https://github.com/theupdateframework/tuf-on-ci
A TUF repository and signing tool
Last synced: 6 months ago
- Host: GitHub
- URL: https://github.com/theupdateframework/tuf-on-ci
- Owner: theupdateframework
- License: other
- Created: 2023-07-17T13:02:42.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-10-29T09:29:55.000Z (over 1 year ago)
- Last Synced: 2024-10-29T11:42:03.140Z (over 1 year ago)
- Language: Python
- Homepage:
- Size: 813 KB
- Stars: 21
- Watchers: 8
- Forks: 11
- Open Issues: 46
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: docs/CODE-OF-CONDUCT.md
- Codeowners: docs/CODEOWNERS
README
# TUF-on-CI: A TUF Repository and Signing Tool
TUF-on-CI is a secure artifact delivery system that operates on a Continuous Integration
platform. It contains a [TUF](https://theupdateframework.io) repository implementation and an
easy-to-use local signing system that supports hardware keys (e.g. Yubikeys).
TUF-on-CI can be used to publish a TUF repository that contains digitally signed metadata.
Any TUF-compatible download client can use this repository to securely download
the artifacts described in the repository.
This system is highly secure against infrastructure compromise: even a fully compromised
repository host will not lead to compromised downloader clients, because clients verify the signed metadata rather than trusting the host.
Supported features include:
* Guided signing events for distributed signing
* TUF delegations with signature thresholds
* Signing with hardware keys and Sigstore
* Automated online signing (Google Cloud, Azure, AWS, Sigstore)
* No custom code required
The optimal use case is TUF repositories with a low to moderate frequency of change, both for artifacts and keys.
## Documentation
* [Signer Manual](docs/SIGNER-MANUAL.md)
* [Repository Maintenance Manual](docs/REPOSITORY-MAINTENANCE.md)
* [Developer notes](docs/DEVELOPMENT.md)
## Deployments

* The [Sigstore project](https://www.sigstore.dev/) uses tuf-on-ci to manage their TUF repositories in
[root-signing](https://github.com/sigstore/root-signing) and [root-signing-staging](https://github.com/sigstore/root-signing-staging).
These repositories are used to deliver the Sigstore root of trust to all sigstore clients.
* GitHub maintains a TUF repository for their
[Artifact Attestations](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/)
with tuf-on-ci.
* There is also a [demo deployment](https://github.com/jku/tuf-demo/) for the TUF community
## Contact
* We're on [Slack](https://cloud-native.slack.com/archives/C04SHK2DPK9)
* Feel free to file issues if anything is unclear: this is a new project so docs are still lacking
* Email sent to jkukkonen at google.com will be read eventually