tuftool is a Rust command-line utility for generating and signing TUF repositories.
## Installing

To install the latest version of tuftool:

By default, cargo installs binaries to `~/.cargo/bin`, so you will need this in your path. See the cargo book for more about installing Rust binary crates.
## Minimal TUF Repo

The following is an example of how you can create and download a TUF repository using tuftool.

First, create a working directory:
### Create a root.json and Signing Key

For production you may want to use a service like AWS KMS, but for this example we will create keys locally as files:
```sh
# we will store our root.json in $WRK/root
# save the path to the root.json we are about to create, we will use it a lot
# we will store our signing keys in $WRK/keys
# instantiate a new root.json
# set the root file's expiration date
# set the signing threshold for each of the standard signing roles. we are saying
# that each of the following roles must have at least 1 valid signature
# create an RSA key and store it as a file. this requires openssl on your system
# this command both creates the key and adds it to root.json for the root role
# for this example we will re-use the same key for the other standard roles
# sign root.json
```
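As an added check that is not part of tuftool or this README: after the sign step, a short Python script can confirm that root.json carries the expiry, the per-role thresholds and the root-role signatures the walkthrough set up, before the file is used to create a repo. It reads the standard TUF root layout (`signed.roles`, `signed.keys`, `signatures`) and checks structure only, not signature bytes; `sample_root`, `check_root` and the key id `k1` are names chosen here, and the sample root.json is constructed, not tuftool output.

```python
import json
from datetime import datetime

ROLES = ("root", "snapshot", "targets", "timestamp")


def sample_root(snapshot_threshold=1, signed=True):
    """Constructed root.json in the TUF layout (not tuftool output); key and sig values are fake."""
    roles = {r: {"keyids": ["k1"], "threshold": 1} for r in ROLES}
    roles["snapshot"]["threshold"] = snapshot_threshold
    return json.dumps({
        "signatures": [{"keyid": "k1", "sig": "00ff"}] if signed else [],
        "signed": {
            "_type": "root", "expires": "2030-01-01T00:00:00Z",
            "keys": {"k1": {"keytype": "rsa", "scheme": "rsassa-pss-sha256",
                            "keyval": {"public": "<fake pem>"}}},
            "roles": roles,
        },
    })


def _ts(iso):
    # TUF timestamps are UTC and end in "Z", which fromisoformat() only accepts from Python 3.11
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def check_root(root_json, now_iso):
    """Return structural problems with a root.json (empty list means OK). Checks expiry,
    thresholds and key references only; tuftool verifies the signatures themselves."""
    root = json.loads(root_json)
    signed, problems = root["signed"], []
    if _ts(signed["expires"]) <= _ts(now_iso):
        problems.append(f"root.json expired at {signed['expires']}")
    keys = signed.get("keys", {})
    for role in ROLES:
        spec = signed["roles"].get(role)
        if spec is None:
            problems.append(f"role {role} missing")
            continue
        unknown = [k for k in spec["keyids"] if k not in keys]
        if unknown:
            problems.append(f"role {role} references unknown keyids {unknown}")
        if spec["threshold"] < 1:
            problems.append(f"role {role} threshold must be at least 1")
        elif len(spec["keyids"]) < spec["threshold"]:
            problems.append(f"role {role} has fewer keys than its threshold")
    # root.json itself must carry at least <root threshold> signatures made by root-role keys
    root_spec = signed["roles"].get("root", {"keyids": [], "threshold": 1})
    signers = {s["keyid"] for s in root.get("signatures", []) if s["keyid"] in root_spec["keyids"]}
    if len(signers) < root_spec["threshold"]:
        problems.append(f"root.json has {len(signers)} root-key signatures, needs {root_spec['threshold']}")
    return problems
```

Run `check_root(open(path).read(), "<current UTC time>")` against the file at `$ROOT`; a non-empty list means the root metadata will be rejected or will expire before clients can use it.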
### Create a new TUF Repo

Now that we have a root.json file, we can create and sign a TUF repository.

```sh
# create a directory to hold the targets that we will sign. we call this the
# 'input' directory because these are the targets that we want to put into
# our TUF repo
# create the targets that we want in our TUF repo
# create a tuf repo!
# you can see our signed repository's metadata here:
# and you can see our signed repository's targets here:
```
### Update TUF Repo
```sh
# Change one of the target files
# update tuf repo!
```
### Download TUF Repo

Now that we have created a TUF repo, we can inspect it using the download command. The download command is usually used to fetch a remote repo over an HTTP/S URL, but for this example we will use a file-based URL to download from the local repo.

```sh
# download tuf repo
```
## HTTP Proxy Support

tuftool respects the `HTTPS_PROXY` and `NO_PROXY` environment variables.
## Testing

Unit tests are run in the usual manner: `cargo test`.

Integration tests require working AWS credentials and are disabled by default behind a feature named `integ`.

To run all tests, including integration tests: `cargo test --features 'integ'`, or `AWS_PROFILE=test-profile cargo test --features 'integ'` to use a specific profile.