Implementation of archival authentication
Project description
TAF
TAF (The Archive Framework) is an implementation of archival authentication. In other words, TAF ensures that a git repository can be securely cloned/updated and authenticated. In our case, a git repository is a collection of thousands of XML documents and represents a Library of official legal material, but TAF can be used to secure any git repository, regardless of its content.
A git repository can be compromised in a number of ways:
- an attacker could hack a user's account on a code hosting platform, like GitHub or GitLab,
- an attacker could hack the hosting platform,
- an attacker could gain access to a developer's personal computer.
This attacker could then:
- upload a new GPG key to GitHub,
- push new commits to any repository,
- add another authorized user with write access,
- unprotected the master branch of any of the repositories and force push to it.
TAF's goal is not to prevent any of the attacks listed above from happening, but to detect that an attack took place and cancel an update if that is the case. So, TAF should be used instead of directly calling git pull
and git clone
.
TAF's implementation strongly relies on The Update Framework (TUF), which helps developers maintain the security of a software update system and provides a flexible framework and specification that developers can adopt into any software update system.
Further reading:
Installation Steps
From PyPI
pip install taf
From source:
pip install -e .
Install extra dependencies when using Yubikey:
pip install taf[yubikey]
Add bash completion:
- copy
taf-complete.sh
to user's directory - add
source ./taf-complete.sh
to~/.bash_profile
or~/.bashrc
- source
~/.bash_profile
Development Setup
We are using pre-commit to run black code formatter, flake8 and bandit code quality checks.
pip install -e .[dev]
pip install -e .[test]
pre-commit install # registers git pre-commit hook
pre-commit run --all-files # runs code formatting and quality checks for all files
NOTE: For Windows users: Open settings.json and replace paths.
Running Tests
To run tests with mocked Yubikey:
pytest
To run tests with real Yubikey:
- Insert test Yubikey
- Run
taf setup_test_key
WARNING: This command will import targets private key to signature slot of your Yubikey, as well as new self-signed x509 certificate! - Run
REAL_YK=True pytest
orset REAL_YK=True pytest
depending on platform.
Platform-specific Wheels
- Open https://dev.azure.com/openlawlibrary/TAF/_build
- Click on latest build
- Open Summary tab
- Under Build artifacts published, click on *wheels to download zip
More info in devops document.
Building Wheels on Ubuntu 16.04 and 18.04
Binary wheels exists only for macOS, windows-32bit and windows-64bit platforms for python 3.10!
- Install dependencies
sudo add-apt-repository ppa:jonathonf/python-3.10
sudo apt-get update
sudo apt-get install python3.10
sudo apt-get install python3.10-venv
sudo apt-get install python3.10-dev
sudo apt-get install swig
sudo apt-get install libpcsclite-dev
sudo apt-get install libssl-dev
sudo apt-get install libykpers-1-dev
- Create virtual environment
python3.6 -m venv env
pip install --upgrade pip
pip install wheel
pip install taf
- Test CLI
taf
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distributions
Hashes for taf-0.22.4-cp310-cp310-win_amd64.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | ea38d915f3214efe9c258a484a3ea3ba9b0115cdf3df5c1a198f1f88e89699ac |
|
MD5 | be8c01752247fe2502476ee7909b9bfb |
|
BLAKE2b-256 | 9398663cdf0305a032609f24fdca175c87b6eb961c5d4ef958c651dc5de7b784 |
Hashes for taf-0.22.4-cp310-cp310-win32.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 85bb50718dcba585f7ed2ef62aa5d2da43c8070fef100f04af29b24eaffbe45f |
|
MD5 | 591926031b764ac251f6f217d8680c7f |
|
BLAKE2b-256 | f0e08e1fcbe5523fe2176359e41f2f3ba1f728c8835590a0faa308ee235f8584 |
Hashes for taf-0.22.4-cp310-cp310-macosx_11_0_x86_64.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 232f40ef8b594e9558d25cff5ee20db93f2997eeebcf4ea49bdaf2b615881dcd |
|
MD5 | e432a280d5f82c03dc1f5374276324e0 |
|
BLAKE2b-256 | a85b956b20f354cb314c9ceb67c633a1079564e4def6b7bb199b05bc6eae2d67 |
Hashes for taf-0.22.4-cp39-cp39-win_amd64.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 5aaffe54bcd2f25090ca58e11c3d6238b243a59e90910b9e32ceab5b6832fb80 |
|
MD5 | 19c2ff2a772669ebee867860b019efc4 |
|
BLAKE2b-256 | b89a41c1b84834f4a253ea2e62f8f129efeddc61f0d0fb158ceb40bf75cbbf55 |
Hashes for taf-0.22.4-cp39-cp39-macosx_11_0_x86_64.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d021ec6eb70a056a5c544997b401e48611458e6a8acf1c0ed371c5740c0bbfdb |
|
MD5 | 41a82d93e19abd6fafc8a2a50cd4bc6c |
|
BLAKE2b-256 | ae845d27ab91506a818b4b8106b252171a6915244ff8a508a31ef6ef376a5cc0 |
Hashes for taf-0.22.4-cp38-cp38-win_amd64.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | e60db753107cca778930dadc5e510476ffd40e5b788cdd561c233c520be24be8 |
|
MD5 | 4dd34675fa36d48282dd2e6c553141ca |
|
BLAKE2b-256 | 8e87c39e508ee3d23d88dd5fd8ee022797fa71de405f9ae8e8f1e6a81f862941 |
Hashes for taf-0.22.4-cp38-cp38-macosx_11_0_x86_64.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 40acd73a6de1999accedf7cb1aacfee1c4bd039256d395d6713d0d9b0650c755 |
|
MD5 | dba20b88b9de08f95c1489d0dc813f39 |
|
BLAKE2b-256 | 4fa2c1afc2584221eb2213ee114fd75d276fddb0eb13e4b695cdf4fe6c77ddca |
Hashes for taf-0.22.4-cp37-cp37m-win_amd64.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d52d1797e36f032fcaff3a5c9dc4c6d2b4324c66aed4d941bf72d88b5c60a604 |
|
MD5 | 426006813c798ed7914eb5eae805b39c |
|
BLAKE2b-256 | 125d6d85eb374bc69e9ea39fb9cc1136eb70d8f1cb4150f6f4e8e0261e47f4c9 |
Hashes for taf-0.22.4-cp37-cp37m-macosx_11_0_x86_64.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 4e74b375ee5383985380bdd745e50d2a242ac1b45df6a2925b98a838ce99696a |
|
MD5 | 2e70c3fb1ce47d1fb4e58d522fb050c2 |
|
BLAKE2b-256 | 416f43dbdc9bd4a9b4660721f0d86675824fcf858821e39ee7fd0256a1f899e4 |