{"id":13846623,"url":"https://github.com/theupdateframework/go-tuf","last_synced_at":"2025-05-14T11:09:38.032Z","repository":{"id":24498454,"uuid":"27903690","full_name":"theupdateframework/go-tuf","owner":"theupdateframework","description":"Go implementation of The Update Framework (TUF)","archived":false,"fork":false,"pushed_at":"2025-05-06T12:37:34.000Z","size":2280,"stargazers_count":661,"open_issues_count":28,"forks_count":112,"subscribers_count":29,"default_branch":"master","last_synced_at":"2025-05-06T13:48:47.005Z","etag":null,"topics":["chain","go","golang","hacktoberfest","security","software","supply","supply-chain","tuf"],"latest_commit_sha":null,"homepage":"https://theupdateframework.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/theupdateframework.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2014-12-12T03:31:16.000Z","updated_at":"2025-04-26T23:04:07.000Z","dependencies_parsed_at":"2023-11-28T15:54:26.670Z","dependency_job_id":"a6f0e329-607e-4717-ba0a-7fb037baede5","html_url":"https://github.com/theupdateframework/go-tuf","commit_stats":null,"previous_names":["flynn/go-tuf"],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Fgo-tuf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Fgo-tuf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframe
work%2Fgo-tuf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Fgo-tuf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/theupdateframework","download_url":"https://codeload.github.com/theupdateframework/go-tuf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254129489,"owners_count":22019628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chain","go","golang","hacktoberfest","security","software","supply","supply-chain","tuf"],"created_at":"2024-08-04T18:00:43.420Z","updated_at":"2025-05-14T11:09:38.000Z","avatar_url":"https://github.com/theupdateframework.png","language":"Go","funding_links":[],"categories":["Signing Artefacts"],"sub_categories":[],"readme":"![GitHub Workflow Status (with branch)](https://img.shields.io/github/actions/workflow/status/theupdateframework/go-tuf/ci.yml?branch=master)\n[![codecov](https://codecov.io/github/theupdateframework/go-tuf/branch/master/graph/badge.svg?token=2ZUA68ZL13)](https://codecov.io/github/theupdateframework/go-tuf)\n[![Go Reference](https://pkg.go.dev/badge/github.com/theupdateframework/go-tuf.svg)](https://pkg.go.dev/github.com/theupdateframework/go-tuf)\n[![Go Report Card](https://goreportcard.com/badge/github.com/theupdateframework/go-tuf)](https://goreportcard.com/report/github.com/theupdateframework/go-tuf)\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n\n# \u003cimg 
src=\"https://cdn.rawgit.com/theupdateframework/artwork/3a649fa6/tuf-logo.svg\" height=\"100\" valign=\"middle\" alt=\"TUF\"/\u003e go-tuf/v2 - Framework for Securing Software Update Systems\n\n----------------------------\n\n[The Update Framework (TUF)](https://theupdateframework.io/) is a framework for\nsecure content delivery and updates. It protects against various types of\nsupply chain attacks and provides resilience to compromise.\n\n## About The Update Framework\n\n----------------------------\nThe Update Framework (TUF) design helps developers maintain the security of a\nsoftware update system, even against attackers that compromise the repository\nor signing keys.\nTUF provides a flexible\n[specification](https://github.com/theupdateframework/specification/blob/master/tuf-spec.md)\ndefining functionality that developers can use in any software update system or\nre-implement to fit their needs.\n\nTUF is hosted by the [Linux Foundation](https://www.linuxfoundation.org/) as\npart of the [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF)\nand its design is [used in production](https://theupdateframework.io/adoptions/)\nby various tech companies and open-source organizations.\n\nPlease see [TUF's website](https://theupdateframework.com/) for more information about TUF!\n\n## Overview\n\n----------------------------\n\nThe go-tuf v2 project provides a lightweight library with the following functionality:\n\n* creation, reading, and writing of TUF metadata\n* an easy object-oriented approach for interacting with TUF metadata\n* consistent snapshots\n* signing and verifying TUF metadata\n* ED25519, RSA, and ECDSA key types referenced by the latest TUF specification\n* top-level role delegation\n* target delegation via standard and hash bin delegations\n* support of [succinct hash bin delegations](https://github.com/theupdateframework/taps/blob/master/tap15.md) which significantly reduce the size of the TUF metadata\n* support for unrecognized 
fields within the metadata (i.e. preserved and accessible through `root.Signed.UnrecognizedFields[\"some-unknown-field\"]`, also used for verifying/signing (if included in the Signed portion of the metadata))\n* TUF client API\n* TUF multi-repository client API (implements [TAP 4 - Multiple repository consensus on entrusted targets](https://github.com/theupdateframework/taps/blob/master/tap4.md))\n\n## Examples\n\n----------------------------\n\nThere are several examples that can act as a guideline on how to use the library and its features. Some of them are:\n\n* [basic_repository.go](examples/repository/basic_repository.go) example which demonstrates how to *manually* create and\nmaintain repository metadata using the low-level Metadata API.\n\nTo try it - run `make example-repository` (the artifacts will be located at `examples/repository/`).\n\n* [client_example.go](examples/client/client_example.go) which demonstrates how to implement a client using the [updater](metadata/updater/updater.go) package.\n\nTo try it - run `make example-client` (the artifacts will be located at `examples/client/`)\n\n* [tuf-client CLI](examples/cli/tuf-client/) - a CLI tool that implements the client workflow specified by The Update Framework (TUF) specification.\n\nTo try it - run `make example-tuf-client-cli`\n\n* [multi-repository client example (TAP4)](examples/multirepo/client/client_example.go) which demonstrates how to implement a multi-repository TUF client using the [multirepo](metadata/multirepo/multirepo.go) package.\n\nTo try it - run `make example-multirepo`\n\n## Package details\n\n----------------------------\n\n### The `metadata` package\n\n* The `metadata` package provides access to a Metadata file abstraction that closely\nfollows the TUF specification’s document formats. This API handles de/serialization\nto and from files and bytes. 
It also covers the process of creating and verifying metadata\nsignatures and makes it easier to access and modify metadata content. It is purely\nfocused on individual pieces of Metadata and provides no concepts like “repository”\nor “update workflow”.\n\n### The `trustedmetadata` package\n\n* A `TrustedMetadata` instance ensures that the collection of metadata in it is valid\nand trusted through the whole client update workflow. It provides easy ways to update\nthe metadata with the caller making decisions on what is updated.\n\n### The `config` package\n\n* The `config` package stores configuration for an ``Updater`` instance.\n\n### The `fetcher` package\n\n* The `fetcher` package defines an interface for abstract network download.\n\n### The `updater` package\n\n* The `updater` package provides an implementation of the TUF client workflow.\nIt provides ways to query and download target files securely while handling the\nTUF update workflow behind the scenes. It is implemented on top of the Metadata API\nand can be used to implement various TUF clients with relatively little effort.\n\n### The `multirepo` package\n\n* The `multirepo` package provides an implementation of [TAP 4 - Multiple repository consensus on entrusted targets](https://github.com/theupdateframework/taps/blob/master/tap4.md). It provides a secure search for particular targets across multiple repositories. It provides the functionality for how multiple repositories with separate roots of trust can be required to sign off on the same targets, effectively creating an AND relation and ensuring any files obtained can be trusted. It offers a way to initialize multiple repositories using a `map.json` file and also mechanisms to query and download target files securely. 
It is implemented on top of the Updater API and can be used to implement various multi-repository TUF clients with relatively little effort.\n\n## Documentation\n\n----------------------------\n\n* [Documentation](https://pkg.go.dev/github.com/theupdateframework/go-tuf/v2)\n\n* [Introduction to TUF's Design](https://theupdateframework.io/overview/)\n\n* [The TUF Specification](https://theupdateframework.github.io/specification/latest/)\n\n## History - legacy go-tuf vs go-tuf/v2\n\nThe [legacy go-tuf (v0.7.0)](https://github.com/theupdateframework/go-tuf/tree/v0.7.0) codebase was difficult to maintain and prone to errors due to its initial design decisions. Now it is considered deprecated in favour of go-tuf v2 (originally from [rdimitrov/go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata)) which started from the idea of providing a Go implementation of TUF that is heavily influenced by the design decisions made in [python-tuf](https://github.com/theupdateframework/python-tuf).\n\n## Contact\n\n----------------------------\n\nQuestions, feedback, and suggestions are welcomed on the [#tuf](https://cloud-native.slack.com/archives/C8NMD3QJ3) and/or [#go-tuf](https://cloud-native.slack.com/archives/C02D577GX54) channels on\n[CNCF Slack](https://slack.cncf.io/).\n\nWe strive to make the specification easy to implement, so if you come across\nany inconsistencies or experience any difficulty, do let us know by sending an\nemail, or by reporting an issue in the GitHub [specification\nrepo](https://github.com/theupdateframework/specification/issues).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheupdateframework%2Fgo-tuf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftheupdateframework%2Fgo-tuf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheupdateframework%2Fgo-tuf/lists"}