README
¶
go-tuf
This is a Go implementation of The Update Framework (TUF), a framework for securing software update systems.
Directory layout
A TUF repository has the following directory layout:
.
├── keys
├── repository
│ └── targets
└── staged
└── targets
The directories contain the following files:
keys/- signing keys (optionally encrypted) with filename patternROLE.jsonrepository/- signed metadata filesrepository/targets/- hashed target filesstaged/- either signed, unsigned or partially signed metadata filesstaged/targets/- unhashed target files
CLI
go-tuf provides a CLI for managing a local TUF repository.
Install
go-tuf is tested on Go versions 1.16 and 1.17.
go get github.com/theupdateframework/go-tuf/cmd/tuf
Commands
tuf init [--consistent-snapshot=false]
Initializes a new repository.
This is only required if the repository should not generate consistent
snapshots (i.e. by passing --consistent-snapshot=false). If consistent
snapshots should be generated, the repository will be implicitly
initialized to do so when generating keys.
tuf gen-key [--expires=<days>] <role>
Prompts the user for an encryption passphrase (unless the
--insecure-plaintext flag is set), then generates a new signing key and
writes it to the relevant key file in the keys directory. It also stages
the addition of the new key to the root metadata file. Alternatively, passphrases
can be set via environment variables in the form of TUF_{{ROLE}}_PASSPHRASE
tuf revoke-key [--expires=<days>] <role> <id>
Revoke a signing key
The key will be removed from the root metadata file, but the key will remain in the "keys" directory if present.
tuf add [<path>...]
Hashes files in the staged/targets directory at the given path(s), then
updates and stages the targets metadata file. Specifying no paths hashes all
files in the staged/targets directory.
tuf remove [<path>...]
Stages the removal of files with the given path(s) from the targets metadata file
(they get removed from the filesystem when the change is committed). Specifying
no paths removes all files from the targets metadata file.
tuf snapshot [--expires=<days>]
Expects a staged, fully signed targets metadata file and stages an appropriate
snapshot metadata file. Optionally one can set number of days after which
the snapshot metadata will expire.
tuf timestamp [--expires=<days>]
Stages an appropriate timestamp metadata file. If a snapshot metadata file is staged,
it must be fully signed. Optionally one can set number of days after which
the timestamp metadata will expire.
tuf sign <metadata>
Signs the given role's staged metadata file with all keys present in the keys
directory for that role.
tuf commit
Verifies that all staged changes contain the correct information and are signed
to the correct threshold, then moves the staged files into the repository
directory. It also removes any target files which are not in the targets
metadata file.
tuf regenerate [--consistent-snapshot=false]
Note: Not supported yet
Recreates the targets metadata file based on the files in repository/targets.
tuf clean
Removes all staged metadata files and targets.
tuf root-keys
Outputs a JSON serialized array of root keys to STDOUT. The resulting JSON should be distributed to clients for performing initial updates.
tuf set-threshold <role> <threshold>
Sets role's threshold (required number of keys for signing) to
threshold.
tuf get-threshold <role>
Outputs role's threshold (required number of keys for signing).
tuf change-passphrase <role>
Changes the passphrase for given role keys file. The CLI supports reading
both the existing and the new passphrase via the following environment
variables - TUF_{{ROLE}}_PASSPHRASE and respectively TUF_NEW_{{ROLE}}_PASSPHRASE
Usage of environment variables
The tuf CLI supports receiving passphrases via environment variables in
the form of TUF_{{ROLE}}_PASSPHRASE for existing ones and
TUF_NEW_{{ROLE}}_PASSPHRASE for setting new ones.
For a list of supported commands, run tuf help from the command line.
Examples
The following are example workflows for managing a TUF repository with the CLI.
The tree commands do not need to be run, but their output serve as an
illustration of what files should exist after performing certain commands.
Although only two machines are referenced (i.e. the "root" and "repo" boxes), the workflows can be trivially extended to many signing machines by copying staged changes and signing on each machine in turn before finally committing.
Some key IDs are truncated for illustrative purposes.
Create signed root metadata file
Generate a root key on the root box:
$ tuf gen-key root
Enter root keys passphrase:
Repeat root keys passphrase:
Generated root key with ID 184b133f
$ tree .
.
├── keys
│ └── root.json
├── repository
└── staged
├── root.json
└── targets
Copy staged/root.json from the root box to the repo box and generate targets,
snapshot and timestamp keys:
$ tree .
.
├── keys
├── repository
└── staged
├── root.json
└── targets
$ tuf gen-key targets
Enter targets keys passphrase:
Repeat targets keys passphrase:
Generated targets key with ID 8cf4810c
$ tuf gen-key snapshot
Enter snapshot keys passphrase:
Repeat snapshot keys passphrase:
Generated snapshot key with ID 3e070e53
$ tuf gen-key timestamp
Enter timestamp keys passphrase:
Repeat timestamp keys passphrase:
Generated timestamp key with ID a3768063
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
└── staged
├── root.json
└── targets
Copy staged/root.json from the repo box back to the root box and sign it:
$ tree .
.
├── keys
│ ├── root.json
├── repository
└── staged
├── root.json
└── targets
$ tuf sign root.json
Enter root keys passphrase:
The staged root.json can now be copied back to the repo box ready to be
committed alongside other metadata files.
Add a target file
Assuming a staged, signed root metadata file and the file to add exists at
staged/targets/foo/bar/baz.txt:
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
└── staged
├── root.json
└── targets
└── foo
└── bar
└── baz.txt
$ tuf add foo/bar/baz.txt
Enter targets keys passphrase:
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
└── staged
├── root.json
├── targets
│ └── foo
│ └── bar
│ └── baz.txt
└── targets.json
$ tuf snapshot
Enter snapshot keys passphrase:
$ tuf timestamp
Enter timestamp keys passphrase:
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
└── staged
├── root.json
├── snapshot.json
├── targets
│ └── foo
│ └── bar
│ └── baz.txt
├── targets.json
└── timestamp.json
$ tuf commit
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
Remove a target file
Assuming the file to remove is at repository/targets/foo/bar/baz.txt:
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
$ tuf remove foo/bar/baz.txt
Enter targets keys passphrase:
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
└── targets.json
$ tuf snapshot
Enter snapshot keys passphrase:
$ tuf timestamp
Enter timestamp keys passphrase:
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
├── snapshot.json
├── targets.json
└── timestamp.json
$ tuf commit
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
└── staged
Regenerate metadata files based on targets tree (Note: Not supported yet)
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
$ tuf regenerate
Enter targets keys passphrase:
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
└── targets.json
$ tuf snapshot
Enter snapshot keys passphrase:
$ tuf timestamp
Enter timestamp keys passphrase:
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
├── snapshot.json
├── targets.json
└── timestamp.json
$ tuf commit
$ tree .
.
├── keys
│ ├── snapshot.json
│ ├── targets.json
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
Update timestamp.json
$ tree .
.
├── keys
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
$ tuf timestamp
Enter timestamp keys passphrase:
$ tree .
.
├── keys
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
└── timestamp.json
$ tuf commit
$ tree .
.
├── keys
│ └── timestamp.json
├── repository
│ ├── root.json
│ ├── snapshot.json
│ ├── targets
│ │ └── foo
│ │ └── bar
│ │ └── baz.txt
│ ├── targets.json
│ └── timestamp.json
└── staged
Client
For the client package, see https://godoc.org/github.com/theupdateframework/go-tuf/client.
For the client CLI, see https://github.com/theupdateframework/go-tuf/tree/master/cmd/tuf-client.
Development
For local development, go-tuf requires Go version 1.16 or 1.17.
The Python interoperability tests require Python 3
(available as python on the $PATH) and the python-tuf
package installed (pip install tuf). To update the data for these tests requires Docker and make (see
test data README.md for details).
Documentation
¶
Index ¶
- Variables
- type ErrFileNotFound
- type ErrInsufficientKeys
- type ErrInsufficientSignatures
- type ErrInvalidExpires
- type ErrInvalidRole
- type ErrKeyNotFound
- type ErrMissingMetadata
- type ErrNotEnoughKeys
- type ErrPassphraseRequired
- type LocalStore
- type PassphraseChanger
- type Repo
- func (r *Repo) AddOrUpdateSignature(roleFilename string, signature data.Signature) error
- func (r *Repo) AddPrivateKey(role string, signer keys.Signer) error
- func (r *Repo) AddPrivateKeyWithExpires(keyRole string, signer keys.Signer, expires time.Time) error
- func (r *Repo) AddTarget(path string, custom json.RawMessage) error
- func (r *Repo) AddTargetWithExpires(path string, custom json.RawMessage, expires time.Time) error
- func (r *Repo) AddTargets(paths []string, custom json.RawMessage) error
- func (r *Repo) AddTargetsWithDigest(digest string, digestAlg string, length int64, path string, ...) error
- func (r *Repo) AddTargetsWithExpires(paths []string, custom json.RawMessage, expires time.Time) error
- func (r *Repo) AddVerificationKey(keyRole string, pk *data.PublicKey) error
- func (r *Repo) AddVerificationKeyWithExpiration(keyRole string, pk *data.PublicKey, expires time.Time) error
- func (r *Repo) ChangePassphrase(keyRole string) error
- func (r *Repo) Clean() error
- func (r *Repo) Commit() error
- func (r *Repo) GenKey(role string) ([]string, error)
- func (r *Repo) GenKeyWithExpires(keyRole string, expires time.Time) (keyids []string, err error)
- func (r *Repo) GetThreshold(keyRole string) (int, error)
- func (r *Repo) Init(consistentSnapshot bool) error
- func (r *Repo) RemoveTarget(path string) error
- func (r *Repo) RemoveTargetWithExpires(path string, expires time.Time) error
- func (r *Repo) RemoveTargets(paths []string) error
- func (r *Repo) RemoveTargetsWithExpires(paths []string, expires time.Time) error
- func (r *Repo) RevokeKey(role, id string) error
- func (r *Repo) RevokeKeyWithExpires(keyRole, id string, expires time.Time) error
- func (r *Repo) RootKeys() ([]*data.PublicKey, error)
- func (r *Repo) RootVersion() (int, error)
- func (r *Repo) SetSnapshotVersion(v int) error
- func (r *Repo) SetTargetsVersion(v int) error
- func (r *Repo) SetThreshold(keyRole string, t int) error
- func (r *Repo) SetTimestampVersion(v int) error
- func (r *Repo) Sign(roleFilename string) error
- func (r *Repo) SignedMeta(roleFilename string) (*data.Signed, error)
- func (r *Repo) Snapshot() error
- func (r *Repo) SnapshotVersion() (int, error)
- func (r *Repo) SnapshotWithExpires(expires time.Time) error
- func (r *Repo) Targets() (data.TargetFiles, error)
- func (r *Repo) TargetsVersion() (int, error)
- func (r *Repo) Timestamp() error
- func (r *Repo) TimestampVersion() (int, error)
- func (r *Repo) TimestampWithExpires(expires time.Time) error
- type TargetsWalkFunc
Constants ¶
This section is empty.
Variables ¶
Functions ¶
This section is empty.
Types ¶
type ErrFileNotFound ¶
type ErrFileNotFound struct {
Path string
}
func (ErrFileNotFound) Error ¶
func (e ErrFileNotFound) Error() string
type ErrInsufficientKeys ¶
type ErrInsufficientKeys struct {
Name string
}
func (ErrInsufficientKeys) Error ¶
func (e ErrInsufficientKeys) Error() string
type ErrInsufficientSignatures ¶
func (ErrInsufficientSignatures) Error ¶
func (e ErrInsufficientSignatures) Error() string
type ErrInvalidExpires ¶
func (ErrInvalidExpires) Error ¶
func (e ErrInvalidExpires) Error() string
type ErrInvalidRole ¶
type ErrInvalidRole struct {
Role string
}
func (ErrInvalidRole) Error ¶
func (e ErrInvalidRole) Error() string
type ErrKeyNotFound ¶
func (ErrKeyNotFound) Error ¶
func (e ErrKeyNotFound) Error() string
type ErrMissingMetadata ¶
type ErrMissingMetadata struct {
Name string
}
func (ErrMissingMetadata) Error ¶
func (e ErrMissingMetadata) Error() string
type ErrNotEnoughKeys ¶
func (ErrNotEnoughKeys) Error ¶
func (e ErrNotEnoughKeys) Error() string
type ErrPassphraseRequired ¶
type ErrPassphraseRequired struct {
Role string
}
func (ErrPassphraseRequired) Error ¶
func (e ErrPassphraseRequired) Error() string
type LocalStore ¶
type LocalStore interface {
// GetMeta returns a map from metadata file names (e.g. root.json) to their raw JSON payload or an error.
GetMeta() (map[string]json.RawMessage, error)
// SetMeta is used to update a metadata file name with a JSON payload.
SetMeta(string, json.RawMessage) error
// WalkStagedTargets calls targetsFn for each staged target file in paths.
//
// If paths is empty, all staged target files will be walked.
WalkStagedTargets(paths []string, targetsFn TargetsWalkFunc) error
// FileIsStaged determines if a metadata file is currently staged, to avoid incrementing
// version numbers repeatedly while staged.
FileIsStaged(filename string) bool
// Commit is used to publish staged files to the repository
//
// This will also reset the staged meta to signal incrementing version numbers.
// TUF 1.0 requires that the root metadata version numbers in the repository does not
// gaps. To avoid this, we will only increment the number once until we commit.
Commit(bool, map[string]int, map[string]data.Hashes) error
// GetSigners return a list of signers for a role.
GetSigners(string) ([]keys.Signer, error)
// SaveSigner adds a signer to a role.
SaveSigner(string, keys.Signer) error
// Clean is used to remove all staged metadata files.
Clean() error
}
func FileSystemStore ¶
func FileSystemStore(dir string, p util.PassphraseFunc) LocalStore
func MemoryStore ¶
func MemoryStore(meta map[string]json.RawMessage, files map[string][]byte) LocalStore
type PassphraseChanger ¶
type Repo ¶
type Repo struct {
// contains filtered or unexported fields
}
func NewRepoIndent ¶
func (*Repo) AddOrUpdateSignature ¶
AddOrUpdateSignature allows users to add or update a signature generated with an external tool. The name must be a valid metadata file name, like root.json.
func (*Repo) AddPrivateKeyWithExpires ¶
func (*Repo) AddTargetWithExpires ¶
func (*Repo) AddTargets ¶
func (r *Repo) AddTargets(paths []string, custom json.RawMessage) error
func (*Repo) AddTargetsWithDigest ¶
func (*Repo) AddTargetsWithExpires ¶
func (*Repo) AddVerificationKey ¶
func (*Repo) AddVerificationKeyWithExpiration ¶
func (*Repo) ChangePassphrase ¶
func (*Repo) GenKeyWithExpires ¶
func (*Repo) RemoveTarget ¶
func (*Repo) RemoveTargetWithExpires ¶
func (*Repo) RemoveTargets ¶
func (*Repo) RemoveTargetsWithExpires ¶
If paths is empty, all targets will be removed.
func (*Repo) RevokeKeyWithExpires ¶
func (*Repo) RootVersion ¶
func (*Repo) SetSnapshotVersion ¶
func (*Repo) SetTargetsVersion ¶
func (*Repo) SetTimestampVersion ¶
func (*Repo) SignedMeta ¶
Used to retrieve the signable portion of the metadata when using an external signing tool.
func (*Repo) SnapshotVersion ¶
func (*Repo) TargetsVersion ¶
func (*Repo) TimestampVersion ¶
type TargetsWalkFunc ¶
TargetsWalkFunc is a function of a target path name and a target payload used to execute some function on each staged target file. For example, it may normalize path names and generate target file metadata with additional custom metadata.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
Package encrypted provides a simple, secure system for encrypting data symmetrically with a passphrase.
|
Package encrypted provides a simple, secure system for encrypting data symmetrically with a passphrase. |
|
internal
|
|
|
pkg
|
|