Installation ------------ *pip* is the recommended installer. The project can be installed either locally or from the Python Package Index. All `TUF releases `_ are cryptographically signed, with GPG signatures available on both GitHub and `PyPI `_. PGP key information for our maintainers is available on our `website `_, on major keyservers, and on the `maintainers page `_. The latest release and its packaging information, such as who signed the release and their PGP fingerprint, can also be found on our 1-year `roadmap `_. Assuming you trust the maintainer's PGP key, the detached ASC signature can be downloaded and verified. For example: :: $ gpg --verify securesystemslib-0.10.8.tar.gz.asc gpg: assuming signed data in 'securesystemslib-0.10.8.tar.gz' gpg: Signature made Wed Nov 8 15:21:47 2017 EST gpg: using RSA key 3E87BB339378BC7B3DD0E5B25DEE9B97B0E2289A gpg: Good signature from "Vladimir Diaz (Vlad) " [ultimate] Installation instructions: :: pip - installing and managing Python packages (recommended) Installing from Python Package Index (https://pypi.python.org/pypi). Note: Please use "pip install --no-use-wheel tuf" if your version of pip <= 1.5.6 $ pip install tuf Installing from local source archive. $ pip install Or from the root directory of the unpacked archive. $ pip install .