{"id":13717779,"url":"https://github.com/vmware-archive/repository-editor-for-tuf","last_synced_at":"2025-05-07T08:30:33.306Z","repository":{"id":37466898,"uuid":"385603049","full_name":"vmware-archive/repository-editor-for-tuf","owner":"vmware-archive","description":"Command line tool for editing and maintaining a TUF repository","archived":true,"fork":false,"pushed_at":"2023-01-18T09:07:16.000Z","size":145,"stargazers_count":5,"open_issues_count":14,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-24T07:03:05.812Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vmware-archive.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-07-13T12:52:37.000Z","updated_at":"2023-11-03T13:27:01.000Z","dependencies_parsed_at":"2023-02-01T03:45:58.737Z","dependency_job_id":null,"html_url":"https://github.com/vmware-archive/repository-editor-for-tuf","commit_stats":null,"previous_names":["vmware-archive/repository-editor-for-tuf"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-archive%2Frepository-editor-for-tuf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-archive%2Frepository-editor-for-tuf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-archive%2Frepository-editor-for-tuf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-archive%2Frepository-editor-for-tuf/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vmware-archive","download_url":"https://codeload.github.com/vmware-archive/repository-editor-for-tuf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252788521,"owners_count":21804285,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T00:01:26.955Z","updated_at":"2025-05-07T08:30:33.051Z","avatar_url":"https://github.com/vmware-archive.png","language":"Python","funding_links":[],"categories":["Identity, signing and provenance"],"sub_categories":["Supply chain beyond libraries"],"readme":"\n# Repository Editor for TUF\n\n## Overview\n\n_Repository Editor for TUF_ project provides a command line tool to edit and\nmaintain a [TUF](https://theupdateframework.io/) repository. Project aims to:\n * Produce a command line tool for demos, tutorials, testing and small\n   scale repositories in general. 
In particular, support use cases of:\n   * Repository maintainer _(repository setup, key rotations, delegations)_\n   * Timestamp/snapshot automation _(hands-free, running on CI)_\n   * Target file maintainer _(publishing targets)_\n * Smoke test the TUF Metadata API for repository functionality\n\n## Status\n\n_Repository Editor for TUF_ works already and can be used to create and maintain\nTUF repositories for demo purposes.\n\nIt is also at early stages of development and should be considered\nexperimental and unstable:\n * Testing is minimal\n * Private key management is minimal: removing keys requires editing a file,\n   using an existing key is not supported\n * No releases or packages are available\n\n## How it works\n\n### Metadata is stored in git\n\nThe tufrepo tool works in a git-stored TUF metadata directory: metadata files\nare automatically added to git. Git is used for a few reasons:\n * Tool needs no state tracking as git knows if file has been modified\n * Reviewing changes, combining changes to logical chunks and reverting wrong\n   changes becomes easy\n * publishing and sharing repositories (and even running tufrepo on CI)\n   is possible\n\n### Commands are used to edit metadata\n\nWhile editing, the tool takes care of:\n * expiry updates\n * version number updates\n * file name changes, deleting obsolete files\n * signing (with all appropriate private keys that are available)\n\nThe following commands are available to the user:\n\n| Command               | Description\n| ---                   | ---\n| `init`                | Initialize a minimal repository from scratch\n| `add-target`          | Add target file to the repository\n| `remove-target`       | Remove target file from the repository\n| `snapshot`            | Update snapshot and timestamp meta information\n| `sign`                | Sign roles (without otherwise modifying them)\n| `init-succinct-roles` | Initialize delegated roles for a succinct delegation\n| `verify`              | Verify the 
current status of the repository\n| `edit`                | Edit a role with subcommands listed below\n\nA specific role can be edited with following edit-subcommands:\n\n| Edit sub-command    | Description\n| ---                 | ---\n| `init`              | Create new metadata for role\n| `add-delegation`    | Delegate from role to another role\n| `remove-delegation` | Remove delegation to another role\n| `add-key`           | Add a new signing key for a delegated role or succinct delegation.\n| `remove-key`        | Remove signing key for a delegated role\n| `set-threshold`     | Set the threshold of delegated role\n| `set-expiry`        | Set expiry period for the role\n| `touch`             | No changes, just update version and expiry\n\nWhen editing, the results can be checked with `git diff` and then committed\nwith `git commit -a`. Note that git status affects the automatic version number\nchanges: version number is bumped once per git changeset.\n\n### Key management\n\nAll of the metadata is stored in git and the git repository is meant to be\nshareable publicly. This means private keys must be stored elsewhere.\n\ntufrepo can currently read private key secrets from two places:\n * privkeys.json in the repo directory (this does not get committed to git).\n   Encrypted keys are not yet supported.\n * environment variables. 
This is useful when running tufrepo on CI and reading\n   the secrets from the CI secrets storage\nThe tool will automatically use the available keys to sign whenever signing is\nneeded.\n\ntufrepo writes new keys (created during `edit \u003crole\u003e add-key`) to\nprivkeys.json.\n\nThis key management solution is preliminary and likely to change in the future.\n\n## Testing in virtualenv\n\n    python3 -m venv venv\n    source venv/bin/activate\n    pip install -r requirements.txt -e .\n\n    tufrepo --help\n\nIf you want to debug a specific command locally you can have a look at\n`click` documentation about it: https://click.palletsprojects.com/en/8.1.x/testing/.\nIt may be worth setting a temporary folder where you can test your command in\norder to simulate tufrepo behavior.\n\n## Examples\n\nNote: The tool outputs very little currently: Running `git diff` once in a\nwhile helps keep track of changes so far.\n\n### Repository initialization\n\n    # initialize a git repository for the metadata\n    mkdir repo \u0026\u0026 cd repo\n    git init .\n    echo \"privkeys.json\" \u003e .gitignore\n\n    # Create top level metadata\n    tufrepo init\n\n    git commit -a -m \"initial top-level metadata\"\n\n### Editing metadata\n\n    # shorter expiry for timestamp\n    tufrepo edit timestamp set-expiry 12 hours\n\n    # require two of three root keys\n    tufrepo edit root add-key root\n    tufrepo edit root add-key root\n    tufrepo edit root set-threshold root 2\n\n    git commit -a -m \"timestamp expiry \u0026 more root keys\"\n\n### Delegation\n\n    # Add delegation (sign with targets key)\n    tufrepo edit targets add-delegation --path \"files/*\" role1\n    tufrepo edit targets add-key role1\n\n    # Create the delegate targets role (sign with role1 key)\n    tufrepo edit role1 init\n\n    # Update snapshot/timestamp contents (sign with snapshot/timestamp keys)\n    tufrepo snapshot\n\n    git commit -a -m \"Delegation to role1\"\n\n### Succinct 
delegation\n\n    # Add delegation to 16 roles named \"bin-0\" to \"bin-f\" to role1 (sign with role1 key)\n    tufrepo edit role1 add-delegation --succinct 16 bin\n\n    # Add a key shared between all 16 succinct delegations defined in role1\n    tufrepo edit role1 add-key\n\n    # Create the 16 roles and sign them with the shared key\n    tufrepo init-succinct-roles role1\n\n    # Update snapshot/timestamp contents (sign with snapshot/timestamp keys)\n    tufrepo snapshot\n\n    git commit -a -m \"Succinct delegation\"\n\n### Adding target files\n\n    # Developer adds target \"files/file1.txt\": this is delegated first to \"role1\",\n    # then to \"bin-2\", so change is signed by the succinct role key\n    tufrepo add-target files/file1.txt ../targets/files/file1.txt\n\n    # Update snapshot/timestamp contents (sign with snapshot/timestamp key)\n    tufrepo snapshot\n\n    git commit -a -m \"Add target 'files/file1.txt'\"\n\n## Contributing\n\nContributions are very welcome. If you wish to contribute code and have not\nsigned our contributor license agreement (CLA), our bot will update the issue\nwith details when you open a Pull Request. For any questions about the CLA\nprocess, please refer to our [FAQ](https://cla.vmware.com/faq).\n\n## License\n\nThe code is dual-licensed under MIT and Apache 2.0 licenses (for maximum\ncompatibility with TUF project), see [LICENSE-MIT](LICENSE-MIT) and\n[LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvmware-archive%2Frepository-editor-for-tuf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvmware-archive%2Frepository-editor-for-tuf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvmware-archive%2Frepository-editor-for-tuf/lists"}