Support the following installation setup:
# Minimal install intended for clients (pure Python, only ed25519 signatures).
pip install tuf
# Optional installation required by the TUF repository tools (RSA keys and rsassa-pss
# signatures, faster ed25519 cryptographic computations, general-purpose cryptography, etc.)
pip install tuf[tools]
Re-implement the fix for issue #167.
Update comments and docstrings related to the fixes above.
Add setuptools' find_packages() to avoid repeated updates to the list of packages.
Add setup() arguments, such as classifiers (Trove classifiers used for project classification and searching), keywords, and extra requirements.
Add pip requirements installation file.
Update supported tuf installation options:
Installing from pip and installing an extras requirement (pip install tuf[fast_ed25519]).
Update modules affected by the changes made to the latest versions of pyca-ed25519 and pyca-pynacl:
Do not use the unsafe key and signature generation functions of pure python ed25519, but do support the signature verification routine. Developers must use the faster and secure pynacl+libsodium to generate ed25519 keys and signatures.
Temporarily suppress pynacl's import warning error.
Minor edits to comments and code.
Remove find-code.sh
Note: We are replacing find-code.sh because git-grep does the same, and more. Also, a development script unrelated to TUF should probably not be included in the source. Developers who may modify the source are likely to have their preferred way of doing things.
Thanks given to Trishank, Santiago, Justin, Zane, Monzur, Lai, Dennis, and the appsec students for reviewing & testing the changes made in this pull request.
Minor updates to comments of the previous repository_tool.py commit.
Update repository_tool-diagram.png to list disable_console_log_messages().
Rename disable_console_messages().
repository_tool.py methods that add keys to roles should also log a warning if it detects a shared key.
Add a console handler, and a function to disable it, to repository_tool.py.
Update _delete_obsolete_metadata() docstring and comments in repository_tool.py.
Rename the unused 'json_object' variable in util.py.
Roles are allowed to share verification keys. Update repository_tool.py so that the targets role can successfully load an already recognized key when loading a repository. Reported by Santiago.
Properly strip (again) the digest prepended to 'digest.filename' files.
The required '+1' appears to have been accidentally deleted in a recent commit:
298f52ddb8 (diff-59d384d80d746c800b16c8387756c0ccL2750)
Thanks to Santiago for locating the bug.
The previous exception raised when a non-signing key is loaded may be misinterpreted:
tuf.Error: The private key is unavailable.
Changed to: This is not a private key.
Santiago's request: The key-removal methods in repository_tool.py should raise an exception if the key argument has not been previously loaded. They previously returned silently if the key was not found.
Update repository_tool.py and keys.py functions that import RSA public key files. Perform a simple check of the PEM string so that an improperly formatted PEM is detected sooner. Reported by Santiago.
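The kind of early sanity check the commit above describes, as an added illustration rather than TUF's own keys.py code: the hypothetical check_pem_public_key() helper and FormatError class are assumptions, and the check only confirms that the string has matching BEGIN/END lines with a public-key label, a base64 body, and a DER SEQUENCE at the start, so an obviously malformed file is rejected with a clear message before the real RSA parser ever sees it.

```python
import base64
import binascii
import re

# Hypothetical helper, not TUF's own code: a cheap structural check on a
# PEM string before it is handed to the RSA parser, so a malformed file
# fails early with a clear message instead of deep inside the crypto library.

PEM_HEADER_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
PEM_FOOTER_RE = re.compile(r"^-----END ([A-Z ]+)-----$")

# Labels accepted for a public key: SubjectPublicKeyInfo and PKCS#1 RSAPublicKey.
PUBLIC_KEY_LABELS = ("PUBLIC KEY", "RSA PUBLIC KEY")


class FormatError(ValueError):
    """Raised when the PEM string is structurally malformed."""


def check_pem_public_key(pem):
    """Return the PEM label (e.g. 'PUBLIC KEY') if 'pem' looks like a
    well-formed public-key PEM block; raise FormatError otherwise."""
    if not isinstance(pem, str):
        raise FormatError("PEM must be a text string.")

    # Drop surrounding whitespace and blank lines; keep the line order.
    lines = [line.strip() for line in pem.strip().splitlines() if line.strip()]
    if len(lines) < 3:
        raise FormatError("PEM block needs a BEGIN line, a body and an END line.")

    head = PEM_HEADER_RE.match(lines[0])
    foot = PEM_FOOTER_RE.match(lines[-1])
    if head is None or foot is None:
        raise FormatError("Missing or malformed BEGIN/END lines.")

    label = head.group(1)
    if foot.group(1) != label:
        raise FormatError("BEGIN label %r does not match END label %r."
                          % (label, foot.group(1)))
    if label not in PUBLIC_KEY_LABELS:
        # A private key handed to a public-key loader is the mistake the
        # commit wants to surface early, so name it explicitly.
        raise FormatError("Expected a public key block, got %r." % label)

    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        raise FormatError("PEM body is not valid base64.")

    # Both SubjectPublicKeyInfo and RSAPublicKey are DER SEQUENCEs (tag 0x30).
    if not der or der[0] != 0x30:
        raise FormatError("Decoded PEM body does not start with a DER SEQUENCE.")

    return label


if __name__ == "__main__":
    # Constructed sample: a minimal DER SEQUENCE, not a real RSA key.
    sample = "-----BEGIN PUBLIC KEY-----\nMAMCAQU=\n-----END PUBLIC KEY-----\n"
    print(check_pem_public_key(sample))
```

The check is deliberately shallow: it does not parse the key or validate the modulus, it only rejects input that cannot possibly be a public-key PEM, leaving the cryptographic validation to the library that follows.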
The layout_type flag is used to decide whether a regular directory structure is going to be used, that is, whether the targets folder is under the metadata_directory tree or not. This flag lets the project module decide in which places to locate metadata (i.e. whether it needs a metadata subdirectory or not).
Also fixed stability issues, in which the delegated target files didn't lose their prefix.
Add missing comments for three of the arguments in generate_snapshot_metadata()'s docstring.
Expand docstring comment in non-public function and mention that temporary metadata is generated to a temporary location.
Minor cosmetic changes.
Update the expected use of the repository_tool.py module and list the modules that may be used in TUF integrations, which the repository tool does not handle.
Rewrite the sentence that mentions the integration tools so that it does not appear to be out of context.
load_project(path) now loads a project's metadata and builds the corresponding object. Methods to save supporting metadata in the project.cfg file were also refined.
Update the remaining unit tests following the many design changes. The unit tests should next be factored to use repository_tool.py, avoid pseudo repositories and repository objects, monkey patching, etc.