Convert Figma logo to code with AI

theupdateframework logopython-tuf

Python reference implementation of The Update Framework (TUF)

1,667
279
1,667
59
View on GitHub

Top Related Projects

notaryproject's avatar

notary

3,276

Notary is a project that allows anyone to have trust over arbitrary collections of data

pypa's avatar

twine

1,693

Utilities for interacting with PyPI

Quick Overview

The Python-TUF project is a Python implementation of The Update Framework (TUF), a secure software update framework that aims to protect software distribution and update systems from a variety of attacks. It provides a set of libraries and tools to help developers build secure software update systems.

Pros

  • Secure by Design: Python-TUF is designed with security in mind, implementing best practices and recommendations from the TUF specification to protect against various attacks.
  • Flexible and Extensible: The project is designed to be flexible and extensible, allowing developers to customize and extend the framework to fit their specific needs.
  • Cross-Platform Compatibility: Python-TUF is written in Python and can be used on a variety of platforms, including Windows, macOS, and Linux.
  • Active Development and Community: The project is actively maintained and has a growing community of contributors and users.

Cons

  • Complexity: Implementing a secure software update system can be a complex task, and Python-TUF may have a steep learning curve for some developers.
  • Performance Overhead: The security features provided by Python-TUF may come with some performance overhead, which could be a concern for certain applications.
  • Limited Documentation: While the project has good documentation, some users may find it lacking in certain areas or may have difficulty getting started.
  • Dependency on Python: As a Python-based project, Python-TUF is dependent on the Python runtime and may not be suitable for all use cases.

Code Examples

Here are a few code examples demonstrating how to use Python-TUF:

  1. Initializing a TUF Repository:
from tuf.repository_tool import create_new_repository
repo = create_new_repository('/path/to/repository')

This code creates a new TUF repository at the specified path.

  1. Adding a Target File:
from tuf.repository_tool import add_target
repo.add_target('example.tar.gz', {'length': 1234, 'hashes': {'sha256': 'abc123'}})
repo.write()

This code adds a new target file to the TUF repository and writes the changes to disk.

  1. Signing a Metadata File:
from tuf.repository_tool import generate_and_write_rsa_keypair
generate_and_write_rsa_keypair('/path/to/key.pub', '/path/to/key.pri')
repo.timestamp.load_signing_key('/path/to/key.pri')
repo.timestamp.sign()
repo.write()

This code generates a new RSA key pair, loads the private key, signs the timestamp metadata file, and writes the changes to disk.

Getting Started

To get started with Python-TUF, follow these steps:

  1. Install the required dependencies:
pip install tuf
  1. Create a new TUF repository:
from tuf.repository_tool import create_new_repository
repo = create_new_repository('/path/to/repository')
  1. Add target files to the repository:
from tuf.repository_tool import add_target
repo.add_target('example.tar.gz', {'length': 1234, 'hashes': {'sha256': 'abc123'}})
repo.write()
  1. Generate and load signing keys:
from tuf.repository_tool import generate_and_write_rsa_keypair
generate_and_write_rsa_keypair('/path/to/key.pub', '/path/to/key.pri')
repo.timestamp.load_signing_key('/path/to/key.pri')
repo.timestamp.sign()
repo.write()
  1. Serve the repository content and metadata:
# Use a web server to serve the repository content and metadata
  1. Configure a client to download and verify updates using the TUF metadata:
from tuf.client.updater import Updater
updater = Updater('/path/to/repository')
target = updater.get_one_valid_target('example.tar.gz')
target.download('/path/to/download')

For more detailed information, please refer to the [Python-

Competitor Comparisons

notaryproject logo

notary

3,276

Notary is a project that allows anyone to have trust over arbitrary collections of data

Pros of Notary

  • Written in Go, offering better performance and concurrency
  • Designed specifically for Docker content trust, providing seamless integration
  • Supports multiple key types and signing algorithms

Cons of Notary

  • Less flexible than python-tuf for non-Docker use cases
  • Smaller community and fewer contributors compared to python-tuf
  • More complex setup and configuration process

Code Comparison

python-tuf example:

from tuf import repository_tool

repository = repository_tool.load_repository('path/to/repository')
targets = repository.targets
targets.add_target('example.txt', 'path/to/example.txt')
repository.writeall()

Notary example:

package main

import (
    "github.com/theupdateframework/notary/client"
)

func main() {
    notaryRepo, _ := client.NewNotaryRepository("example.com", "gun", "https://notary.example.com", nil, nil)
    target := client.Target{Name: "example.txt", Hashes: make(map[string][]byte), Length: 1234}
    notaryRepo.AddTarget(&target, nil)
}

The code examples demonstrate basic target addition in both projects. python-tuf uses a more straightforward approach, while Notary requires more setup and configuration due to its focus on Docker content trust.

pypa logo

twine

1,693

Utilities for interacting with PyPI

Pros of twine

  • Simpler and more focused on PyPI package uploading
  • Widely adopted in the Python packaging ecosystem
  • Easier to use for developers new to package distribution

Cons of twine

  • Limited to Python package distribution
  • Lacks advanced security features for supply chain protection
  • Does not provide a comprehensive framework for secure updates

Code Comparison

twine:

from twine.commands.upload import upload
upload(["dist/*"], repository="pypi")

python-tuf:

from tuf.repository_tool import create_new_repository
repository = create_new_repository("repository")
repository.root.add_verification_key(public_key)
repository.snapshot.load_signing_key(private_key)

The code snippets demonstrate the different focus areas of the two projects. twine is centered around simplifying package uploads, while python-tuf provides a more comprehensive framework for secure software updates and distribution.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

TUF A Framework for Securing Software Update Systems

CI badge Conformance badge Coveralls badge Docs badge CII badge PyPI badge Scorecard badge

The Update Framework (TUF) is a framework for secure content delivery and updates. It protects against various types of supply chain attacks and provides resilience to compromise. This repository is a reference implementation written in Python. It is intended to conform to version 1.0 of the TUF specification.

Python-TUF provides the following APIs:

  • tuf.api.metadata, a "low-level" API, designed to provide easy and safe access to TUF metadata and to handle (de)serialization from/to files.
  • tuf.ngclient, a client implementation built on top of the metadata API.
  • tuf.repository, a repository library also built on top of the metadata API. This module is currently not considered part of python-tuf stable API.

The reference implementation strives to be a readable guide and demonstration for those working on implementing TUF in their own languages, environments, or update systems.

About The Update Framework

The Update Framework (TUF) design helps developers maintain the security of a software update system, even against attackers that compromise the repository or signing keys. TUF provides a flexible specification defining functionality that developers can use in any software update system or re-implement to fit their needs.

TUF is hosted by the Linux Foundation as part of the Cloud Native Computing Foundation (CNCF) and its design is used in production by various tech companies and open source organizations. A variant of TUF called Uptane is used to secure over-the-air updates in automobiles.

Please see TUF's website for more information about TUF!

Documentation

Contact

Questions, feedback, and suggestions are welcomed on our low volume mailing list or the #tuf channel on CNCF Slack.

We strive to make the specification easy to implement, so if you come across any inconsistencies or experience any difficulty, do let us know by sending an email, or by reporting an issue in the GitHub specification repo.

Security Issues and Bugs

See SECURITY.md

License

This work is dual-licensed and distributed under the (1) MIT License and (2) Apache License, Version 2.0. Please see LICENSE-MIT and LICENSE.

Acknowledgements

This project is hosted by the Linux Foundation under the Cloud Native Computing Foundation. TUF's early development was managed by members of the Secure Systems Lab at New York University. We appreciate the efforts of all maintainers and emeritus maintainers, as well as the contributors Konstantin Andrianov, Kairo de Araujo, Ivana Atanasova, Geremy Condra, Zane Fisher, Pankhuri Goyal, Justin Samuel, Tian Tian, Martin Vrachev and Yuyu Zheng who are among those who helped significantly with TUF's reference implementation. Maintainers and Contributors are governed by the CNCF Community Code of Conduct.

This material is based upon work supported by the National Science Foundation under Grant Nos. CNS-1345049 and CNS-0959138. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.