TUF client CLI written in Go based on the rdimitrov/go-tuf-metadata library.
tuf-client is a command-line interface (CLI) tool designed to interact with repositories following The Update Framework (TUF) specifications. Built using Go and based on the rdimitrov/go-tuf-metadata library, it provides a robust solution for securely managing software updates and verifying metadata integrity.
Key Features:
Initialization: Use tuf-client init to set up the client by providing trusted root metadata or downloading it directly from a specified repository.
Target Retrieval: The tuf-client get command allows users to download target files securely, ensuring all downloaded content is verified against signed metadata.
Environment Management: The tuf-client reset command provides a way to clear local data, helping maintain the integrity of future operations.
Audience & Benefit:
Ideal for developers and DevOps engineers working on secure software updates or supply chain security, tuf-client ensures that all interactions with TUF repositories are secure and compliant. It simplifies the process of verifying metadata and downloading files, reducing the risk of tampered content in critical infrastructure. By leveraging this tool, users can enhance their system's resilience against malicious attacks while adhering to best practices for software supply chain security.
Installable via winget, tuf-client offers a straightforward way to integrate TUF compliance into your workflow without compromising on security or ease of use.
README
tuf-client CLI
Notice
This repository will be deprecated in favour of https://github.com/kairoaraujo/tufie.
Tufie has the same functionality and extends it with support for config files, repository contexts, and more.
Installation
Download the latest release from the releases page and install it.
For homebrew users, you can install it via:
brew install rdimitrov/tap/tuf-client
Overview
tuf-client is a CLI tool that implements the client workflow specified by The Update Framework (TUF) specification.
The tuf-client can be used to query for available targets and to download them in a secure manner.
All downloaded files are verified against signed metadata.
The CLI provides three commands:
tuf-client init - Initialize the client with trusted root.json metadata
tuf-client get - Download a target file
tuf-client reset - Resets the local environment. Warning: this deletes both the metadata and download folders and all of their contents
All commands except reset require the URL of the TUF repository, passed as a flag via --url/-u.
Run tuf-client help from the command line to get more detailed usage information.
# Initialize by providing a root.json
#
# Usage: tuf-client init --url -f root.json
#
$ tuf-client init --url https://jku.github.io/tuf-demo/metadata -f root.json
# Initialize without providing a root.json
#
# Usage: tuf-client init --url
#
$ tuf-client init --url https://jku.github.io/tuf-demo/metadata
# Get a target
#
# Usage: tuf-client get --url
#
$ tuf-client get --url https://jku.github.io/tuf-demo/metadata demo/succinctly-delegated-5.txt
# Get a target by providing a URL of where target files are located
#
# Usage: tuf-client get --url -t
#
# Use --nonprefixed for non-prefixed target files
#
$ tuf-client get --url https://jku.github.io/tuf-demo/metadata --turl https://jku.github.io/tuf-demo/targets --nonprefixed demo/succinctly-delegated-5.txt
# Reset your local environment
$ tuf-client reset
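As an added example, not part of the tuf-client project or its README: a POSIX shell wrapper around the init/get workflow above that refuses to run `tuf-client init -f` unless the supplied root.json matches a SHA-256 digest obtained out of band (from the repository maintainers, a signed release note, or another channel independent of the metadata server). The function names, the constructed demo root file and the digest argument are this example's own assumptions; only the `tuf-client init --url ... -f` and `tuf-client get --url ...` invocations come from the README.

```shell
#!/bin/sh
# Added example, not tuf-client's own code: pin the trusted root before
# handing it to `tuf-client init -f`. The expected digest is assumed to come
# from a channel independent of the metadata server.

set -eu

# file_sha256 FILE -> hex SHA-256 of FILE. Uses sha256sum or, failing that, shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_root_digest FILE EXPECTED_HEX -> exit 0 if FILE matches, 1 otherwise.
# The expected value is lower-cased so upper-case hex from a release note also matches.
verify_root_digest() {
    root="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$root")
    [ "$actual" = "$expected" ]
}

# make_demo_root -> path to a constructed stand-in for root.json.
# Only its bytes matter for the digest check; it is NOT valid TUF metadata.
make_demo_root() {
    dir=$(mktemp -d)
    printf '{"signed":{"_type":"root"}}\n' > "$dir/root.json"
    printf '%s' "$dir/root.json"
}

# tuf_bootstrap ROOT_FILE EXPECTED_HEX REPO_METADATA_URL TARGET_NAME
# Verify the root against the pinned digest, then run the README's init and get steps.
tuf_bootstrap() {
    root="$1"; expected="$2"; url="$3"; target="$4"
    if ! verify_root_digest "$root" "$expected"; then
        echo "refusing to trust $root: digest mismatch" >&2
        return 1
    fi
    tuf-client init --url "$url" -f "$root"
    tuf-client get --url "$url" "$target"
}

# Only run the full bootstrap when invoked with all four arguments.
if [ "$#" -ge 4 ]; then
    tuf_bootstrap "$@"
fi
```

Run it as `sh bootstrap.sh root.json <sha256-hex> https://jku.github.io/tuf-demo/metadata demo/succinctly-delegated-5.txt`. Initializing without `-f` (the second init form above) lets the client fetch its first root from the same server that serves the rest of the metadata, so a server compromised at first contact can hand out a root of its own choosing; pinning a digest obtained elsewhere is what gives the signature checks on every later download a trust anchor.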
SLSA Level 3 Provenance
The CLI provides SLSA Level 3 provenance by generating a non-forgeable attestation over the artifacts' digests using the identity of the GitHub workflow.