{"id":13820848,"url":"https://github.com/theupdateframework/python-tuf","last_synced_at":"2026-01-15T22:20:43.182Z","repository":{"id":6697459,"uuid":"7942805","full_name":"theupdateframework/python-tuf","owner":"theupdateframework","description":"Python reference implementation of The Update Framework (TUF)","archived":false,"fork":false,"pushed_at":"2026-01-13T02:12:14.000Z","size":18936,"stargazers_count":1694,"open_issues_count":61,"forks_count":287,"subscribers_count":40,"default_branch":"develop","last_synced_at":"2026-01-13T04:07:35.089Z","etag":null,"topics":["cncf","compromise","key","python","repository","revocation","security","software","update"],"latest_commit_sha":null,"homepage":"https://theupdateframework.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/theupdateframework.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.rst","funding":null,"license":"LICENSE","code_of_conduct":"docs/CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"docs/CODEOWNERS","security":"docs/SECURITY.md","support":null,"governance":"docs/GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"docs/MAINTAINERS.txt","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-01-31T18:36:34.000Z","updated_at":"2026-01-13T01:55:41.000Z","dependencies_parsed_at":"2026-01-13T04:07:42.959Z","dependency_job_id":null,"html_url":"https://github.com/theupdateframework/python-tuf","commit_stats":{"total_commits":4184,"total_committers":101,"mean_commits":41.42574257425743,"dds":0.5473231357552581,"last_synced_commit":"9d09c427c77ac18a61e949d83236deebbbeee9ec"},"previous_names":["theupdateframework/tuf"],"tags_count":34,"template":false,"template_full_name":null,"purl":"pkg:github/theupdateframework/python-tuf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Fpython-tuf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Fpython-tuf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Fpython-tuf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Fpython-tuf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/theupdateframework","download_url":"https://codeload.github.com/theupdateframework/python-tuf/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Fpython-tuf/sbom","scorecard":{"id":94114,"data":{"date":"2025-08-12T08:20:55Z","repo":{"name":"github.com/theupdateframework/python-tuf","commit":"5f60ee52e5138fc04787f0d6ada9c647079cf836"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":8.6,"checks":[{"name":"Code-Review","score":-1,"reason":"Found no human activity in the last 18 changesets","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: docs/SECURITY.md:1","Info: Found linked content: docs/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: docs/SECURITY.md:1","Info: Found text in security policy: docs/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":10,"reason":"20 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":4,"reason":"dependency not pinned by hash detected -- score normalized to 4","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/theupdateframework/python-tuf/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/theupdateframework/python-tuf/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/theupdateframework/python-tuf/dependency-review.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/theupdateframework/python-tuf/scorecards.yml/develop?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/_test.yml:68","Warn: pipCommand not pinned by hash: .github/workflows/_test.yml:109","Warn: pipCommand not pinned by hash: .github/workflows/_test.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/_test_sslib_main.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/cd.yml:33","Warn: pipCommand not pinned by hash: .github/workflows/specification-version-check.yml:25","Info:  21 out of  25 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of   3 third-party GitHubAction dependencies pinned","Info:   0 out of   6 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/cd.yml:52","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/cd.yml:95","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:21","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:21","Info: jobLevel 'contents' permission set to 'read': .github/workflows/specification-version-check.yml:33","Info: found token with 'none' permissions: .github/workflows/_test.yml:1","Info: found token with 'none' permissions: .github/workflows/_test_sslib_main.yml:1","Info: found token with 'none' permissions: .github/workflows/cd.yml:1","Info: found token with 'none' permissions: .github/workflows/ci.yml:1","Info: found token with 'none' permissions: .github/workflows/codeql-analysis.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/conformance.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:12","Info: found token with 'none' permissions: .github/workflows/maintainer-permissions-reminder.yml:1","Info: found token with 'none' permissions: .github/workflows/scorecards.yml:1","Info: found token with 'none' permissions: .github/workflows/specification-version-check.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":10,"reason":"badge detected: Gold","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Signed-Releases","score":4,"reason":"3 out of the last 5 releases have a total of 3 signed artifacts.","details":["Info: signed release artifact: tuf-6.0.0-py3-none-any.whl.asc: https://github.com/theupdateframework/python-tuf/releases/tag/v6.0.0","Info: signed release artifact: tuf-5.1.0-py3-none-any.whl.asc: https://github.com/theupdateframework/python-tuf/releases/tag/v5.1.0","Warn: release artifact v5.0.0 not signed: https://api.github.com/repos/theupdateframework/python-tuf/releases/155644783","Warn: release artifact v4.0.0 not signed: https://api.github.com/repos/theupdateframework/python-tuf/releases/149724219","Info: signed release artifact: tuf-3.1.1-py3-none-any.whl.asc: https://github.com/theupdateframework/python-tuf/releases/tag/v3.1.1","Warn: release artifact v6.0.0 does not have provenance: https://api.github.com/repos/theupdateframework/python-tuf/releases/204977023","Warn: release artifact v5.1.0 does not have provenance: https://api.github.com/repos/theupdateframework/python-tuf/releases/178685741","Warn: release artifact v5.0.0 does not have provenance: https://api.github.com/repos/theupdateframework/python-tuf/releases/155644783","Warn: release artifact v4.0.0 does not have provenance: https://api.github.com/repos/theupdateframework/python-tuf/releases/149724219","Warn: release artifact v3.1.1 does not have provenance: https://api.github.com/repos/theupdateframework/python-tuf/releases/142294911"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'develop'","Info: 'force pushes' disabled on branch 'develop'","Warn: required approving review count is 1 on branch 'develop'","Warn: codeowners review is not required on branch 'develop'","Info: status check found to merge onto on branch 'develop'","Info: PRs are required in order to make changes on branch 'develop'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/cd.yml:89"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"CI-Tests","score":10,"reason":"18 out of 18 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 54 contributing companies or organizations","details":["Info: found contributions from: AFFIXs, DataDog, GIDAIbero, Homebrew, Lind-Project, OwnCA, PolyPasswordHasher, SBOMit, UMD-CS-STICs, Verizon, YuCloudNative, aeraki-mesh, astral-sh, beedog, broadcom, cloudnativeto, cnabio, datadog, dmarc-viewer, eclipse foundation, edera, german-transcendental-idealism, google, grinchrb, hexchat, in-toto, inspektor-gadget, iqm qunatum computers, istio, k8smeetup, kbsecret, nyu tandon school of engineering, ossf, psf, purdue university, pypa, pypi, pyupio, repository-service-tuf, robustodev, school of computer science wuhan university, secure-systems-lab, servicemesher, sigstore, slsa-framework, theupdateframework, tuf-in-toto, uptane, verizon, vmware, woodruffw-experiments, woodruffw-forks, woodruffw-hackathons, zizmorcore"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}}]},"last_synced_at":"2025-08-15T08:31:41.366Z","repository_id":6697459,"created_at":"2025-08-15T08:31:41.366Z","updated_at":"2025-08-15T08:31:41.366Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28472626,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-15T22:13:38.078Z","status":"ssl_error","status_checked_at":"2026-01-15T22:12:11.737Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cncf","compromise","key","python","repository","revocation","security","software","update"],"created_at":"2024-08-04T08:01:10.258Z","updated_at":"2026-01-15T22:20:43.163Z","avatar_url":"https://github.com/theupdateframework.png","language":"Python","readme":"# \u003cimg src=\"https://cdn.rawgit.com/theupdateframework/artwork/3a649fa6/tuf-logo.svg\" height=\"100\" valign=\"middle\" alt=\"TUF\"/\u003e A Framework for Securing Software Update Systems\n\n[![CI badge](https://github.com/theupdateframework/python-tuf/actions/workflows/ci.yml/badge.svg)](https://github.com/theupdateframework/python-tuf/actions/workflows/ci.yml)\n[![Conformance badge](https://github.com/theupdateframework/python-tuf/actions/workflows/conformance.yml/badge.svg)](https://github.com/theupdateframework/python-tuf/actions/workflows/conformance.yml)\n[![Coveralls badge](https://coveralls.io/repos/theupdateframework/python-tuf/badge.svg?branch=develop)](https://coveralls.io/r/theupdateframework/python-tuf?branch=develop)\n[![Docs badge](https://readthedocs.org/projects/theupdateframework/badge/)](https://theupdateframework.readthedocs.io/)\n[![CII badge](https://bestpractices.coreinfrastructure.org/projects/1351/badge)](https://bestpractices.coreinfrastructure.org/projects/1351)\n[![PyPI badge](https://img.shields.io/pypi/v/tuf)](https://pypi.org/project/tuf/)\n[![Scorecard badge](https://api.scorecard.dev/projects/github.com/theupdateframework/python-tuf/badge)](https://scorecard.dev/viewer/?uri=github.com/theupdateframework/python-tuf)\n\n----------------------------\n[The Update Framework (TUF)](https://theupdateframework.io/) is a framework for\nsecure content delivery and updates. It protects against various types of\nsupply chain attacks and provides resilience to compromise. This repository is a\n**reference implementation** written in Python. It is intended to conform to\nversion 1.0 of the [TUF\nspecification](https://theupdateframework.github.io/specification/latest/).\n\nPython-TUF provides the following APIs:\n  * [`tuf.api.metadata`](https://theupdateframework.readthedocs.io/en/latest/api/tuf.api.html),\n    a \"low-level\" API, designed to provide easy and safe access to TUF\n    metadata and to handle (de)serialization from/to files.\n  * [`tuf.ngclient`](https://theupdateframework.readthedocs.io/en/latest/api/tuf.ngclient.html),\n    a client implementation built on top of the metadata API.\n  * `tuf.repository`, a repository library also built on top of the metadata\n    API. This module is currently not considered part of python-tuf stable API.\n\nThe reference implementation strives to be a readable guide and demonstration\nfor those working on implementing TUF in their own languages, environments, or\nupdate systems.\n\n\nAbout The Update Framework\n--------------------------\nThe Update Framework (TUF) design helps developers maintain the security of a\nsoftware update system, even against attackers that compromise the repository\nor signing keys.\nTUF provides a flexible\n[specification](https://github.com/theupdateframework/specification/blob/master/tuf-spec.md)\ndefining functionality that developers can use in any software update system or\nre-implement to fit their needs.\n\nTUF is hosted by the [Linux Foundation](https://www.linuxfoundation.org/) as\npart of the [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF)\nand its design is [used in production](https://theupdateframework.io/adoptions/)\nby various tech companies and open source organizations. A variant of TUF\ncalled [Uptane](https://uptane.github.io/) is used to secure over-the-air\nupdates in automobiles.\n\nPlease see [TUF's website](https://theupdateframework.com/) for more information about TUF!\n\n\nDocumentation\n-------------\n* [Introduction to TUF's Design](https://theupdateframework.io/overview/)\n* [The TUF Specification](https://theupdateframework.github.io/specification/latest/)\n* [Developer documentation](https://theupdateframework.readthedocs.io/), including\n  [API reference](\n    https://theupdateframework.readthedocs.io/en/latest/api/api-reference.html) and [instructions for contributors](https://theupdateframework.readthedocs.io/en/latest/CONTRIBUTING.html)\n* [Usage examples](https://github.com/theupdateframework/python-tuf/tree/develop/examples/)\n* [Governance](https://github.com/theupdateframework/python-tuf/blob/develop/docs/GOVERNANCE.md)\nand [Maintainers](https://github.com/theupdateframework/python-tuf/blob/develop/docs/MAINTAINERS.txt)\nfor the reference implementation\n* [Miscellaneous Docs](https://github.com/theupdateframework/python-tuf/tree/develop/docs)\n* [Python-TUF development blog](https://theupdateframework.github.io/python-tuf/)\n\n\nContact\n-------\nQuestions, feedback, and suggestions are welcomed on our low volume [mailing\nlist](https://groups.google.com/forum/?fromgroups#!forum/theupdateframework) or\nthe [#tuf](https://cloud-native.slack.com/archives/C8NMD3QJ3) channel on [CNCF\nSlack](https://slack.cncf.io/).\n\nWe strive to make the specification easy to implement, so if you come across\nany inconsistencies or experience any difficulty, do let us know by sending an\nemail, or by reporting an issue in the GitHub [specification\nrepo](https://github.com/theupdateframework/specification/issues).\n\nSecurity Issues and Bugs\n------------------------\n\nSee [SECURITY.md](docs/SECURITY.md)\n\nLicense\n-------\n\nThis work is [dual-licensed](https://en.wikipedia.org/wiki/Multi-licensing) and\ndistributed under the (1) MIT License and (2) Apache License, Version 2.0.\nPlease see [LICENSE-MIT](https://github.com/theupdateframework/python-tuf/blob/develop/LICENSE-MIT)\nand [LICENSE](https://github.com/theupdateframework/python-tuf/blob/develop/LICENSE).\n\n\nAcknowledgements\n----------------\n\nThis project is hosted by the Linux Foundation under the Cloud Native Computing\nFoundation.  TUF's early development was managed by members of the [Secure\nSystems Lab](https://ssl.engineering.nyu.edu/) at [New York\nUniversity](https://engineering.nyu.edu/). We appreciate the efforts of all\n[maintainers and emeritus\nmaintainers](https://github.com/theupdateframework/python-tuf/blob/develop/docs/MAINTAINERS.txt),\nas well as the contributors Konstantin Andrianov, Kairo de Araujo, Ivana\nAtanasova, Geremy Condra, Zane Fisher, Pankhuri Goyal, Justin Samuel, Tian\nTian, Martin Vrachev and Yuyu Zheng who are among those who helped\nsignificantly with TUF's reference implementation. Maintainers and Contributors\nare governed by the [CNCF Community Code of\nConduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).\n\nThis material is based upon work supported by the National Science Foundation\nunder Grant Nos. CNS-1345049 and CNS-0959138. Any opinions, findings, and\nconclusions or recommendations expressed in this material are those of the\nauthor(s) and do not necessarily reflect the views of the National Science\nFoundation.\n","funding_links":[],"categories":["Python","Signing Artefacts","software"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheupdateframework%2Fpython-tuf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftheupdateframework%2Fpython-tuf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheupdateframework%2Fpython-tuf/lists"}