Skip to main content

Implementation of archival authentication

Project description

TAF (The Archive Framework)

TAF is a framework that aims to provide archival authentication and ensure that Git repositories can be securely cloned/updated. TAF's implementation strongly relies on The Update Framework (TUF), which helps developers maintain the security of a software update system. It provides a flexible framework and specification that developers can integrate into any software update system. TAF integrates Git with TUF:

  • TUF targets were modified to authenticate Git commits instead of individual files. This reduces the metadata size and simplifies authentication.
  • The TUF metadata repository storage utilizes Git. That means TUF metadata files are stored in a Git repository, which is referred to as an authentication repository.

When a TAF authentication repository is cloned, all target repositories are also cloned, and TUF validation is performed against every commit since the repository's inception. When a TAF repository is updated, data is fetched from upstream and each commit is authenticated. A TAF clone/update differs from a standard Git clone/fetch in that remote commits aren't added to the local Git repositories until they've been fully authenticated locally. TAF can be used to secure any git repository, regardless of its content.

Threats

A git repository can be compromised in several ways:

  • An attacker might hack a user's account on a code hosting platform, like GitHub or GitLab.
  • An attacker might compromise the hosting platform itself.
  • An attacker might gain access to a developer's personal computer.

Such an attacker could then:

  • Upload a new GPG key to GitHub.
  • Push new commits to any repository.
  • Add another authorized user with write access.
  • Unprotect the master branch of any repository and force-push to it.

TAF's primary objective is not to prevent the attacks listed above but rather to detect when an attack has occurred and halt an update if necessary. Thus, TAF should be used instead of directly calling git pull and git clone.

Further reading

  1. UELMA whitepaper
  2. TAF implementation and integration with TUF

Installation Steps

From PyPI

pip install taf

From source:

pip install -e .

Install extra dependencies when using Yubikey:

pip install taf[yubikey]

Add bash completion:

  1. copy taf-complete.sh to user's directory
  2. add source ./taf-complete.sh to ~/.bash_profile or ~/.bashrc
  3. source ~/.bash_profile

Development Setup

We are using pre-commit to run black code formatter, flake8 and bandit code quality checks, as well as Mypy static type checker.

pip install -e .[dev]
pip install -e .[test]

pre-commit install # registers git pre-commit hook

pre-commit run --all-files # runs code formatting and quality checks for all files

NOTE: For Windows users: Open settings.json and replace paths.

Running Tests

To run tests with mocked Yubikey:

pytest

To run tests with real Yubikey:

  1. Insert test Yubikey
  2. Run taf setup_test_key WARNING: This command will import targets private key to signature slot of your Yubikey, as well as new self-signed x509 certificate!
  3. Run REAL_YK=True pytest or set REAL_YK=True pytest depending on platform.

Installing Wheels on Windows and MacOS

The newer versions of TAF do not require additional setup, and there are no platform-specific wheels needed. However, older versions required certain platform-specific DLLs, which the CI would copy to taf/libs before building a wheel. Therefore, it's important to install the appropriate platform-specific wheel if you're using an older version.

Installing Wheels on Ubuntu

  • Install dependencies
sudo add-apt-repository ppa:jonathonf/python-3.10
sudo apt-get update
sudo apt-get install python3.10
sudo apt-get install python3.10-venv
sudo apt-get install python3.10-dev
sudo apt-get install swig
sudo apt-get install libpcsclite-dev
sudo apt-get install libssl-dev
sudo apt-get install libykpers-1-dev
  • Create virtual environment
python3.10 -m venv env
pip install --upgrade pip
pip install wheel
pip install taf
  • Test CLI
taf

Acknowledgements

This project was made possible in part by the Institute of Museum and Library Services (LG-246285-OLS-20)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

taf-0.32.3.tar.gz (146.6 kB view details)

Uploaded Source

Built Distribution

taf-0.32.3-py3-none-any.whl (238.1 kB view details)

Uploaded Python 3

File details

Details for the file taf-0.32.3.tar.gz.

File metadata

  • Download URL: taf-0.32.3.tar.gz
  • Upload date:
  • Size: 146.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.11.2 readme-renderer/43.0 requests/2.32.3 requests-toolbelt/1.0.0 urllib3/2.2.3 tqdm/4.67.0 importlib-metadata/8.5.0 keyring/23.13.1 rfc3986/2.0.0 colorama/0.4.6 CPython/3.8.18

File hashes

Hashes for taf-0.32.3.tar.gz
Algorithm Hash digest
SHA256 c0c355cd13b8edba6f696ee7098552c0b55025ddb09877fcc7f66a93bd8c0c12
MD5 4b826a48899af5dd60c830c0ef45b82f
BLAKE2b-256 7142294fddcd4b626dec6a96b4cee0bd52f1843290d669eba7e76737b540d4b2

See more details on using hashes here.

File details

Details for the file taf-0.32.3-py3-none-any.whl.

File metadata

  • Download URL: taf-0.32.3-py3-none-any.whl
  • Upload date:
  • Size: 238.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.11.2 readme-renderer/43.0 requests/2.32.3 requests-toolbelt/1.0.0 urllib3/2.2.3 tqdm/4.67.0 importlib-metadata/8.5.0 keyring/23.13.1 rfc3986/2.0.0 colorama/0.4.6 CPython/3.8.18

File hashes

Hashes for taf-0.32.3-py3-none-any.whl
Algorithm Hash digest
SHA256 bd9f757dc5c6c94083e0f2747c76330b68b55d865665f0caf1bac74e5b44af31
MD5 4d66bfb491a1cacb7def9c5b174b3374
BLAKE2b-256 9bae1bb03732a1aa6e99e43e50a7ebb942eab4dc234518582bd0a2abb4b90aee

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page