Root class

class Root(version=None, spec_version=None, expires=None, keys=None, roles=None, consistent_snapshot=True, unrecognized_fields=None)

A container for the signed part of root metadata.

Parameters listed below are also instance attributes.

  • version (Optional[int]) – Metadata version number. Default is 1.

  • spec_version (Optional[str]) – Supported TUF specification version. Default is the version currently supported by the library.

  • expires (Optional[datetime]) – Metadata expiry date. Default is current date and time.

  • keys (Optional[Dict[str, Key]]) – Dictionary of keyids to Keys. Defines the keys used in roles. Default is empty dictionary.

  • roles (Optional[Mapping[str, Role]]) – Dictionary of role names to Roles. Defines which keys are required to sign the metadata for a specific role. Default is a dictionary of top level roles without keys and threshold of 1.

  • consistent_snapshot (Optional[bool]) – True if repository supports consistent snapshots. Default is True.

  • unrecognized_fields (Optional[Dict[str, Any]]) – Dictionary of all attributes that are not managed by TUF Metadata API


ValueError – Invalid arguments.

add_key(key, role)

Adds new signing key for delegated role role.

  • key (Key) – Signing key to be added for role.

  • role (str) – Name of the role, for which key is added.


ValueError – If the argument order is wrong or if role doesn’t exist.

Return type


property expires: datetime

The metadata expiry date:

# Use 'datetime' module to e.g. expire in seven days from now
obj.expires = utcnow() + timedelta(days=7)

Checks metadata expiration against a reference time.


reference_time (Optional[datetime]) – Time to check expiration date against. A naive datetime in UTC expected. Default is current UTC date and time.


True if expiration time is less than the reference time.

Return type


revoke_key(keyid, role)

Revoke key from role and updates the key store.

  • keyid (str) – Identifier of the key to be removed for role.

  • role (str) – Name of the role, for which a signing key is removed.


ValueError – If role doesn’t exist or if role doesn’t include the key.

Return type