From b8bec7be7d1d22c551c4b52c2477af632a45a713 Mon Sep 17 00:00:00 2001 From: Vladimir Diaz Date: Wed, 27 Jun 2018 10:40:40 -0400 Subject: [PATCH 1/2] Relocate the --sign section, add line breaks, and minor revision to text Signed-off-by: Vladimir Diaz --- docs/CLI.md | 49 ++++++++++++++++++++++++------------------------- 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/docs/CLI.md b/docs/CLI.md index 14a75271..87a146ce 100644 --- a/docs/CLI.md +++ b/docs/CLI.md @@ -8,7 +8,7 @@ The CLI requires a few dependencies and C extensions that can be installed with [CLI_EXAMPLES.md](CLI_EXAMPLES.md) covers more complex examples. - +---- ## Create a repository ## Create a TUF repository in the current working directory. A cryptographic key @@ -35,8 +35,8 @@ $ repo.py --init [--targets_pw, --root_pw, --snapshot_pw, --timestamp_pw] -Create a TUF repository in the current working directory. A cryptographic key -is *not* created nor set for each top-level role. +Create a bare TUF repository in the current working directory. A cryptographic +key is *not* created nor set for each top-level role. ```Bash $ repo.py --init --bare ``` @@ -54,7 +54,6 @@ $ repo.py --init --consistent - ## Add a target file ## Copy a target file to the repo and add it to the Targets metadata (or the @@ -75,9 +74,6 @@ $ repo.py --add --path - - - ## Remove a target file ## Remove a target file from the Targets metadata (or the Targets role specified 
@@ -131,6 +127,24 @@ Confirm: +## Sign metadata ## +Sign, with the specified key(s), the metadata of the role indicated in --role. +The Snapshot and Timestamp role are also automatically signed, if possible, but +this behavior can be disabled with --no_release. +```Bash +$ repo.py --sign ... [--role , --path ] +``` + +For example, to sign the delegated `foo` metadata: +```Bash +$ repo.py --sign /path/to/foo_key --role foo +``` + +Note: In the future, the user might have the option of disabling automatic +signing of Snapshot and Timestamp metadata. + + + ## Trust keys ## The Root role specifies the trusted keys of the top-level roles, including @@ -148,6 +162,8 @@ $ repo.py --trust --pubkeys tufkeystore/my_key.pub tufkeystore/my_key_too.pub --role root ``` + + ### Distrust keys ### Conversely, the Root role can discontinue trust of specified key(s). @@ -159,24 +175,6 @@ $ repo.py --distrust --pubkeys tufkeystore/my_key_too.pub --role root -## Sign metadata ## -Sign, with the specified key(s), the metadata of the role indicated in --role. -The Snapshot and Timestamp role are also automatically signed, if possible, but -this behavior can be disabled with --no_release. -```Bash -$ repo.py --sign ... [--role , --path ] -``` - -For example, to sign the delegated `foo` metadata: -```Bash -$ repo.py --sign /path/to/foo_key --role foo -``` - -Note: In the future, the user might have the option of disabling automatic -signing of Snapshot and Timestamp metadata. - - - ## Delegation ## Delegate trust of target files from the Targets role (or the one specified in @@ -237,3 +235,4 @@ $ repo.py --clean $ repo.py --clean --path ``` (--clean by itself removes TUF files from the current working directory.) +---- From 46a624f897a0d64a20c42fdc05b1c468001dde91 Mon Sep 17 00:00:00 2001 From: Vladimir Diaz Date: Wed, 27 Jun 2018 11:21:35 -0400 Subject: [PATCH 2/2] Revise 'clean' section, modify a couple headings, and minor tweaks to text 
Signed-off-by: Vladimir Diaz --- docs/CLI.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/CLI.md b/docs/CLI.md index 87a146ce..29ffcca5 100644 --- a/docs/CLI.md +++ b/docs/CLI.md @@ -24,7 +24,7 @@ Optionally, the repository can be written to a specified location. $ repo.py --init --path ``` -Note: The default top-level key files created with `--init` are saved to disk +The default top-level key files created with `--init` are saved to disk encrypted, with a default password of 'pw'. Instead of using the default password, the user can enter one on the command line for each top-level role. These optional command-line options also work with other CLI actions (e.g., @@ -102,10 +102,11 @@ $ repo.py --remove "*" --role my_role --sign tufkeystore/my_role_key Generate a cryptographic key. The generated key can later be used to sign specific metadata with `--sign`. The supported key types are: `ecdsa`, `ed25519`, and `rsa`. If a keytype is not given, an Ed25519 key is generated. -Note: If adding a top-level key to a bare repo (i.e., repo.py --init --bare), -the top-level keys should be named "root_key," "targets_key," "snapshot_key," -"timestamp_key." Additional top-level keys may be named anything, and must be -used with --sign. + +If adding a top-level key to a bare repo (i.e., repo.py --init --bare), +the filenames of the top-level keys must be "root_key," "targets_key," +"snapshot_key," "timestamp_key." The filename can vary for any additional +top-level key. ```Bash $ repo.py --key $ repo.py --key @@ -140,9 +141,6 @@ For example, to sign the delegated `foo` metadata: $ repo.py --sign /path/to/foo_key --role foo ``` -Note: In the future, the user might have the option of disabling automatic -signing of Snapshot and Timestamp metadata. - ## Trust keys ## 
@@ -175,7 +173,7 @@ $ repo.py --distrust --pubkeys tufkeystore/my_key_too.pub --role root -## Delegation ## +## Delegations ## Delegate trust of target files from the Targets role (or the one specified in --role) to some other role (--delegatee). --delegatee is trusted to sign for @@ -199,7 +197,7 @@ $ repo.py --delegate "foo*.tgz" --delegatee foo --pubkeys tufkeystore/foo.pub -## Revocation ## +## Revocations ## Revoke trust of target files from a delegated role (--delegatee). The "targets" role performs the revocation if --role is not specified. The @@ -230,9 +228,13 @@ $ repo.py --verbose <0-5> ## Clean ## Remove the files created via `repo.py --init`. + +Delete the repo in the current working directory, or the one specified with +`--path`. Specifically, the `tufrepo`, `tufclient`, and `tufkeystore` +directories are deleted. + ```Bash $ repo.py --clean $ repo.py --clean --path ``` -(--clean by itself removes TUF files from the current working directory.) ----
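Review bot: In PATCH 1/2, hunk @@ -35,8 +35,8 @@, the reworded sentence "A cryptographic key is *not* created nor set for each top-level role" keeps the awkward "not ... nor" construction. Suggest "No cryptographic key is created or set for any top-level role". It would also help to point the reader from here to the key generation section, since the later text on bare repos depends on the top-level key filenames.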
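Review bot: In PATCH 1/2, hunk @@ -131,6 +127,24 @@, the relocated "Sign metadata" section contradicts itself. Its first paragraph says automatic signing of Snapshot and Timestamp "can be disabled with --no_release", while the closing Note says the user "might have the option" of disabling it "in the future". Drop the Note in this patch rather than carrying it through the move (PATCH 2/2 removes it anyway), and change "The Snapshot and Timestamp role are" to "roles are".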
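Review bot: In PATCH 1/2, the final hunk @@ -237,3 +235,4 @@ adds `----` directly under the line "(--clean by itself removes TUF files from the current working directory.)" with no blank line between them. Markdown reads a dash line immediately below a paragraph line as a setext heading underline, so that sentence renders as a level-2 heading instead of being followed by a rule. Add a blank line before the `----`.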
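Review bot: In PATCH 2/2, hunk @@ -24,7 +24,7 @@, removing the "Note:" prefix makes the default key password 'pw' read as an ordinary detail, although it is the most security-relevant sentence in the section. A password published in the documentation gives the encrypted key files no real protection. Suggest keeping the callout and saying outright that the per-role options (--root_pw, --targets_pw, --snapshot_pw, --timestamp_pw) should be set for any repository whose keys matter.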
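Review bot: In PATCH 2/2, hunk @@ -102,10 +102,11 @@, the rewrite drops the statement that additional top-level keys "must be used with --sign". If that requirement still holds, keep it, because the new sentence "The filename can vary for any additional top-level key" leaves the reader unsure how such a key is picked up. The filename list also places commas inside the quotes ("root_key," "targets_key,") and lacks a final "and". Backticks (`root_key`, `targets_key`, `snapshot_key`, and `timestamp_key`) would make the exact filenames unambiguous now that the wording says "must".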
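Review bot: In PATCH 2/2, hunk @@ -175,7 +173,7 @@, renaming the heading "Delegation" to "Delegations" changes the anchor that Markdown renderers generate for the section, and the same applies to "Revocation" to "Revocations" in the next hunk. Check CLI_EXAMPLES.md and any other document that links to these sections, and update the fragment links in the same commit.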
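Review bot: In PATCH 2/2, hunk @@ -230,9 +228,13 @@, the new paragraph lists `tufkeystore` among the deleted directories without saying that this is where the signing keys in the earlier examples live (e.g. tufkeystore/my_role_key). State explicitly that --clean removes the key files along with the metadata, and advise backing up any keys that are still needed. The retained first sentence, "Remove the files created via `repo.py --init`", now overlaps with the new paragraph and could be merged into it.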