This change verifies that when local metadata has expired, it is
still used to verify new metadata that's pulled from remote
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
This tests that an expired timestamp/snapshot/targets when loaded
from cache is not stored as final but is used to verify the new
timestamp
Fixes#1681
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
This test covers `targetinfo`, `target_path`, `target_base_url`,
`metadata_dir` and `filepath` input validation of the `Updater`
methods
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
Change to @lukpueh proposal with more clarification on why and how
the `securesystemslib.signer.Signer` interface is used
Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
This change updates some parts of the Metadata API docstrings
that did not give enough details and context
Fixes#1600
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
Fix the directory ignore patterns to ignore the entire directories,
including child directories.
https://git-scm.com/docs/gitignore#_pattern_format
Co-authored-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
Setting upper bound version constraints in libraries is a source of
problems for users of those libraries, see:
https://iscinumpy.dev/post/bound-version-constraints/
The intent of the python-tuf version constraint is to ensure we're
using a version of Python which supports all the features we rely
on, this is a better fit for a lower limit.
Suggested-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
Enable tox isolated environments to perform build operations in a virtual
environment.
See https://tox.wiki/en/latest/config.html#conf-isolated_build
Co-Authored-By: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
The version is no longer duplicated in setup.cfg (since 5155ba74), so remove
redundant TODO suggesting folks update in two places.
Co-authored-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
* version number is single sourced now
* Mention that using pip against test.pypi.org is unsafe
* Fix some filenames in the examples
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
As of setuptools 46.4.0, one can accomplish single source version
number with
version = attr: package.__version__
in setup.cfg: As long as setuptools simplified AST parser is able to
read the file, this works without actually importing anything.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
After we have dropped OrderedDict in e3b267e2e0
we are relying on python3.7+ default behavior to preserve the insertion
order, but there is one caveat.
When comparing dictionaries the order is still irrelevant compared to
OrderedDict. For example:
>>> OrderedDict([(1,1), (2,2)]) == OrderedDict([(2,2), (1,1)])
False
>>> dict([(1,1), (2,2)]) == dict([(2,2), (1,1)])
True
There are two special attributes, defined in the specification, where
the order makes a difference when comparing two objects:
- Metadata.signatures
- Targets.delegations.roles.
We want to make sure that the order in those two cases makes a
difference when comparing two objects and that's why those changes
are required inside two __eq__ implementations.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Test the "__eq__" implementation for all classes defined in
tuf/api/metadata.py
The tests are many but simple. The idea is to test each of the metadata
classes one by one and with this to make sure there are no possible
cases missed.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
By adding __eq__ we can compare that two objects are equal.
That will be useful when adding validation API call.
One bug I have found during testing is that I don't check if the type
of "other" in the __eq__ implementations are the expected ones.
I assumed that when comparing "root == obj" if "obj" is None that
automatically the result will be false.
Later after a mypy warning, I realized we should implement the __eq__
methods to accept "Any" type as other and we should check manually
that "other" is the expected type.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Minima theme by default adds all files in blog root (docs/) as links in
the header. This looks ridiculous in our case: let's just have a link to
blog front page.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Add config for GitHub Pages so that we can use it as a project blog.
* _config.yml is jekyll configuration
* index.md contains description and title for the blog main page.
* Any files matching "_posts/YYYY-MM-DD-TITLE.md" are considered posts
The Github Pages configuration only allows "/" or "/docs/" as the Jekyll
root directory: The clutter in docs/ is annoying but otherwise this is a
very easy setup.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
We don't want to error out from the whole verify_delegate() process if
e.g. a single key fails to load but we do want to provide details for
debugging in the unexpected failure cases.
This means "example_client -vv download file1.txt" fails like this:
Found trusted root in /home/jku/.local/share/python-tuf-client-example
INFO:tuf.api.metadata:Key
4e777de0d275f9d28588dd9a1606cc748e548f9e22b6795b7cb3f63f98035fcb failed
to verify sig: Failed to load PEM key bogus-key-content-here
INFO:tuf.api.metadata:Key 4e777de0d275f9d28588dd9a1606cc748e548f9e22b6795b7cb3f63f98035fcb failed to verify root
Failed to download target x: root was signed by 0/1 keys
Fixes#1875
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Metadata API defines a specification version it supports already,
and that one is updated to the actual specification version we
produce.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Change docs in preparation of close v1.0.0 release.
- Remove important notice about upcoming 1.0.0 release from README
- Reword 1.0.0-ANNOUNCEMENT.md to not sound outdated after release
Co-authored-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Add optional task to maintainer permission review reminder
checklist that suggests to also update the list of significant
contributors in README.md#acknowledgements.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Update README.md#Acknowledgements
- Reword to acknowledge maintainer contributions as well
- Remove names that are mentioned in maintainers document
- Remove duplicate Konstantin Andrianov
Santiago Torres-Arias, Sebastien Awwad, Trishank Kuppusamy,
Vladimir Diaz)
- Add new significant contributors
(Ivana Atanasova, Kairo de Araujo, Martin Vrachev)
Remove unmaintained AUTHORS.txt, which lists many individuals and
organisations that are/were not affiliated with 'python-tuf', but
other projects in the TUF ecosystem (Thandy, Notary, etc.) and
thus is not suited for this repository.
-> theupdateframework.io#38
Caveats:
- Significant contributors means top ~20 committers sorted by
commit count (`git shortlog -s`).
- The Acknowledgements section might miss significant contributors,
if they contributed by other means than git commits in this repo.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The big change is runtime update from nodejs 12 to nodejs 16: does not
seem to affect us.
Dependabot got confused so this update is done manually to v6.0.0
release commit:
https://github.com/actions/github-script/releases/tag/v6.0.0
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
- Add generic opening sentence that says what TUF actually does.
- Add link to #tuf channel on CNCF slack to contact section
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Configures tox to use a pinned requirements file for deterministic
CI builds, i.e. our CI shouldn't start failing because of an
incompatible upstream release of any of our testing tools:
NOTE: pinned tuf runtime requirements were already were already
used for test builds before (included via `-r
requirements-pinned.txt` in 'requirements-test.txt'). Now they are
explicitly listed in 'requirements-test-pinnned.txt'.
'requirements-test-pinnned.txt' was generated semi-automatically by
running pip-compile over 'requirements-test.txt' for each
supported/tested Python version (see snippet below) and manually
merging the resulting per-Python version requirements files into
one, adding environment markers as needed.
```
for ver in 3.7.12 3.8.12 3.9.9 3.10.0; do
pyenv virtualenv ${ver} tuf-env-${ver}
pyenv activate tuf-env-${ver}
python3 -m pip install -U pip pip-tools
pip-compile --no-header --annotation-style line \
-o requirements-test-pinned-${ver}.txt \
requirements-test.txt
pyenv deactivate
pyenv uninstall -f tuf-env-${ver}
done
```
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>