Metadata API

The low-level Metadata API.

The low-level Metadata API in tuf.api.metadata module contains:

  • Safe de/serialization of metadata to and from files.

  • Access to and modification of signed metadata content.

  • Signing metadata and verifying signatures.

Metadata API implements functionality at the metadata file level, it does not provide TUF repository or client functionality on its own (but can be used to implement them).

The API design is based on the file format defined in the TUF specification and the object attributes generally follow the JSON format used in the specification.

The above principle means that a Metadata object represents a single metadata file, and has a signed attribute that is an instance of one of the four top level signed classes (Root, Timestamp, Snapshot and Targets). To make Python type annotations useful Metadata can be type constrained: e.g. the signed attribute of Metadata[Root] is known to be Root.

Currently Metadata API supports JSON as the file format.

A basic example of repository implementation using the Metadata is available in examples/repo_example.