theupdateframework / go-tuf

Go implementation of The Update Framework (TUF)
https://theupdateframework.com
Apache License 2.0

Offline flow requires repo for tuf payload #545

Closed udf2457 closed 8 months ago

udf2457 commented 1 year ago

The readme describes an offline flow that uses tuf payload root.json > root.json.payload as a starting point.

However, for reasons I don't understand, tuf payload appears to require the directory structure to be present (i.e. root.json in staged/root.json).

If you run tuf payload root.json on a file on its own, you are given an error ERROR: tuf: missing metadata file root.json.

However, if you tuf init and copy the same root.json into staged/root.json, then tuf payload root.json returns as expected.

My understanding is that tuf payload is doing little more than parsing root.json and outputting the payload for signing. If this is the case, then surely, as long as root.json is correctly formatted, the dependency on a TUF directory structure should be optional, not mandatory?
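For reference, an added example that is not part of the thread and is not go-tuf's code: TUF signatures are computed over the canonical JSON encoding of the `signed` object, so the bytes to sign can be derived from a single metadata file with no repository layout. The names `Payload` and `canon` are hypothetical, the sample input is constructed, and numbers are assumed to be integers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// canon encodes v as canonical JSON: sorted keys, no whitespace, only \ and " escaped.
func canon(v interface{}) string {
	switch t := v.(type) {
	case nil:
		return "null"
	case string: // newlines (e.g. in PEM keys) stay raw, unlike encoding/json output
		return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(t) + `"`
	case []interface{}:
		items := make([]string, len(t))
		for i, e := range t {
			items[i] = canon(e)
		}
		return "[" + strings.Join(items, ",") + "]"
	case map[string]interface{}:
		keys := make([]string, 0, len(t))
		for k := range t {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for i, k := range keys {
			keys[i] = canon(k) + ":" + canon(t[k])
		}
		return "{" + strings.Join(keys, ",") + "}"
	}
	return fmt.Sprint(v) // bool or json.Number; assumes integers, as TUF metadata uses
}

// Payload returns the bytes to sign for one metadata document; no repo layout involved.
func Payload(meta string) (string, error) {
	dec := json.NewDecoder(strings.NewReader(meta))
	dec.UseNumber() // keep integers exact instead of float64
	var env struct{ Signed map[string]interface{} }
	if err := dec.Decode(&env); err != nil || env.Signed == nil {
		return "", fmt.Errorf("no usable \"signed\" object in metadata: %v", err)
	}
	return canon(env.Signed), nil
}

func main() { // constructed sample, not a real root.json
	fmt.Println(Payload(`{"signatures":[],"signed":{"version":1,"_type":"root"}}`))
}
```

Because the output depends only on the parsed `signed` object, two files that differ in whitespace or key order produce identical bytes to sign.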

rdimitrov commented 8 months ago

Closing since the code base changed and the goal of the project would be to focus on being a library first and not so much on providing a CLI client.

There might be a CLI based on this, but it will live in a separate repository.

Thanks for raising this 👍