uploader API has two POST endpoints
/api/delegation/<ROLE>
Accepts new delegation keys for targetpath "<ROLE>/*" to role <ROLE>.
This data is not signed in any way: In a real service this action would
require some external authentication.
POST content:
{ <KEYID>: <TUF KEY> }
/api/role/<ROLE>
accepts uploads of new versions of <ROLE> metadata. The metadata
must be correctly signed by the keys assigned to this delegation.
POST content:
TUF targets metadata as json
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is only needed for threshold signing and not even used in the
example: leave it to the implementations to handle for now.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This no longer seems needed: if the metadata store does not contain
a single version of role, then open() can assume it is initializing.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is a collection of comment, documentation and logging fixes.
The noteworthy part is making it clear that repository is not stable
API yet: I think this is a good idea.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is not required for the demo but is more realistic: we keep
a cache of targets versions so that we can produce a new snapshot
whenever one is needed, without accessing all of the targets metadata
to do so.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This does not make the examples simpler now, but it will when
there are multiple locations where snapshot/timestamp are called.
* This way the snapshot/timestamp input material is an internal detail
of Repository and the call sites will be simpler.
* Both methods now have a "force" argument that can be used to create a
new version regardless of meta info changes
* but implementations are now required to implement snapshot_info
and targets_infos properties that represent the current snapshot and
targets versions in the repository
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This uses the repository module to create an app that
* generates everything from scratch
* serves metadata and targets from memory
* simulates a live repository by adding new targets every few seconds
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Instead of having duplicate metadata in examples/ and tests/repository_data, retain only the metadata in tests/repository_data and link to them from METADATA.md
