jku / tuf-demo

An automated TUF repository demo
https://jku.github.io/tuf-demo/metadata/
6 stars 3 forks source link
tuf

TUF repository demo

This is a live TUF repository, intended for testing and demonstrations. It's maintained with TUF-on-CI.

The goals of this project are:

Being a secure delivery mechanism for any specific artifacts is not a goal: this is a demo. If you have questions, the TUF-on-CI slack is a good place.

Becoming a signer

We'll try to offer anyone in the TUF community the ability to add and modify artifacts in this repository.

The process is not formalized yet but if you'd like to become a signer please open an issue and we'll go from there:

Using the repository with a TUF client

The repository is published at https://jku.github.io/tuf-demo. Metadata and artifacts are in subdirectories metadata and targets respectively (so as an example current timestamp metadata is found in https://jku.github.io/tuf-demo/metadata/timestamp.json).

A Python example client is provided below but any TUF client should work.

Example Python client ```python # Example client for https://jku.github.io/tuf-demo repository # Usage example: ./client.py file1.txt import os, requests, sys from tuf.ngclient import Updater url = "https://jku.github.io/tuf-demo/" metadata_dir = "/tmp/tuf-demo/" if len (sys.argv) != 2: sys.exit(f"Usage: {sys.argv[0]} ") # Trust-on-first-use: Download initial root metadata if it's not available if not os.path.exists(f"{metadata_dir}/root.json"): os.makedirs(metadata_dir, exist_ok=True) with open(f"{metadata_dir}/root.json", "wb") as f: f.write(requests.get(f"{url}/metadata/1.root.json").content) # Download target securely using python-tuf updater = Updater( metadata_dir=metadata_dir, metadata_base_url=f"{url}/metadata/", target_dir="./", target_base_url=f"{url}/targets/" ) info = updater.get_targetinfo(sys.argv[1]) if not info: print(f"'{sys.argv[1]}' not found") sys.exit() path = updater.find_cached_target(info) if path: print(f"'{path}' is already up-to-date") sys.exit() path = updater.download_target(info) print(f"Downloaded '{path}'") ```