tuftool is a Rust command-line utility for generating and signing TUF repositories.

Make sure you have the following dependencies present on your system before installing tuftool: `libssl-dev` on Ubuntu or `openssl-devel` on Fedora.

To install the latest version of tuftool:

```sh
cargo install --force tuftool
```

By default, cargo installs binaries to `~/.cargo/bin`, so you will need this in your path. See the cargo book for more about installing Rust binary crates.
The following is an example of how you can create and download a TUF repository using tuftool.

First, create a working directory:

```sh
export WRK="${HOME}/tuftool-example"
mkdir -p "${WRK}"
```
For production you may want to use a service like AWS KMS, but for this example we will create keys locally as files:
```sh
mkdir "${WRK}/root"
export ROOT="${WRK}/root/root.json"
mkdir "${WRK}/keys"
tuftool root init "${ROOT}"
tuftool root expire "${ROOT}" 'in 6 weeks'
tuftool root set-threshold "${ROOT}" root 1
tuftool root set-threshold "${ROOT}" snapshot 1
tuftool root set-threshold "${ROOT}" targets 1
tuftool root set-threshold "${ROOT}" timestamp 1
tuftool root gen-rsa-key "${ROOT}" "${WRK}/keys/root.pem" --role root
tuftool root add-key "${ROOT}" -k "${WRK}/keys/root.pem" --role snapshot
tuftool root add-key "${ROOT}" -k "${WRK}/keys/root.pem" --role targets
tuftool root add-key "${ROOT}" -k "${WRK}/keys/root.pem" --role timestamp
tuftool root sign "${ROOT}" -k "${WRK}/keys/root.pem"
```
Now that we have a `root.json` file, we can create and sign a TUF repository.
```sh
mkdir -p "${WRK}/input"
echo "1" > "${WRK}/input/1.txt"
echo "2" > "${WRK}/input/2.txt"
tuftool create \
  --root "${ROOT}" \
  --key "${WRK}/keys/root.pem" \
  --add-targets "${WRK}/input" \
  --targets-expires 'in 3 weeks' \
  --targets-version 1 \
  --snapshot-expires 'in 3 weeks' \
  --snapshot-version 1 \
  --timestamp-expires 'in 1 week' \
  --timestamp-version 1 \
  --outdir "${WRK}/tuf-repo"
ls "${WRK}/tuf-repo/metadata"
ls "${WRK}/tuf-repo/targets"
echo "1.1" > "${WRK}/input/1.txt"
tuftool update \
  --root "${ROOT}" \
  --key "${WRK}/keys/root.pem" \
  --add-targets "${WRK}/input" \
  --targets-expires 'in 3 weeks' \
  --targets-version 2 \
  --snapshot-expires 'in 3 weeks' \
  --snapshot-version 2 \
  --timestamp-expires 'in 1 week' \
  --timestamp-version 2 \
  --outdir "${WRK}/tuf-repo" \
  --metadata-url "file://${WRK}/tuf-repo/metadata"
```
Now that we have created the TUF repo, we can inspect it using the `download` command. The `download` command is usually used to fetch a remote repo over an HTTP/S URL, but for this example we will use a file-based URL to download from the local repo.
```sh
tuftool download \
  --root "${ROOT}" \
  -t "file://${WRK}/tuf-repo/targets" \
  -m "file://${WRK}/tuf-repo/metadata" \
  "${WRK}/tuf-download"
```
tuftool respects the `HTTPS_PROXY` and `NO_PROXY` environment variables.
Unit tests are run in the usual manner: `cargo test`.

Integration tests require working AWS credentials and are disabled by default behind a feature named `integ`.

To run all tests, including integration tests: `cargo test --features 'integ'`, or `AWS_PROFILE=test-profile cargo test --features 'integ'` with a specific profile.