{"id":19901082,"url":"https://github.com/theupdateframework/tuf-on-ci","last_synced_at":"2025-08-20T01:31:20.128Z","repository":{"id":182260743,"uuid":"667415882","full_name":"theupdateframework/tuf-on-ci","owner":"theupdateframework","description":"A TUF repository and signing tool","archived":false,"fork":false,"pushed_at":"2024-10-29T09:29:55.000Z","size":833,"stargazers_count":21,"open_issues_count":46,"forks_count":11,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-10-29T11:42:03.140Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/theupdateframework.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"docs/CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"docs/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-17T13:02:42.000Z","updated_at":"2024-10-29T09:28:11.000Z","dependencies_parsed_at":"2023-10-18T14:32:21.172Z","dependency_job_id":"33370210-5300-4eb2-aa58-9b6ccf232747","html_url":"https://github.com/theupdateframework/tuf-on-ci","commit_stats":null,"previous_names":["theupdateframework/tuf-on-ci"],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Ftuf-on-ci","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Ftuf-on-ci/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Ftuf-on-ci/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theupdateframework%2Ftuf-on-ci/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/theupdateframework","download_url":"https://codeload.github.com/theupdateframework/tuf-on-ci/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230382858,"owners_count":18216854,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T20:14:03.939Z","updated_at":"2024-12-19T05:07:24.013Z","avatar_url":"https://github.com/theupdateframework.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TUF-on-CI: A TUF Repository and Signing Tool\n\nTUF-on-CI is a secure artifact delivery system that operates on a Continuous Integration\nplatform. It contains a [TUF](https://theupdateframework.io) repository implementation and an\neasy-to-use local signing system that supports hardware keys (e.g. Yubikeys).\n\nTUF-on-CI can be used to publish a TUF repository that contains digitally signed metadata.\nAny TUF-compatible download client can use this repository to securely download\nthe artifacts described in the repository.\n\nThis system is highly secure against infrastructure compromise: Even a fully compromised\nrepository hosting will not lead to compromised downloader clients.\n\nSupported features include:\n* Guided signing events for distributed signing\n* TUF delegations with signature thresholds\n* Signing with hardware keys and Sigstore\n* Automated online signing (Google Cloud, Azure, AWS, Sigstore)\n* No custom code required\n\nThe optimal use case is TUF repositories with a low to moderate frequency of change, both for artifacts and keys.\n\n## Documentation\n\n* [Signer Manual](docs/SIGNER-MANUAL.md)\n* [Repository Maintenance Manual](docs/REPOSITORY-MAINTENANCE.md)\n* [Developer notes](docs/DEVELOPMENT.md)\n\n## Deployments\n\n![logos](https://github.com/theupdateframework/tuf-on-ci/assets/31889/34eb2a5e-b9a2-41ad-b333-6a28590b17f3)\n\n* The [Sigstore project](https://www.sigstore.dev/) uses tuf-on-ci to manage their TUF repositories in\n  [root-signing](https://github.com/sigstore/root-signing) and [root-signing-staging](https://github.com/sigstore/root-signing-staging).\n  These repositories are used to deliver the Sigstore root of trust to all sigstore clients.\n* GitHub maintains a TUF repository for their\n  [Artifact Attestations](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/)\n  with tuf-on-ci\n* There is also a [demo deployment](https://github.com/jku/tuf-demo/) for the TUF community\n\n## Contact\n\n* We're on [Slack](https://cloud-native.slack.com/archives/C04SHK2DPK9)\n* Feel free to file issues if anything is unclear: this is a new project so docs are still lacking\n* Email sent to jkukkonen at google.com will be read eventually\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheupdateframework%2Ftuf-on-ci","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftheupdateframework%2Ftuf-on-ci","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheupdateframework%2Ftuf-on-ci/lists"}