python-tuf/docs/INSTALLATION.rst

Installation
============

All versions of ``python-tuf`` can be installed from
`PyPI <https://pypi.org/project/tuf/>`_ with
`pip <https://pip.pypa.io/en/stable/>`_.

::

   python3 -m pip install tuf

By default tuf is installed as pure python package with limited cryptographic
abilities. See `Install with full cryptographic abilities`_ for more options.


Install with full cryptographic abilities
-----------------------------------------

Default installation supports signature verification only, using a pure Python
*ed25519* implementation. While this allows to operate a *basic client* on
almost any computing device, you will need additional cryptographic abilities
for *repository* code, i.e. key and signature generation, additional
algorithms, and more performant backends. Opt-in is available via
``securesystemslib``.

.. note::

   Please consult with underlying crypto backend installation docs. e.g.
   `cryptography <https://cryptography.io/en/latest/installation/>`_
   for possible system dependencies.

::

   python3 -m pip securesystemslib[crypto] tuf


Install for development
-----------------------

To install tuf in editable mode together with development dependencies,
`clone <https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository>`_ the
`python-tuf repository <https://github.com/theupdateframework/python-tuf>`_
from GitHub, change into the project root directory, and install with pip
(using `venv <https://docs.python.org/3/library/venv.html>`_ is recommended).

.. note::

   Development installation will `Install with full cryptographic abilities`_.
   Please check above for possible system dependencies.

::

   python3 -m pip install -r requirements/dev.txt


Application deployment
----------------------

The initial trusted root metadata (``root.json``) is the trust anchor for all
subsequent metadata verification. Applications should deploy a trusted root
with the application and provide it to :class:`tuf.ngclient.Updater`.

Recommended storage locations for bootstrap root metadata include:

* a system-wide read-only path (e.g. ``/usr/share/your-app/root.json``)
* an application bundle with appropriate permissions
* a read-only mounted volume in containerized deployments

Not recommended:

* ``metadata_dir`` (the metadata cache) since it is writable by design
* user-writable install paths (e.g. a user site-packages directory)
* any location writable by the account running the updater

Example::

   from tuf.ngclient import Updater

   with open("/usr/share/your-app/root.json", "rb") as f:
       bootstrap = f.read()

   updater = Updater(
       metadata_dir="/var/lib/your-app/tuf/metadata",
       metadata_base_url="https://example.com/metadata/",
       bootstrap=bootstrap,
   )


Verify release signatures
-------------------------

Releases on PyPI are signed with a maintainer key using
`gpg <https://gnupg.org/>`_  (see
`MAINTAINERS.txt <https://github.com/theupdateframework/python-tuf/blob/develop/docs/MAINTAINERS.txt>`_
for key fingerprints). Signatures can be downloaded from the
`GitHub release <https://github.com/theupdateframework/python-tuf/releases>`_
page (look for *\*.asc* files in the *Assets* section).

Below code shows how to verify the signature of a
`built <https://packaging.python.org/en/latest/glossary/#term-Built-Distribution>`_ distribution,
signed by the maintainer *Lukas Pühringer*. It works
alike for `source  <https://packaging.python.org/en/latest/glossary/#term-Source-Distribution-or-sdist>`_ distributions.

::

   # Get wheel from PyPI and signature from GitHub
   python3 -m pip download --no-deps tuf==0.20.0
   wget https://github.com/theupdateframework/python-tuf/releases/download/v0.20.0/tuf-0.20.0-py3-none-any.whl.asc

   # Get public key, compare fingerprint in MAINTAINERS.txt, and verify with gpg
   gpg --recv-keys 89A2AD3C07D962E8
   gpg --verify tuf-0.20.0-py3-none-any.whl.asc

   # Output:
   # gpg: assuming signed data in 'tuf-0.20.0-py3-none-any.whl'
   # gpg: Signature made Thu Dec 16 09:21:38 2021 CET
   # gpg:                using RSA key 8BA69B87D43BE294F23E812089A2AD3C07D962E8
   # gpg: Good signature from "Lukas Pühringer <lukas.puehringer@nyu.edu>" [ultimate]
Add CONTRIBUTOR.rst and INSTALLATION.rst Signed-off-by: Vladimir Diaz <vladimir.v.diaz@gmail.com> 2018-01-23 21:34:27 +00:00			`Installation`
DOC: move full install instructions to INSTALLATION.rst and note that if errors occur while installing the optional crypto dependencies, that the non-Python dependencies section should be consulted. Also adds a git clone step to the development installation instructions in the contributors' instructions, and other minor installation notes for contributors. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com> 2019-04-08 20:27:29 +00:00			`============`
Add CONTRIBUTOR.rst and INSTALLATION.rst Signed-off-by: Vladimir Diaz <vladimir.v.diaz@gmail.com> 2018-01-23 21:34:27 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			All versions of ``python-tuf`` can be installed from
			`PyPI <https://pypi.org/project/tuf/>`_ with
			`pip <https://pip.pypa.io/en/stable/>`_.
Add CONTRIBUTOR.rst and INSTALLATION.rst Signed-off-by: Vladimir Diaz <vladimir.v.diaz@gmail.com> 2018-01-23 21:34:27 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`::`
DOC: move full install instructions to INSTALLATION.rst and note that if errors occur while installing the optional crypto dependencies, that the non-Python dependencies section should be consulted. Also adds a git clone step to the development installation instructions in the contributors' instructions, and other minor installation notes for contributors. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com> 2019-04-08 20:27:29 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`python3 -m pip install tuf`
DOC: move full install instructions to INSTALLATION.rst and note that if errors occur while installing the optional crypto dependencies, that the non-Python dependencies section should be consulted. Also adds a git clone step to the development installation instructions in the contributors' instructions, and other minor installation notes for contributors. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com> 2019-04-08 20:27:29 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`By default tuf is installed as pure python package with limited cryptographic`
			abilities. See `Install with full cryptographic abilities`_ for more options.
Add CONTRIBUTOR.rst and INSTALLATION.rst Signed-off-by: Vladimir Diaz <vladimir.v.diaz@gmail.com> 2018-01-23 21:34:27 +00:00

doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`Install with full cryptographic abilities`
			`-----------------------------------------`
docs: Tweak INSTALLATION.rst * Remove link to outdated roadmap * Link to maintainers file in the same way as two lines earlier * Fix formatting issues with code blocks These fixes allow the installation rst to be used from sphinx sources and from docs root. Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com> 2021-08-19 13:20:41 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`Default installation supports signature verification only, using a pure Python`
			`ed25519 implementation. While this allows to operate a basic client on`
			`almost any computing device, you will need additional cryptographic abilities`
			`for repository code, i.e. key and signature generation, additional`
			`algorithms, and more performant backends. Opt-in is available via`
			``securesystemslib``.
Add CONTRIBUTOR.rst and INSTALLATION.rst Signed-off-by: Vladimir Diaz <vladimir.v.diaz@gmail.com> 2018-01-23 21:34:27 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`.. note::`
docs: Tweak INSTALLATION.rst * Remove link to outdated roadmap * Link to maintainers file in the same way as two lines earlier * Fix formatting issues with code blocks These fixes allow the installation rst to be used from sphinx sources and from docs root. Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com> 2021-08-19 13:20:41 +00:00
requirements: pynacl is no longer needed This is obsolete by now. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> 2024-12-11 08:29:13 +00:00			`Please consult with underlying crypto backend installation docs. e.g.`
			`cryptography <https://cryptography.io/en/latest/installation/>`_
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`for possible system dependencies.`
Update installation instructions to mention extra dependencies Signed-off-by: Vladimir Diaz <vladimir.v.diaz@gmail.com> 2018-06-04 18:52:05 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`::`
DOC: move full install instructions to INSTALLATION.rst and note that if errors occur while installing the optional crypto dependencies, that the non-Python dependencies section should be consulted. Also adds a git clone step to the development installation instructions in the contributors' instructions, and other minor installation notes for contributors. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com> 2019-04-08 20:27:29 +00:00
requirements: pynacl is no longer needed This is obsolete by now. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> 2024-12-11 08:29:13 +00:00			`python3 -m pip securesystemslib[crypto] tuf`
DOC: move full install instructions to INSTALLATION.rst and note that if errors occur while installing the optional crypto dependencies, that the non-Python dependencies section should be consulted. Also adds a git clone step to the development installation instructions in the contributors' instructions, and other minor installation notes for contributors. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com> 2019-04-08 20:27:29 +00:00

doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`Install for development`
DOC: move full install instructions to INSTALLATION.rst and note that if errors occur while installing the optional crypto dependencies, that the non-Python dependencies section should be consulted. Also adds a git clone step to the development installation instructions in the contributors' instructions, and other minor installation notes for contributors. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com> 2019-04-08 20:27:29 +00:00			`-----------------------`

doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`To install tuf in editable mode together with development dependencies,`
			`clone <https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository>`_ the
			`python-tuf repository <https://github.com/theupdateframework/python-tuf>`_
			`from GitHub, change into the project root directory, and install with pip`
			(using `venv <https://docs.python.org/3/library/venv.html>`_ is recommended).
DOC: move full install instructions to INSTALLATION.rst and note that if errors occur while installing the optional crypto dependencies, that the non-Python dependencies section should be consulted. Also adds a git clone step to the development installation instructions in the contributors' instructions, and other minor installation notes for contributors. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com> 2019-04-08 20:27:29 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`.. note::`
docs: Tweak INSTALLATION.rst * Remove link to outdated roadmap * Link to maintainers file in the same way as two lines earlier * Fix formatting issues with code blocks These fixes allow the installation rst to be used from sphinx sources and from docs root. Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com> 2021-08-19 13:20:41 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			Development installation will `Install with full cryptographic abilities`_.
			`Please check above for possible system dependencies.`
DOC: move full install instructions to INSTALLATION.rst and note that if errors occur while installing the optional crypto dependencies, that the non-Python dependencies section should be consulted. Also adds a git clone step to the development installation instructions in the contributors' instructions, and other minor installation notes for contributors. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com> 2019-04-08 20:27:29 +00:00
doc: update installation documentation Update severely outdated installation documentation. - Simplify "Simple Installation" section - Update "Release Verification" section to actually verify a tuf release and with a key of an active maintainer - Update and simplify section about non-python dependencies (just point to installation instructions for underlying crypto backends, they are up-to-date and have become a lot easier) - Add "Development installation" section Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-09 16:43:19 +00:00			`::`
docs: Tweak INSTALLATION.rst * Remove link to outdated roadmap * Link to maintainers file in the same way as two lines earlier * Fix formatting issues with code blocks These fixes allow the installation rst to be used from sphinx sources and from docs root. Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com> 2021-08-19 13:20:41 +00:00
build: shorten requirements file names Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> 2023-02-06 11:18:19 +00:00			`python3 -m pip install -r requirements/dev.txt`
doc: move verify section in install docs Move release signature verification instructions to bottom of install docs. The doc is short, so the section is still prominent enough for promoting verification, but does not break the reading flow as much anymore. Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-10 09:07:13 +00:00

address review feedback: remove redundant root.json writes, rename docs section Signed-off-by: 1seal <security@1seal.org> 2026-02-06 12:58:53 +00:00			`Application deployment`
			`----------------------`
feat(ngclient): require explicit bootstrap argument make bootstrap required and explicit: callers must pass bootstrap=<root_bytes> or bootstrap=None. also tighten docs, examples, and tests to reflect the explicit trust anchor choice. Signed-off-by: 1seal <security@1seal.org> 2026-01-25 11:50:37 +00:00
			The initial trusted root metadata (``root.json``) is the trust anchor for all
			`subsequent metadata verification. Applications should deploy a trusted root`
			with the application and provide it to :class:`tuf.ngclient.Updater`.

			`Recommended storage locations for bootstrap root metadata include:`

			* a system-wide read-only path (e.g. ``/usr/share/your-app/root.json``)
			`* an application bundle with appropriate permissions`
			`* a read-only mounted volume in containerized deployments`

			`Not recommended:`

			* ``metadata_dir`` (the metadata cache) since it is writable by design
			`* user-writable install paths (e.g. a user site-packages directory)`
			`* any location writable by the account running the updater`

			`Example::`

			`from tuf.ngclient import Updater`

			`with open("/usr/share/your-app/root.json", "rb") as f:`
			`bootstrap = f.read()`

			`updater = Updater(`
			`metadata_dir="/var/lib/your-app/tuf/metadata",`
			`metadata_base_url="https://example.com/metadata/",`
			`bootstrap=bootstrap,`
			`)`


doc: move verify section in install docs Move release signature verification instructions to bottom of install docs. The doc is short, so the section is still prominent enough for promoting verification, but does not break the reading flow as much anymore. Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> 2022-02-10 09:07:13 +00:00			`Verify release signatures`
			`-------------------------`

			`Releases on PyPI are signed with a maintainer key using`
			`gpg <https://gnupg.org/>`_ (see
			`MAINTAINERS.txt <https://github.com/theupdateframework/python-tuf/blob/develop/docs/MAINTAINERS.txt>`_
			`for key fingerprints). Signatures can be downloaded from the`
			`GitHub release <https://github.com/theupdateframework/python-tuf/releases>`_
			`page (look for \.asc* files in the Assets section).`

			`Below code shows how to verify the signature of a`
			`built <https://packaging.python.org/en/latest/glossary/#term-Built-Distribution>`_ distribution,
			`signed by the maintainer Lukas Pühringer. It works`
			alike for `source <https://packaging.python.org/en/latest/glossary/#term-Source-Distribution-or-sdist>`_ distributions.

			`::`

			`# Get wheel from PyPI and signature from GitHub`
			`python3 -m pip download --no-deps tuf==0.20.0`
			`wget https://github.com/theupdateframework/python-tuf/releases/download/v0.20.0/tuf-0.20.0-py3-none-any.whl.asc`

			`# Get public key, compare fingerprint in MAINTAINERS.txt, and verify with gpg`
			`gpg --recv-keys 89A2AD3C07D962E8`
			`gpg --verify tuf-0.20.0-py3-none-any.whl.asc`

			`# Output:`
			`# gpg: assuming signed data in 'tuf-0.20.0-py3-none-any.whl'`
			`# gpg: Signature made Thu Dec 16 09:21:38 2021 CET`
			`# gpg: using RSA key 8BA69B87D43BE294F23E812089A2AD3C07D962E8`
			`# gpg: Good signature from "Lukas Pühringer <lukas.puehringer@nyu.edu>" [ultimate]`