Targets class

class Targets(version=None, spec_version=None, expires=None, targets=None, delegations=None, unrecognized_fields=None)

A container for the signed part of targets metadata.

Targets contains verifying information about target files and also delegates responsibility to other Targets roles.

All parameters named below are not just constructor arguments but also instance attributes.

Parameters:
  • version (int | None) – Metadata version number. Default is 1.

  • spec_version (str | None) – Supported TUF specification version. Default is the version currently supported by the library.

  • expires (datetime | None) – Metadata expiry date. Default is current date and time.

  • targets (Dict[str, TargetFile] | None) – Dictionary of target filenames to TargetFiles. Default is an empty dictionary.

  • delegations (Delegations | None) – Defines how this Targets delegates responsibility to other Targets Metadata files. Default is None.

  • unrecognized_fields (Dict[str, Any] | None) – Dictionary of all attributes that are not managed by the TUF Metadata API.

Raises:

ValueError – Invalid arguments.

add_key(key, role=None)

Add new signing key for delegated role role.

If succinct_roles is used then the role argument is not required.

Parameters:
  • key (Key) – Signing key to be added for role.

  • role (str | None) – Name of the role, for which key is added.

Raises:

ValueError – If the argument order is wrong or if there are no delegated roles or if role is not delegated by this Target.

Return type:

None

property expires: datetime

Get the metadata expiry date.

get_delegated_role(delegated_role)

Return the role object for the given delegated role.

Raises ValueError if delegated_role is not actually delegated.

Parameters:

delegated_role (str) –

Return type:

Role

get_key(keyid)

Return the key object for the given keyid.

Raises ValueError if key is not found.

Parameters:

keyid (str) –

Return type:

Key

get_verification_result(delegated_role, payload, signatures)

Return signature threshold verification result for delegated role.

NOTE: Unlike verify_delegate(), this method does not raise if the role metadata is not fully verified.

Parameters:
  • delegated_role (str) – Name of the delegated role to verify

  • payload (bytes) – Signed payload bytes for the delegated role

  • signatures (Dict[str, Signature]) – Signatures over payload bytes

Raises:

ValueError – no delegation was found for delegated_role.

Return type:

VerificationResult

is_expired(reference_time=None)

Check metadata expiration against a reference time.

Parameters:

reference_time (datetime | None) – Time to check expiration date against. A naive datetime in UTC expected. Default is current UTC date and time.

Returns:

True if expiration time is less than the reference time.

Return type:

bool

revoke_key(keyid, role=None)

Revokes key from delegated role role and updates the delegations key store.

If succinct_roles is used then the role argument is not required.

Parameters:
  • keyid (str) – Identifier of the key to be removed for role.

  • role (str | None) – Name of the role, for which a signing key is removed.

Raises:

ValueError – If there are no delegated roles or if role is not delegated by this Target or if key is not used by role or if key with id keyid is not used by succinct roles.

Return type:

None

verify_delegate(delegated_role, payload, signatures)

Verify signature threshold for delegated role.

Verify that there are enough valid signatures over payload, to meet the threshold of keys for delegated_role, as defined by the delegator (self).

Parameters:
  • delegated_role (str) – Name of the delegated role to verify

  • payload (bytes) – Signed payload bytes for the delegated role

  • signatures (Dict[str, Signature]) – Signatures over payload bytes

Raises:
  • UnsignedMetadataError – delegated_role was not signed with required threshold of keys for role_name.

  • ValueError – no delegation was found for delegated_role.

Return type:

None