Merge branch 'master' into ethan.lowman/sorted-signatures

Author: ethan-lowman-dd

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+- package-ecosystem: "gomod"
+  directory: "/"
+  schedule:
+    interval: "daily"
+  open-pull-requests-limit: 10

.github/workflows/build.yml

@@ -4,7 +4,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.13.x, 1.14.x, 1.15.x]
+        go-version: [1.15.x, 1.16.x, 1.17.x]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:

.gitignore

@@ -1 +1,3 @@
 .DS_Store
+cmd/tuf/tuf
+cmd/tuf-client/tuf-client

README.md

@@ -9,7 +9,7 @@ a framework for securing software update systems.
 
 A TUF repository has the following directory layout:
 
-```
+```bash
 .
 ├── keys
 ├── repository
@@ -21,9 +21,9 @@ A TUF repository has the following directory layout:
 The directories contain the following files:
 
 - `keys/` - signing keys (optionally encrypted) with filename pattern `ROLE.json`
-- `repository/` - signed manifests
+- `repository/` - signed metadata files
 - `repository/targets/` - hashed target files
-- `staged/` - either signed, unsigned or partially signed manifests
+- `staged/` - either signed, unsigned or partially signed metadata files
 - `staged/targets/` - unhashed target files
 
 ## CLI
@@ -32,7 +32,7 @@ The directories contain the following files:
 
 ### Install
 
-```
+```bash
 go get github.com/theupdateframework/go-tuf/cmd/tuf
 ```
 
@@ -52,61 +52,76 @@ initialized to do so when generating keys.
 Prompts the user for an encryption passphrase (unless the
 `--insecure-plaintext` flag is set), then generates a new signing key and
 writes it to the relevant key file in the `keys` directory. It also stages
-the addition of the new key to the `root` manifest.
+the addition of the new key to the `root` metadata file. Alternatively, passphrases
+can be set via environment variables in the form of `TUF_{{ROLE}}_PASSPHRASE`
 
-#### `tuf set-threshold <role> <threshold>`
+#### `tuf revoke-key [--expires=<days>] <role> <id>`
 
-Sets the `role` threshold, the required number of keys for signing, to
-`threshold`.
+Revoke a signing key
+
+The key will be removed from the root metadata file, but the key will remain in the
+"keys" directory if present.
 
 #### `tuf add [<path>...]`
 
 Hashes files in the `staged/targets` directory at the given path(s), then
-updates and stages the `targets` manifest. Specifying no paths hashes all
+updates and stages the `targets` metadata file. Specifying no paths hashes all
 files in the `staged/targets` directory.
 
 #### `tuf remove [<path>...]`
 
-Stages the removal of files with the given path(s) from the `targets` manifest
+Stages the removal of files with the given path(s) from the `targets` metadata file
 (they get removed from the filesystem when the change is committed). Specifying
-no paths removes all files from the `targets` manifest.
+no paths removes all files from the `targets` metadata file.
 
 #### `tuf snapshot [--expires=<days>]`
 
-Expects a staged, fully signed `targets` manifest and stages an appropriate
-`snapshot` manifest. Optionally one can set number of days after which
-the snapshot manifest will expire.
+Expects a staged, fully signed `targets` metadata file and stages an appropriate
+`snapshot` metadata file. Optionally one can set number of days after which
+the `snapshot` metadata will expire.
 
 #### `tuf timestamp`
 
-Stages an appropriate `timestamp` manifest. If a `snapshot` manifest is staged,
+Stages an appropriate `timestamp` metadata file. If a `snapshot` metadata file is staged,
 it must be fully signed.
 
-#### `tuf sign ROLE`
+#### `tuf sign <metadata>`
 
-Signs the given role's staged manifest with all keys present in the `keys`
+Signs the given role's staged metadata file with all keys present in the `keys`
 directory for that role.
 
 #### `tuf commit`
 
 Verifies that all staged changes contain the correct information and are signed
 to the correct threshold, then moves the staged files into the `repository`
 directory. It also removes any target files which are not in the `targets`
-manifest.
+metadata file.
 
 #### `tuf regenerate [--consistent-snapshot=false]`
 
-Recreates the `targets` manifest based on the files in `repository/targets`.
+Note: Not supported yet
+
+Recreates the `targets` metadata file based on the files in `repository/targets`.
 
 #### `tuf clean`
 
-Removes all staged manifests and targets.
+Removes all staged metadata files and targets.
 
 #### `tuf root-keys`
 
 Outputs a JSON serialized array of root keys to STDOUT. The resulting JSON
 should be distributed to clients for performing initial updates.
 
+#### `tuf set-threshold <role> <threshold>`
+
+Sets the `role` threshold, the required number of keys for signing, to
+`threshold`.
+
+#### Usage of environment variables
+
+The `tuf` CLI supports receiving passphrases via environment variables in
+the form of `TUF_{{ROLE}}_PASSPHRASE`
+
 For a list of supported commands, run `tuf help` from the command line.
 
 ### Examples
@@ -122,11 +137,11 @@ staged changes and signing on each machine in turn before finally committing.
 
 Some key IDs are truncated for illustrative purposes.
 
-#### Create signed root manifest
+#### Create signed root metadata file
 
 Generate a root key on the root box:
 
-```
+```bash
 $ tuf gen-key root
 Enter root keys passphrase:
 Repeat root keys passphrase:
@@ -145,7 +160,7 @@ $ tree .
 Copy `staged/root.json` from the root box to the repo box and generate targets,
 snapshot and timestamp keys:
 
-```
+```bash
 $ tree .
 .
 ├── keys
@@ -183,7 +198,7 @@ $ tree .
 
 Copy `staged/root.json` from the repo box back to the root box and sign it:
 
-```
+```bash
 $ tree .
 .
 ├── keys
@@ -198,14 +213,14 @@ Enter root keys passphrase:
 ```
 
 The staged `root.json` can now be copied back to the repo box ready to be
-committed alongside other manifests.
+committed alongside other metadata files.
 
 #### Add a target file
 
-Assuming a staged, signed `root` manifest and the file to add exists at
+Assuming a staged, signed `root` metadata file and the file to add exists at
 `staged/targets/foo/bar/baz.txt`:
 
-```
+```bash
 $ tree .
 .
 ├── keys
@@ -285,7 +300,7 @@ $ tree .
 
 Assuming the file to remove is at `repository/targets/foo/bar/baz.txt`:
 
-```
+```bash
 $ tree .
 .
 ├── keys
@@ -366,9 +381,9 @@ $ tree .
 └── staged
 ```
 
-#### Regenerate manifests based on targets tree
+#### Regenerate metadata files based on targets tree (Note: Not supported yet)
 
-```
+```bash
 $ tree .
 .
 ├── keys
@@ -455,7 +470,7 @@ $ tree .
 
 #### Update timestamp.json
 
-```
+```bash
 $ tree .
 .
 ├── keys