Lighter installation of TUF

[trishankatdatadog]

Description of issue or feature request:

Right now, TUF assumes that a default installation requires compilation of cryptographic libraries in order to mitigate side-channel attacks on the repository and / or developer tools.

I think we should consider allowing installing for a "light" version of TUF on clients that would not sign anything, but rather check signatures using only pure Python Ed25519 modules.

Current behavior:

TUF requires compiling cryptographic libraries in order to be used at all.

Expected behavior:

TUF should provide an option to support verifying Ed25519 signatures in pure Python, without compiling and installing native-code crypto libraries.

[vladimir-v-diaz]

@trishankatdatadog

I was able to perform a client update in pure python with secure-systems-lab/securesystemslib#149.

Although I haven't made a new release of securesystemslib that contains the change, and the change hasn't been fully unit tested (working on that now), you should be able to give it a try yourself.

The expected installation commands:
pip install tuf should successfully install securesystemslib without needing to install cryptography, pynacl, and colorama. Clients are only able to verify Ed25519 keys, by default. For users who wish to fully support RSA and ECDSA keys, including the repo tool, they must issue the following commands:

pip install securesystemslib['crypto'] (installs cryptography and colorama)
pip install securesystemslib['pynacl] (installs pynacl, but not cryptography. This is intended for those users who want to verify ed25519 signatures with the C extensions).

[vladimir-v-diaz]

Here's the output from my testing of #727:

(pure_ed25519) $ client.py --repo http://localhost:8001 testfile
(pure_ed25519) $ ls tuftargets/
testfile
(pure_ed25519) $ pip freeze
asn1crypto==0.24.0
cffi==1.11.5
enum34==1.1.6
idna==2.6
ipaddress==1.0.22
iso8601==0.1.12
pycparser==2.18
-e git+git@github.com:vladimir-v-diaz/securesystemslib.git@264cdbef13e00c0b71ecaa44b135fb9f62613ed5#egg=securesystemslib
six==1.11.0
tuf==0.11.0
(pure_ed25519) $

Note: cryptography, pynacl, and colorama are not installed.

[trishankatdatadog]

Very nice, thanks, Vlad!

[vladimir-v-diaz]

@trishankatdatadog
Should I merge the changes in secure-systems-lab/securesystemslib#149 and cut a new release? The SSL release will also contain your changes in secure-systems-lab/securesystemslib#148.

in-toto does indeed require the cryptography dependency, but it appears it only needs it for GPG support. I suppose GPG support can be added to SSL.

Note: We have a summer intern who might be able to help.

[trishankatdatadog]

Yeah, please go ahead and merge, though we're going to need another SSLib release, so maybe let's hold off the release at least?

Good to hear about the intern!

[vladimir-v-diaz]

The setup.py and requirements files were updated to support SSLib v0.11.2 and a lighter installation of crypto routines. See #739.

I also made a dev release (v0.12.dev0) that can be used for testing. It is available on PyPI, which you can install with pip install --pre.

Cheers! Closing this issue as addressed.

[trishankatdatadog]

Thanks @vladimir-v-diaz you have been very helpful! 🙇