Root class
- class Root(version=None, spec_version=None, expires=None, keys=None, roles=None, consistent_snapshot=True, unrecognized_fields=None)
A container for the signed part of root metadata.
Parameters listed below are also instance attributes.
- Parameters:
version (int | None) – Metadata version number. Default is 1.
spec_version (str | None) – Supported TUF specification version. Default is the version currently supported by the library.
expires (datetime | None) – Metadata expiry date. Default is current date and time.
keys (dict[str, Key] | None) – Dictionary of keyids to Keys. Defines the keys used in roles. Default is empty dictionary.
roles (dict[str, Role] | None) – Dictionary of role names to Roles. Defines which keys are required to sign the metadata for a specific role. Default is a dictionary of top level roles without keys and threshold of 1.
consistent_snapshot (bool | None) – True if repository supports consistent snapshots. Default is True.
unrecognized_fields (dict[str, Any] | None) – Dictionary of all attributes that are not managed by TUF Metadata API
- Raises:
ValueError – Invalid arguments.
- add_key(key, role)
Add new signing key for delegated role role.
- Parameters:
key (Key) – Signing key to be added for role.
role (str) – Name of the role, for which key is added.
- Raises:
ValueError – If the argument order is wrong or if role doesn’t exist.
- Return type:
None
- property expires: datetime
Get the metadata expiry date.
- get_delegated_role(delegated_role)
Return the role object for the given delegated role.
Raises ValueError if delegated_role is not actually delegated.
- Parameters:
delegated_role (str)
- Return type:
- get_key(keyid)
Return the key object for the given keyid.
Raises ValueError if key is not found.
- Parameters:
keyid (str)
- Return type:
- get_root_verification_result(previous, payload, signatures)
Return signature threshold verification result for two root roles.
Verify root metadata with two roles (self and optionally previous).
If the repository has no root role versions yet, previous can be left None. In all other cases, previous must be the previous version of the Root.
NOTE: Unlike verify_delegate() this method does not raise, if the root metadata is not fully verified.
- Parameters:
previous (Root | None) – The previous Root to verify payload with, or None
payload (bytes) – Signed payload bytes for root
signatures (dict[str, Signature]) – Signatures over payload bytes
- Raises:
ValueError – no delegation was found for root or given Root versions are not sequential.
- Return type:
RootVerificationResult
- get_verification_result(delegated_role, payload, signatures)
Return signature threshold verification result for delegated role.
NOTE: Unlike verify_delegate() this method does not raise, if the role metadata is not fully verified.
- Parameters:
delegated_role (str) – Name of the delegated role to verify
payload (bytes) – Signed payload bytes for the delegated role
signatures (dict[str, Signature]) – Signatures over payload bytes
- Raises:
ValueError – no delegation was found for delegated_role.
- Return type:
VerificationResult
- is_expired(reference_time=None)
Check metadata expiration against a reference time.
- Parameters:
reference_time (datetime | None) – Time to check expiration date against. A naive datetime in UTC expected. Default is current UTC date and time.
- Returns:
True if expiration time is less than the reference time.
- Return type:
bool
- revoke_key(keyid, role)
Revoke key from role and updates the key store.
- Parameters:
keyid (str) – Identifier of the key to be removed for role.
role (str) – Name of the role, for which a signing key is removed.
- Raises:
ValueError – If role doesn’t exist or if role doesn’t include the key.
- Return type:
None
- verify_delegate(delegated_role, payload, signatures)
Verify signature threshold for delegated role.
Verify that there are enough valid signatures over payload, to meet the threshold of keys for delegated_role, as defined by the delegator (self).
- Parameters:
delegated_role (str) – Name of the delegated role to verify
payload (bytes) – Signed payload bytes for the delegated role
signatures (dict[str, Signature]) – Signatures over payload bytes
- Raises:
UnsignedMetadataError – delegated_role was not signed with required threshold of keys for role_name.
ValueError – no delegation was found for delegated_role.
- Return type:
None