dennisvang / tufup

Automated updates for stand-alone Python applications.
MIT License

Support custom metadata objects. #100

Closed dennisvang closed 8 months ago

dennisvang commented 8 months ago

Custom metadata as described in the TUF spec can be specified when adding a new bundle to a repository, for example:

...
repo.add_bundle(
    new_version='2.3.4',
    new_bundle_dir='dist/myapp',
    custom_metadata_for_archive=None,  # optional
    custom_metadata_for_patch=dict(foo='bar'),  # optional
)
...

The custom metadata ends up in the targets.json file as follows:

{
  "signatures": [
    "..."
  ],
  "signed": {
    "...": "...",
    "targets": {
      "...": {},
      "myapp-2.3.4.patch": {
        "custom": {
          "foo": "bar"
        },
        "hashes": {
          "sha256": "..."
        },
        "length": 18709
      },
      "...": {}
    }
  }
}

On the client side, this metadata is made available via the TargetMeta class. For example,

...
new_target_meta = client.check_for_updates()
if new_target_meta:
    ...
    if new_target_meta.custom:
        ...

fixes #99
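
The `custom` object sits inside `signed`, so the targets signatures cover it, but its contents are free-form and a client should check them before acting on them. The following is an added example, not part of this PR or of tufup: it reads `custom` from a constructed `targets.json` in the layout shown above and validates it against a hypothetical allow-list (`CUSTOM_SCHEMA`, `get_custom` and `validate_custom` are assumed names).

```python
import json

# Constructed sample in the targets.json layout shown above (placeholder values).
SAMPLE_TARGETS_JSON = """
{
  "signatures": [],
  "signed": {
    "targets": {
      "myapp-2.3.4.patch": {
        "custom": {"foo": "bar"},
        "hashes": {"sha256": "placeholder"},
        "length": 18709
      },
      "myapp-2.3.4.tar.gz": {
        "hashes": {"sha256": "placeholder"},
        "length": 123456
      }
    }
  }
}
"""

# Hypothetical client-side schema: allowed key -> (type, max length for strings).
CUSTOM_SCHEMA = {"foo": (str, 64)}


def get_custom(targets_json: str, target_name: str) -> dict:
    """Return the 'custom' object for one target, or {} if it has none."""
    targets = json.loads(targets_json)["signed"]["targets"]
    custom = targets[target_name].get("custom", {})
    if not isinstance(custom, dict):
        raise ValueError("custom metadata must be a JSON object")
    return custom


def validate_custom(custom: dict, schema: dict = CUSTOM_SCHEMA) -> dict:
    """Return a copy of custom if every key and value matches the schema."""
    unknown = set(custom) - set(schema)
    if unknown:
        raise ValueError(f"unexpected custom keys: {sorted(unknown)}")
    for key, value in custom.items():
        expected_type, max_len = schema[key]
        if not isinstance(value, expected_type):
            raise ValueError(f"{key!r} must be {expected_type.__name__}")
        if isinstance(value, str) and len(value) > max_len:
            raise ValueError(f"{key!r} exceeds {max_len} characters")
    return dict(custom)
```

With tufup itself, the same `validate_custom` check would be applied to `new_target_meta.custom` after `check_for_updates()` returns.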

dennisvang commented 8 months ago

Note the CLI does not support custom metadata yet.

We could introduce an extra CLI option that allows the user to specify a summary message, for example.

Although possible, I think anything more complex, like writing JSON on the command line, would become cumbersome and error-prone.