Instructions for contributors

Contribute to python-tuf by submitting pull requests against the “develop” branch of this repository. Detailed instructions are available in our development guidelines. All submitted code should follow our style guidelines and must be unit tested.


Contributors must indicate acceptance of the Developer Certificate of Origin by appending a Signed-off-by: Your Name <> to each git commit message (see git commit –signoff).


With tox the whole test suite can be executed in a separate virtual environment for each supported Python version available on the system. tuf and its dependencies are installed automatically for each tox run.

$ tox

Below, you will see more details about each step managed by tox, in case you need debug/run outside tox.

Unit tests

More specifically, the Update Framework’s test suite can be executed by invoking the test aggregation script inside the tests subdirectory. tuf and its dependencies must already be installed.

$ cd tests/
$ python3

Individual tests can also be executed. Optional -v flags can be added to increase log level up to DEBUG (-vvvv).

$ cd tests/
$ python3 -v


To run the tests and measure their code coverage, the aggregation script can be invoked with the coverage tool (requires installation of coverage, e.g. via PyPI).

$ cd tests/
$ coverage run && coverage report


The linter in CI/CD will check that new TUF code is formatted with ruff. Auto-formatting can be done on the command line:

$ tox -e fix