---

Deprecation notice:

The code base of this project got donated to https://github.com/theupdateframework/go-tuf where it replaced the existing implementation and is now being distributed under the v2 version.

That said take into account that I'll be archiving this repository in a few weeks so feel free to switch to https://github.com/theupdateframework/go-tuf/v2

I'm happy to see how something that started as a PoC while being sick with COVID progressed to replacing the existing go-tuf code a year later.

Thanks to everyone that helped.

---

A Framework for Securing Software Update Systems

---

The Update Framework (TUF) is a framework for secure content delivery and updates. It protects against various types of supply chain attacks and provides resilience to compromise.

go-tuf-metadata started from the idea of providing a Go implementation of TUF that is heavily influenced by the design decisions made in python-tuf.

About The Update Framework

---

The Update Framework (TUF) design helps developers maintain the security of a software update system, even against attackers that compromise the repository or signing keys. TUF provides a flexible specification defining functionality that developers can use in any software update system or re-implement to fit their needs.

TUF is hosted by the Linux Foundation as part of the Cloud Native Computing Foundation (CNCF) and its design is used in production by various tech companies and open-source organizations.

Please see TUF's website for more information about TUF!

Overview

---

The go-tuf-metadata project provides the following functionality:

• creation, reading, and writing of metadata
• an easy object-oriented approach for interacting with metadata
• consistent snapshots
• signing and verifying metadata
• ED25519, RSA, and ECDSA key types referenced by the latest TUF specification
• top-level role delegation
• target delegation via standard and hash bin delegations
• support of succinct hash bin delegations which significantly reduce the size of metadata
• support for unrecognized fields within the metadata (i.e. preserved and accessible through root.Signed.UnrecognizedFields["some-unknown-field"], also used for verifying/signing (if included in the Signed portion of the metadata))
• TUF client API
• TUF multi-repository client API (implements TAP 4 - Multiple repository consensus on entrusted targets)

Examples

---

• basic_repository.go example which demonstrates how to manually create and maintain repository metadata using the low-level Metadata API.

To try it - run make example-repository (the artifacts will be located at examples/repository/).

• client_example.go which demonstrates how to implement a client using the updater package.

To try it - run make example-client (the artifacts will be located at examples/client/)

• tuf-client CLI - a CLI tool that implements the client workflow specified by The Update Framework (TUF) specification.

To try it - run make example-tuf-client-cli

• multi-repository client example (TAP4) which demonstrates how to implement a multi-repository TUF client using the multirepo package.

To try it - run make example-multirepo

Package details

---

The metadata package

• The metadata package provides access to a Metadata file abstraction that closely follows the TUF specification’s document formats. This API handles de/serialization to and from files and bytes. It also covers the process of creating and verifying metadata signatures and makes it easier to access and modify metadata content. It is purely focused on individual pieces of Metadata and provides no concepts like “repository” or “update workflow”.

The trustedmetadata package

• A TrustedMetadata instance ensures that the collection of metadata in it is valid and trusted through the whole client update workflow. It provides easy ways to update the metadata with the caller making decisions on what is updated.

The config package

• The config package stores configuration for an Updater instance.

The fetcher package

• The fetcher package defines an interface for abstract network download.

The updater package

• The updater package provides an implementation of the TUF client workflow. It provides ways to query and download target files securely while handling the TUF update workflow behind the scenes. It is implemented on top of the Metadata API and can be used to implement various TUF clients with relatively little effort.

The multirepo package

• The multirepo package provides an implementation of TAP 4 - Multiple repository consensus on entrusted targets. It provides a secure search for particular targets across multiple repositories. It provides the functionality for how multiple repositories with separate roots of trust can be required to sign off on the same targets, effectively creating an AND relation and ensuring any files obtained can be trusted. It offers a way to initialize multiple repositories using a map.json file and also mechanisms to query and download target files securely. It is implemented on top of the Updater API and can be used to implement various multi-repository TUF clients with relatively little effort.

Documentation

---

• go-tuf-metadata documentation

• Introduction to TUF's Design

• The TUF Specification

Contact

---

Questions, feedback, and suggestions are welcomed on the #tuf channel on CNCF Slack.

We strive to make the specification easy to implement, so if you come across any inconsistencies or experience any difficulty, do let us know by sending an email, or by reporting an issue in the GitHub specification repo.