go-tuf

Go implementation of The Update Framework (TUF)

Results 98 go-tuf issues

One of the tests in file_store_tests.go:TestCreates is disabled only for Windows hosts: https://github.com/theupdateframework/go-tuf/blob/3890c1e7ace43d67622428187a85ba486c2528e5/client/file_store_test.go#L26-L33 This test was introduced in PR #397 and disabled for Windows because we could not root cause...

help wanted
good first issue
hacktoberfest

The key interface does not support error handling on the following points: `MarshalPublicKey()`, `Public()`, `PublicData()` https://github.com/theupdateframework/go-tuf/blob/ebbc6b8d12d861335a3fc6e7fd8c69a53acaa1e6/pkg/keys/keys.go#L33 In case someone creates a key without unmarshalling first, we should handle these errors.

hacktoberfest
code health

**Description** [AddOrUpdateSignature](https://github.com/theupdateframework/go-tuf/blob/61872a3ac6e6a475771c23bf1592a00c1773b3e7/repo.go#L793) does not handle adding signatures for keys that were revoked. This case needs to be handled so that the previous root keys can achieve a threshold number of...

hacktoberfest

`revoke-key` revokes a key, but leaves it in the `keys/` directory. It would be nice to have a separate command that removed the key, something like `tuf remove-key role keyid`.

good first issue
hacktoberfest

https://github.com/theupdateframework/go-tuf/pull/395#pullrequestreview-1117228873 We should move to a more maintained, but still lightweight CLI managing library. We want it to: * Be able to configure logging help messages and usage * Be...

good first issue
hacktoberfest

`repo.RemoveTargetsWithExpires` will remove a target from ALL delegated target metadata: there is no way to specify a certain targets or delegation role. This means that if a delegation had signed...

The only way to search for a target in a delegation is by knowing the target name ahead of time through `client.GetTarget(name string)`. If I want to perform a...

This is going to be multiple PRs for fuzzing. After this PR is merged, the goal is to get it integrated with https://github.com/google/oss-fuzz/ Release Notes: Included go 1.18 fuzzing. **Types...

It's not likely to be a large metadata file, but should we watch out for it? _Originally posted by @trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/357#discussion_r949673578_ See here: https://github.com/theupdateframework/go-tuf/blob/4febe4c81aa17b39a87c1bab1c6592b347ff4a56/pkg/keys/keys.go#L57 `SignMessage` takes in an arbitrary...

enhancement
good first issue

The only breaking changes are in `add_key` and `remove_key` (renamed to `revoke_key`), neither of which appear in the go-tuf repo. I think it's ok to upgrade. Probably better to do...

good first issue
dependencies
tests
code health