### Python-TUF Installation Guide Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/index.rst Instructions on how to install the Python-TUF library, essential for developers looking to integrate TUF into their projects. ```APIDOC INSTALLATION Instructions on how to install the Python-TUF library, essential for developers looking to integrate TUF into their projects. ``` -------------------------------- ### Run TUF Repository Application Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/repository/README.md Executes the TUF repository application. The repository will be accessible on localhost, port 8001, serving metadata and targets. This command starts the simulated live repository. ```console ./repo ``` -------------------------------- ### Example Repository Implementation (Git) Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/repository-library-design.md A concrete example of a repository implementation, such as one interacting with a Git repository, should be provided. This serves as a demonstration and potential starting point for users. ```python import git class GitRepository: def __init__(self, repo_path): self.repo = git.Repo(repo_path) def commit_metadata(self, message): self.repo.index.commit(message) def push(self): origin = self.repo.remote(name='origin') origin.push() ``` -------------------------------- ### Python-TUF Repository Examples Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/README.md Examples demonstrating how to manage repositories using the Python-TUF library. This includes creating, loading, and modifying repository metadata. ```python # Example for repository usage # Refer to the 'repository' documentation for details. ``` -------------------------------- ### Python-TUF Client Examples Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/README.md Examples showing how to use the Python-TUF client to download and verify metadata and targets. This covers common client operations. ```python # Example for client usage # Refer to the 'client' documentation for details. ``` -------------------------------- ### TUF Uploader Tool Usage Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/uploader/README.md Demonstrates the command-line usage of the TUF Uploader Tool for initialization, claiming delegations, and adding target files. This involves interacting with a running repository example. ```console # Initialize with Trust-On-First-Use ./uploader tofu # Then claim a delegation for yourself (this also creates a new signing key): ./uploader add-delegation myrole # Then add a new downloadable target file to your delegated role (to keep the # example simple, the target file content is always the targetpath): ./uploader add-target myrole myrole/mytargetfile ``` -------------------------------- ### Install Python-TUF Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/INSTALLATION.rst Installs the 'tuf' package from PyPI using pip. This is the basic installation. ```bash python3 -m pip install tuf ``` -------------------------------- ### Python-TUF Uploader Tool Examples Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/README.md Examples for using the Python-TUF uploader tool, which facilitates uploading targets and metadata to a repository. ```python # Example for uploader tool usage # Refer to the 'uploader' documentation for details. ``` -------------------------------- ### Install Python-TUF for Development Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/INSTALLATION.rst Installs the 'tuf' library in editable mode with development dependencies. This requires cloning the repository first. ```bash python3 -m pip install -r requirements/dev.txt ``` -------------------------------- ### Initialize TUF Client (TOFU) Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/client/README.md Initializes the TUF client using the Trust-On-First-Use (TOFU) mechanism. This is typically done on the first use of a repository. ```console ./client tofu ``` -------------------------------- ### Initialize TUF Client with URL (TOFU) Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/client/README.md Initializes the TUF client using TOFU for a repository located at a specific URL. ```console ./client --url https://jku.github.io/tuf-demo tofu ``` -------------------------------- ### Python-TUF Usage Examples Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/index.rst Provides practical examples of how to use the Python-TUF library, demonstrating its capabilities and common use cases for developers. ```APIDOC Usage examples Provides practical examples of how to use the Python-TUF library, demonstrating its capabilities and common use cases for developers. ``` -------------------------------- ### Download Target File Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/client/README.md Downloads a specified target file from the configured TUF repository. ```console ./client download file1.txt ``` -------------------------------- ### Install Sphinx and Documentation Theme Source: https://github.com/theupdateframework/python-tuf/blob/develop/requirements/docs.txt Installs Sphinx, a documentation generator, and the 'sphinx-rtd-theme' for a Read the Docs-like appearance. These are essential for building the project's documentation. ```shell pip install sphinx sphinx-rtd-theme ``` -------------------------------- ### Python-TUF Low-level Metadata API Examples Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/README.md Examples demonstrating the low-level metadata API for Python-TUF, providing granular control over metadata operations. ```python # Example for low-level metadata API # Refer to the 'manual_repo' documentation for details. ``` -------------------------------- ### Download Target File from URL Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/client/README.md Downloads a specified target file from a TUF repository located at a specific URL. ```console ./client --url https://jku.github.io/tuf-demo download demo/succinctly-delegated-1.txt ``` -------------------------------- ### Install Python-TUF with Full Cryptographic Abilities Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/INSTALLATION.rst Installs 'tuf' along with 'securesystemslib' and its crypto extras for enhanced cryptographic operations, such as key and signature generation. ```bash python3 -m pip install securesystemslib[crypto] tuf ``` -------------------------------- ### GitRepository Example Implementation Details Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/repository-library-design.md Outlines design decisions and characteristics of the example GitRepository implementation for python-tuf, focusing on metadata storage, versioning, and file management. ```APIDOC GitRepository: Metadata Storage: - Stored in files within git. - Filenames allow serving metadata directory over HTTP. Version Bumping: - Based on git status (staging area edits bump version once). Current Version Loading: - Determined by filenames on disk. File Management: - Files removed when no longer part of the snapshot. Expiry Times: - Decided based on application-specific metadata fields. Private Key Storage: - Can be stored in files or environment variables (for CI). ``` -------------------------------- ### Python Style Guide Adherence Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0005-use-google-python-style-guide.md This section outlines the project's commitment to following the Google Python Style Guide. It details the rationale behind this decision, including the guide's comprehensiveness, alignment with PEP-8, and tooling support. It also mentions the existence of a slim document with additional refinements for specific project needs. ```python # Follow existing style when working on existing code (files) # Follow new style in any new code (files) # Consider providing linter and formatter configuration (e.g. pylint, flake8, black, yapf) to enforce and facilitate new style ``` -------------------------------- ### Verify Release Signature with GPG Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/INSTALLATION.rst Demonstrates how to download a release artifact and its signature from GitHub, import the public key, and verify the signature using GPG. This process ensures the integrity of the downloaded distribution. ```bash # Get wheel from PyPI and signature from GitHub python3 -m pip download --no-deps tuf==0.20.0 wget https://github.com/theupdateframework/python-tuf/releases/download/v0.20.0/tuf-0.20.0-py3-none-any.whl.asc # Get public key, compare fingerprint in MAINTAINERS.txt, and verify with gpg gpg --recv-keys 89A2AD3C07D962E8 gpg --verify tuf-0.20.0-py3-none-any.whl.asc # Output: # gpg: assuming signed data in 'tuf-0.20.0-py3-none-any.whl' # gpg: Signature made Thu Dec 16 09:21:38 2021 CET # gpg: using RSA key 8BA69B87D43BE294F23E812089A2AD3C07D962E8 # gpg: Good signature from "Lukas Pühringer " [ultimate] ``` -------------------------------- ### Install Pinned TUF Runtime Dependencies Source: https://github.com/theupdateframework/python-tuf/blob/develop/requirements/docs.txt Installs the pinned runtime dependencies for TUF from the 'pinned.txt' file. This ensures that the project uses specific, tested versions of its core dependencies, which should auto-update and trigger CI/CD pipelines. ```shell pip install -r pinned.txt ``` -------------------------------- ### Python-TUF Contribution Guide Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/index.rst Information for developers interested in contributing to the Python-TUF project, outlining guidelines and procedures. ```APIDOC CONTRIBUTING Information for developers interested in contributing to the Python-TUF project, outlining guidelines and procedures. ``` -------------------------------- ### TUF Repository API Documentation Source: https://github.com/theupdateframework/python-tuf/blob/develop/examples/repository/README.md Provides API endpoints for interacting with the TUF repository. These endpoints allow for uploading new metadata for roles and managing delegations, including key management. ```APIDOC API POST endpoints: /api/role/: Description: Uploads new delegated targets metadata for a specified role. Payload: New version of ROLEs metadata. /api/delegation/: Description: Modifies or creates a delegation for a specified role. Payload: A dictionary with one keyid:Key pair. ``` -------------------------------- ### Run Full Test Suite with Tox Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/CONTRIBUTING.rst Executes the entire test suite for python-tuf within separate virtual environments for each supported Python version. Tox automatically handles the installation of dependencies. ```shell tox ``` -------------------------------- ### Python-TUF API Overview Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/api/api-reference.rst Provides an overview of the two main APIs in the Python-TUF project: the low-level tuf.api for metadata abstraction and the high-level tuf.ngclient for client update workflows. It also links to example code. ```APIDOC TUF APIs: 1. tuf.api: - Low-level API for metadata file abstraction. - Handles de/serialization to/from files. - Focuses on individual Metadata pieces. - Does not include concepts like 'repository' or 'update workflow'. 2. tuf.ngclient: - High-level API for client update workflow. - Provides ways to query and download target files securely. - Handles TUF update workflow behind the scenes. - Implemented on top of the Metadata API. Code examples are available at: https://github.com/theupdateframework/python-tuf/tree/develop/examples ``` -------------------------------- ### Run Tests and Measure Coverage Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/CONTRIBUTING.rst Runs the tests and measures code coverage using the 'coverage' tool. Ensure 'coverage' is installed (e.g., via pip) before running this command. ```shell coverage run -m unittest ``` -------------------------------- ### Ergonomic Metadata Editing Example Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/repository-library-design.md Demonstrates a simple way to add a key to a role within the 'targets' metadata using a context manager. This pattern abstracts the complexities of loading, editing, and persisting metadata, including version and expiry updates. ```python with repository.edit("targets") as targets: # adds a key for role1 (as an example, arbitrary edits are allowed) targets.add_key(key, "role1") ``` -------------------------------- ### TUF Specification Conformance Source: https://github.com/theupdateframework/python-tuf/blob/develop/README.md This Python implementation aims to conform to version 1.0 of the TUF specification. It serves as a guide for implementing TUF in other languages and environments. ```APIDOC TUF Specification Conformance: Version: 1.0 Reference Implementation: python-tuf Goal: Provide a guide for cross-language TUF implementations. ``` -------------------------------- ### Import Yubikey for Signing Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/_posts/2023-01-24-securesystemslib-signer-api.md Imports a hardware security module (HSM) key, specifically a Yubikey, and stores its URI in the application's configuration. This function prompts the user to insert the key and returns the imported `Key` object. ```python from configparser import ConfigParser from tuf.api.metadata import Metadata from tuf.api.key import Key from tuf.api.signer import Signer from tuf.hsm import HSMSigner def import_yubikey(config: ConfigParser) -> Key: input("Insert your HW key and press enter") uri, key = HSMSigner.import_() # store the uri in application configuration config["keyring"][key.keyid] = uri return key ``` -------------------------------- ### TUF Client Configuration Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/api/tuf.ngclient.config.rst This section details the configuration options available for the TUF client, managed by the tuf.ngclient.config module. It covers initialization, setting repository paths, and other client-specific settings. ```APIDOC tuf.ngclient.config: __init__(repository_dir: str, tuf_data_dir: str = None) Initializes the TUF client configuration. Parameters: repository_dir: The directory where the TUF repository metadata is stored. tuf_data_dir: Optional directory for storing TUF-related data. Defaults to a system-specific location if not provided. set_repository_dir(repository_dir: str) Sets the directory for the TUF repository. Parameters: repository_dir: The new directory path for the repository. get_repository_dir() -> str Retrieves the current TUF repository directory. Returns: The path to the TUF repository directory. set_tuf_data_dir(tuf_data_dir: str) Sets the directory for storing TUF data. Parameters: tuf_data_dir: The new directory path for TUF data. get_tuf_data_dir() -> str Retrieves the current TUF data directory. Returns: The path to the TUF data directory. set_log_dir(log_dir: str) Sets the directory for logging TUF operations. Parameters: log_dir: The directory path for logs. get_log_dir() -> str Retrieves the current log directory. Returns: The path to the log directory. set_log_level(level: str) Sets the logging level for TUF operations. Parameters: level: The logging level (e.g., 'DEBUG', 'INFO', 'WARNING', 'ERROR'). get_log_level() -> str Retrieves the current logging level. Returns: The current logging level. set_metadata_refresh_interval(interval: int) Sets the interval (in seconds) for refreshing metadata. Parameters: interval: The refresh interval in seconds. get_metadata_refresh_interval() -> int Retrieves the metadata refresh interval. Returns: The refresh interval in seconds. set_max_root_file_size(size: int) Sets the maximum allowed size for root metadata files. Parameters: size: The maximum size in bytes. get_max_root_file_size() -> int Retrieves the maximum root file size. Returns: The maximum size in bytes. ``` -------------------------------- ### TUF Runtime Dependencies Source: https://github.com/theupdateframework/python-tuf/blob/develop/requirements/main.txt Specifies the core runtime dependencies for the TUF project, including securesystemslib with cryptographic extensions and the urllib3 library. This setup is used with pip-compile to generate a fully pinned requirements file. ```python securesystemslib[crypto] urllib3 ``` -------------------------------- ### Project Build, Test, and Lint Targets Source: https://github.com/theupdateframework/python-tuf/blob/develop/requirements/dev.txt Specifies the files used for building, testing, and linting the Python-TUF project. These are typically used by build tools or scripts. ```shell -r build.txt -r test.txt -r lint.txt ``` -------------------------------- ### Sign Metadata with Yubikey Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/_posts/2023-01-24-securesystemslib-signer-api.md Signs a given metadata object (`md`) using a private key associated with a Yubikey. It retrieves the key's URI from the configuration and creates a `Signer` instance to perform the signing operation. ```python from configparser import ConfigParser from tuf.api.metadata import Metadata from tuf.api.key import Key from tuf.api.signer import Signer def sign_local(md: Metadata, key: Key, config: ConfigParser) -> None: uri = config["keyring"][key.keyid] signer = Signer.from_priv_key_uri(uri, key) md.sign(signer) ``` -------------------------------- ### Separated Serialization Interface Example (Option 3) Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0006-where-to-implemenent-model-serialization.md Presents serialization implemented independently of metadata classes using an abstract `Serializer` interface. This provides complete decoupling and a clear blueprint for custom implementations but requires reimplementing the class hierarchy. ```python from abc import ABC, abstractmethod class Serializer(ABC): @abstractmethod def serialize(self, metadata_object): pass class JsonSerializer(Serializer): def serialize(self, metadata_object): """Serializes metadata using JSON.""" # JSON serialization logic pass class YamlSerializer(Serializer): def serialize(self, metadata_object): """Serializes metadata using YAML.""" # YAML serialization logic pass # Usage: # json_serializer = JsonSerializer() # serialized_data = json_serializer.serialize(my_metadata_object) ``` -------------------------------- ### Securesystemslib Signer and Key Classes Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/_posts/2023-01-24-securesystemslib-signer-api.md Defines the core components of the new signing API: Signer and Key classes. These facilitate dynamic dispatch and management of private key URIs for various signing technologies. ```APIDOC securesystemslib.signer.Signer: __init__(private_key_uri: str, key: Key) Initializes a Signer with a private key URI and associated Key object. private_key_uri: A URI identifying the signing technology and private key. key: The Key object containing public key information. from_priv_key_uri(uri: str, key: Key) -> Signer Factory method to create a Signer instance from a private key URI and Key object. Handles dynamic dispatch based on the URI scheme. securesystemslib.signer.Key: __init__(keytype: str, keyval: dict, signature: dict = None, unrecognized_fields: dict = None) Initializes a Key object. keytype: The type of the key (e.g., 'rsa', 'ed25519'). keyval: A dictionary containing the key material. signature: Optional signature information. unrecognized_fields: Optional dictionary for custom fields like 'x-online-uri'. ``` -------------------------------- ### Metadata Subclass Serialization Example (Option 2) Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0006-where-to-implemenent-model-serialization.md Demonstrates serialization logic moved to metadata subclasses, like `JsonMetadata.serialize()`. This decouples wire formats from base classes but requires users to pre-select serialization types and can lead to extensive subclassing. ```python class BaseMetadata: # ... base metadata attributes ... pass class JsonMetadata(BaseMetadata): def serialize(self): """Serializes metadata using JSON.""" # JSON serialization logic pass class YamlMetadata(BaseMetadata): def serialize(self): """Serializes metadata using YAML.""" # YAML serialization logic pass ``` -------------------------------- ### Metadata Class Serialization Example (Option 1) Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0006-where-to-implemenent-model-serialization.md Illustrates serialization implemented directly within metadata classes, such as a `Metadata.serialize_as_json()` method. This approach offers encapsulation but can lead to complexities with inheritance and may incorrectly imply TUF is limited to JSON. ```python class Metadata: # ... other metadata attributes and methods ... def serialize_as_json(self): """Serializes the metadata object to a JSON string.""" # Implementation details for JSON serialization pass def serialize_as_yaml(self): """Serializes the metadata object to a YAML string.""" # Implementation details for YAML serialization pass ``` -------------------------------- ### Repository API and Key Management Abstraction Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/repository-library-design.md The Repository API is designed to facilitate efficient editing of individual metadata files. It should include a keyring abstraction for managing private keys used by different roles. Implementations may provide concrete examples of this abstraction. ```python class Repository: def __init__(self, keyring): self.keyring = keyring def add_target(self, target_path, metadata_path): # ... implementation to add target and update metadata pass class Keyring: def get_private_key(self, role_name): # ... implementation to retrieve private key pass ``` -------------------------------- ### Verify Release Locally Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/RELEASE.md Runs the `verify_release` script locally to ensure that a build generated on the local machine matches the preliminary release artifacts published on GitHub. It can also be used to create GPG release signatures. ```shell verify_release --skip-pypi ``` ```shell verify_release --sign [] ``` -------------------------------- ### Testing Rollback Protection with Expired Timestamp in Python-TUF Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/_posts/2022-06-15-testing-ngclient.md This example illustrates how to test rollback protection when the local timestamp metadata has expired. It involves setting up specific version and expiry conditions for timestamp and snapshot metadata to verify that rollback checks are correctly performed. ```python from tests.test_updater_top_level_update import test_expired_timestamp_version_rollback, test_expired_timestamp_snapshot_rollback # Conceptual representation of test_expired_timestamp_version_rollback: # 1. Set timestamp v1 expiry one week ahead (to day 7). # (Simulated by test setup) # 2. Perform updater.refresh() on day 0. # updater.refresh() # 3. Publish timestamp v2 with expiry three weeks ahead (to day 21). # (Simulated by test setup) # 4. Perform updater.refresh() between day 7 and day 21. # updater.refresh() # 5. Verify rollback check uses expired timestamp v1. # (Assertions within test_expired_timestamp_version_rollback) # Conceptual representation of test_expired_timestamp_snapshot_rollback: # Similar approach, ensuring snapshot version is not the latest after an update # to verify rollback checks with expired timestamp and older snapshot. # (Assertions within test_expired_timestamp_snapshot_rollback) ``` -------------------------------- ### Simulating Expired Metadata Update in Python-TUF Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/_posts/2022-06-15-testing-ngclient.md This example demonstrates how to simulate a scenario where local metadata has expired, but an update is still required from a remote repository. It involves manipulating expiry dates and versions to ensure the update process functions correctly even with stale local data. ```python from tests.test_updater_top_level_update import test_expired_metadata # This is a conceptual representation. The actual test function would be called within a testing framework. # The following steps outline the logic described in the documentation: # 1. Set timestamp expiry one week ahead (to day 7) # (Simulated by test_expired_metadata setup) # 2. On day 0, download, verify, and load metadata. # updater.refresh() # 3. Bump snapshot and targets versions to v2 on day 0. # (Simulated by test_expired_metadata setup) # 4. Set v2 expiry dates three weeks ahead (to day 21). # (Simulated by test_expired_metadata setup) # 5. Travel in time between day 7 and day 21. # (Simulated by test_expired_metadata setup) # 6. Perform a successful refresh with expired local timestamp. # updater.refresh() # 7. Check final repository version of snapshot and targets roles is v2. # (Assertions within test_expired_metadata) ``` -------------------------------- ### Python-TUF ngclient Core Abstractions Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/_posts/2022-05-04-ngclient-design.md Details the core abstractions in the new `ngclient` implementation of Python-TUF, including their responsibilities and lines of code. These abstractions aim for simpler implementation and more correct design patterns. ```python Metadata (900 SLOC, [docs](https://theupdateframework.readthedocs.io/en/latest/api/tuf.api.html)) handles everything related to individual pieces of TUF metadata: deserialization, signing, and verifying TrustedMetadataSet (170 SLOC) is a collection of local, trusted metadata. It defines rules for how new metadata can be added into the set and ensures that metadata in it is always consistent and valid: As an example, if `TrustedMetadataSet` contains a targets metadata, the set guarantees that the targets metadata is signed by trusted keys and is part of a currently valid TUF snapshot Updater (250 SLOC, [docs](https://theupdateframework.readthedocs.io/en/latest/api/tuf.ngclient.updater.html)) makes decisions on what metadata should be loaded into `TrustedMetadataSet`, both from the local cache and from a remote repository. While `TrustedMetadataSet` always raises an exception if a metadata is not valid, `Updater` considers the context and handles some failures as a part of the process and some as actual errors. `Updater` also handles persisting validated metadata and targets onto local storage and provides the user-facing API FetcherInterface (100 SLOC, [docs](https://theupdateframework.readthedocs.io/en/latest/api/tuf.ngclient.fetcher.html)) is the abstract file downloader. By default, a Requests-based implementation is used but clients can use custom fetchers to tweak how downloads are done ``` -------------------------------- ### Sign with Online Key (KMS) Source: https://github.com/theupdateframework/python-tuf/blob/develop/docs/_posts/2023-01-24-securesystemslib-signer-api.md Signs metadata using an online key, retrieving the private key URI from the public key's unrecognized fields. Requires the 'cloudkms.signer' role on Google Cloud. ```python def sign_online(self, md: Metadata, key: Key) -> None: uri = key.unrecognized_fields["x-online-uri"] signer = Signer.from_priv_key_uri(uri, key) md.sign(signer) ```