ --add-targets "${WRK}/input" \ --targets-expires 'in 3 weeks' \ --targets-version 2 \ --snapshot-expires 'in 3 weeks' \ --snapshot-version 2 \ --timestamp-expires 'in 1 week' \ --timestamp-version 2 \ --outdir "${WRK}/tuf-repo" \ --metadata-url file:///$WRK/tuf-repo/metadata ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.