Add a more complicated repo example with the CLI

Signed-off-by: Vladimir Diaz <vladimir.v.diaz@gmail.com>
This commit is contained in:
Vladimir Diaz 2018-04-10 15:19:04 -04:00
parent c302bf6c36
commit 416c0d75cc
No known key found for this signature in database
GPG key ID: 5DEE9B97B0E2289A

View file

@ -51,6 +51,9 @@ $ tree .
## Replace a top-level key ##
Note: The top-level keys should be named "root_key," "targets_key," "snapshot_key,"
and "root_key." Additional top-level keys may be named anything, and must
be used with --sign.
```Bash
$ repo.py --init
@ -63,16 +66,91 @@ Enter a password for the encrypted key (tufkeystore/root_key):
## A more complicated example ##
(1) create a bare repo (2) add keys to the top-level roles (3) delegate
trust of particular target files to another role X, where role X has a
signature threshold >1 and is marked as a terminating delegation (4) create a
subdelegation Y (5) have role X sign for a file also trusted and signed by role Y, to
demonstrate the expected file that should be downloaded by clients (6)
perform an update (7) revoke Y (8) show update behavior after Y's revocation.
(1) create a bare repo (2) add keys to the top-level roles (3) delegate trust
of particular target files to another role X, where role X has a signature
threshold 2 and is marked as a terminating delegation (4) Delegate from role X
to role Y. (5) have role X sign for a file also signed by the Targets role, to
demonstrate the expected file that should be downloaded by the client (6)
perform an update (7) halt the server, add README.txt to the Targets role,
restart server, and fetch the Target's role README.txt (8) Add LICENSE to
yrole and demonstate that the client must not fetch it because xrole is
a terminating delegation (and hasn't signed for it).
(1) and (2)
```Bash
$ repo.py --init --consistent --bare
$ repo.py --key ed25519 --filename root_key
$ repo.py --trust --pubkeys tufkeystore/root_key.pub --role root
$ repo.py --key ecdsa --filename targets_key
$ repo.py --trust --pubkeys tufkeystore/targets_key.pub --role targets
$ repo.py --key rsa --filename snapshot_key
$ repo.py --trust --pubkeys tufkeystore/snapshot_key.pub --role snapshot
$ repo.py --key ecdsa --filename timestamp_key
$ repo.py --trust --pubkeys tufkeystore/timestamp_key.pub --role timestamp
$ repo.py --sign tufkeystore/root_key --role root
Enter a password for the encrypted key (tufkeystore/root_key):
$ repo.py --sign tufkeystore/targets_key --role targets
Enter a password for the encrypted key (tufkeystore/targets_key):
```
(3) and (4)
```Bash
$ repo.py --delegate "README.*" "LICENSE" --delegatee xrole --pubkeys
tufkeystore/xkey.pub tufkeystore/xkey2.pub --threshold 2 --terminating
$ repo.py --sign tufkeystore/xkey tufkeystore/xkey2 --role xrole
$ repo.py --key ed25519 --filename ykey
$ repo.py --delegate "README.*" "LICENSE" --delegatee yrole --role xrole
--pubkeys tufkeystore/ykey.pub --sign tufkeystore/xkey tufkeystore/xkey2
$ repo.py --sign tufkeystore/ykey --role yrole
```
(5) and (6)
```Bash
$ echo "xrole's readme" > README.txt
$ repo.py --add README.txt --role xrole --sign tufkeystore/xkey tufkeystore/xkey2
```
Serve the repo
```Bash
$ cd tufrepo/
$ python -m SimpleHTTPServer 8001
```
Fetch the xrole's README.txt
```Bash
$ client.py --repo http://localhost:8001 README.txt
$ cat tuftargets/README.txt
xrole's readme
```
(7)
```Bash
$ repo.py --init --bare
halt server...
$ echo "Target role's readme" > README.txt
$ repo.py --add README.txt
restart server...
```
```Bash
$ rm -rf tuftargets/ tuf.log
$ client.py --repo http://localhost:8001 README.txt
$ cat tuftargets/README.txt
Target role's readme
```
(8)
```Bash
$ echo "yrole's license" > LICENSE
$ repo.py --add LICENSE --role yrole --sign tufkeystore/ykey
```
```Bash
$ rm -rf tuftargets/ tuf.log
$ client.py --repo http://localhost:8001 LICENSE
Traceback (most recent call last):
...
tuf.exceptions.UnknownTargetError: 'LICENSE' not found.
```