All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Implement removal and rotation of keys (561)
- Transition to the newest version of TUF (561)
- Run validation with --no-deps when pushing (579)
- Do not update last validated commit if pushing to a branch other than the default branch (577)
- Fix determining from which commit the update should start if the auth repo is in front of all target repos (577)
- Add tests for get_last_remote_commit and reset_to_commit (573)
- Remove unused optional parameter from _yk_piv_ctrl (572)
- Implement full partial update. Store last validated commit per repo (559)
- Change log level for repositoriesdb messages (569)
0.32.3 - 11/22/2024
- Fix get_last_remote_commit - add missing value for parameter (566)
0.32.2 - 11/20/2024
- Make url optional for get_last_remote_commit (564)
0.32.1 - 11/01/2024
- Fix two git methods where GitError was not being instantiated correctly (562)
- Fix determination of auth commits to be validated when starting the update from the beginning (562)
0.32.0 - 10/23/2024
- Fix specification of pygit2 version depending on the Python version (558)
- Fix validation and listing targets of an auth repo that does not contain mirrors.json (558)
0.31.2 - 10/16/2024
- Added a function for exporting keys-description.json (550)
- Added support for cloning a new dependency when adding it to dependencies.json if it is not on disk (550)
- Clean up authentication repository if an error occurs while running a cli command (550)
- Return a non-zero exit code with sys.exit when updater fails (550)
- Rework addition of a new role and target repositories. Use custom.json files (550)
- Minor conf init and detection of the authentication repository fixes (550)
- Replace info logging calls with notice in API functions (550)
- Use mirrors.json urls when cloning dependencies (551)
0.31.1 - 10/03/2024
- Fix load_repositories following a rework needed to support parallelization (547)
- Fix clone_from_disk (547)
- Fix pre-push hook (547)
0.31.0 - 09/28/2024
- Added lxml to taf pyinstaller to execute arbitrary python scripts (535)
- Added support for execution of executable files within the scripts directories (529)
- Added yubikey_present parameter to keys description (Can be specified when generating keys) (508)
- Removed 2048-bit key restriction (494)
- Allow for the displaying of varied levels of log and debug information based on the verbosity level (493)
- Added new tests to test out of sync repositories and manual updates (488, 504)
- Update when auth repo's top commit is behind last validated commit (490)
- Added lazy loading to CLI (481)
- Testing repositories with dependencies (479, 487)
- Hid plaintext when users are prompted to insert YubiKey and press ENTER (473)
- Added functionality for parallel execution of child repo during clone and update for performance enhancement (472)
- New flag --force allowing forced updates (471)
- Improved usability (TAF finds the repo if current directory has no repo, create a .taf directory to manage keys) (466)
- Added git hook check for updater (460)
- New flag --no-deps allowing users to only update the current repository and not update dependent repositories from dependencies.json (455, 463)
- New flag --no-targets allowing users to skip target repository validation when validating the authentication repo (455)
- New flag --no-upstream allowing users to skip upstream comparisons (455, 463)
- Addition of logic to tuples (steps) and the run function in updater_pipeline.py to determine which steps, if any, will be skipped based on the usage of the --no-targets flag (455)
- Added --bare tags for repository cloning and updating (459)
- Added workflow to build standalone executable of TAF (447)
- If in detached head state or an older branch, do not automatically checkout the newest one without force (543)
- Move validation of the last validated commit to the pipeline from the update handler (543)
- Default verbosity to 0 (NOTICE) level; add notice level update outcome logging (538)
- Raise a more descriptive error if pygit2 repository cannot be instantiated (485, 489)
- Enhanced commit_and_push for better error logging and update the last validated commit (469)
- Generate public key from private key if .pub file is missing (462)
- Port release workflow from Azure Pipelines to GitHub Actions (458)
- Remove platform-specific builds, do not package DLLs which are no longer necessary (458)
- Handle invalid last validated commit (543)
- Fixes to executing taf handler scripts from a pyinstaller executable (535)
- Fix persistent and transient NoneType error when running taf handlers (535)
- Fix update status when a target repo was updated and the auth repo was not (532)
- Fix merge-commit which wasn't updating the remote-tracking branch (532)
- Fix removal of additional local commits (532)
- Fix top-level authentication repository update to correctly update child auth repos (528)
- Fix setup role when specifying public keys in keys-description (511)
- check_if_repositories_clean error now returns a list of repositories which aren't clean, instead of a single repository (525)
- Use git remote show if symbolic-ref fails for default_branch (457)
- Add a command for adding delegated paths to a role (391)
- Check if metadata files at revision match those downloaded by TUF updater (389)
- Checking git repos existence and changing imprecise and undescriptive error messages accordingly
- Fix clone_or_pull (402)
- Move yubikey_utils module to include it in wheel (516)
0.30.2 - 08/20/2024
- New flag --no-deps allowing users to only update the current repository and not update dependent repositories from dependencies.json (455)
- New flag --no-targets allowing users to skip target repository validation when validating the authentication repo (455)
- New flag --no-upstream allowing users to skip upstream comparisons (455)
- Addition of logic to tuples (steps) and the run function in updater_pipeline.py to determine which steps, if any, will be skipped based on the usage of the --no-targets flag (455)
0.30.1 - 07/23/2024
- Add info.json data loading (476)
- Build: use correct sys.version_info comparison when installing pygit2 (470)
- Validate branch can be modified with check branch length function (470)
0.30.0 - 06/12/2024
- Support for Yubikey Manager 5.1.x (444)
- Support for Python 3.11 and 3.12 (440)
- Fix add_target_repo when signing role is the top-level targets role (431)
- New git hook that validates repo before push (423)
- New function taf repo status that prints the state of whole library (422)
- New function taf roles list that lists all roles in an authentication repository (421)
- Clone target repositories to temp (412, 418)
- Add architecture overview documentation (405)
- Add a command for adding delegated paths to a role (391)
- Check if metadata files at revision match those downloaded by TUF updater (389)
- Updater testing framework rework (453)
- Update pytest version (453)
- Drop support for Python 3.7 (453)
- Dropped support for Yubikey Manager 4.x (444)
- Only load the latest mirrors.json (441)
- Fix generation of keys when they should be printed to the command line (435)
- Made Updater faster through parallelization (434)
- Reimplemented get_file_details function to not rely on old securesystemslib functions (420)
- Check if repositories are clean before running the updater (416)
- Only show merging commits messages if actually merging commits. Rework logic for checking if commits should be merged (404, 415)
- Fix YubiKey setup (445)
- Fixes repeating error messages in taf repo create and manual entry of keys-description (432)
- When checking if branch is synced, find first remote that works, instead of only trying the last remote url (419)
- Disable check if metadata files at revision match (403)
- Fix clone_or_pull (402)
0.29.1 - 02/07/2024
- Add a test for updating a repository which references other authentication repositories. Test repositories are set up programmatically (386)
- Update find_first_branch_matching_pattern return - only return name of the found branch and not all branches whose name did not match the pattern (387)
- Validation of local repositories should not fail if there are no local branches (e.g. after a fresh clone) (387)
- Fix GitError exception instantiations (387)
- Fix a minor bug where update status was incorrectly being set in case when a repository with only one commit is cloned (386)
0.29.0 - 01/24/2024
- Print a warning if the conf file cannot be loaded when executing scripts (384)
- Git: added a method for finding the newest branch whose name matches a certain pattern (375)
- Git: added a check if remote already exists (375)
- Only clone repositories if target files exist (381)
- Do not merge unauthenticated commits which are newer than the last authenticated commit if a repository can contain unauthenticated commits (381)
- Partially update authentication repositories up to the last valid commit (381)
- Check if there are uncommitted changes when running the updater (377)
- Implement updater pipeline (374)
- Improve error messages and error logging (374)
- Update target repositories in a breadth-first way (374)
- Fix update of repositories which reference other repositories (384)
- Fix imports, do not require installation of yubikey-manager prior to running the update (376)
- Git: fix the commit method so that it raises an error if nothing is committed (375)
0.28.0 - 11/10/2023
- Implement tests for the functions which are directly called by the cli (API package) (362)
- Add push flag to all functions that used to always automatically push to remote in order to be able to prevent that behavior (362)
- Add a command for listing all roles (including delegated paths if applicable) whose metadata the inserted YubiKey can sign (362)
- Added mypy static type checking to pre-commit hook (360)
- Docs: update readme, add acknowledgements (365)
- Move add/remove dependencies to a separate module (362)
- Move all API helper functions to separate modules (362)
- Fixed errors reported by mypy (360)
- Fix loading of keys and create repo when old yubikey flag is used (370)
- Fix keys naming issue after adding a new signing key to a role that only had one signing key (362)
- Fix removal of targets when removing a role (362)
0.27.0 - 09/22/2023
- Automatically commit and push to remote unless a --no-commit flag is specified (357)
- Adding typing information to api functions and the git module (357)
- List keys of roles with additional information read from certificates command (355)
- Export certificate from the inserted YubiKey (355)
- Add signing keys given a public key when creating a new authentication repository (354)
- Allow specification of names of YubiKeys in repository description json (354)
- Model repository description json input using attrs and cattrs and its validation (354)
- Add test for repo initialization when it is directly inside drive's root (352)
- Add functions for adding/updating/removing dependencies to/from dependencies.json (338)
- Split tests into separate packages (353)
- Minor add/remove target repository improvements (351)
- Bump cattrs (349)
- Improve CLI error handling (346)
- Update signing keys loading. Add a flag for specifying if the user will be asked to manually enter a key (346)
- Remove default branch specification from updater (343)
- Updater: only load repositories defined in the newest version of repositories.json (341)
- Updater: automatically determine url if local repository exists (340)
- Remove hosts and hosts.json (330)
- Fix list targets in case when the target repo is not up to date with remote (357)
- Fix repositories.json update when adding new target repository (351)
- Fix error when keystore path is not provided (351)
- Make it possible to execute commands that don't require yubikey without installing yubikey-manager (342)
- Fix commits per repositories function when same target commits are on different branches (337)
- Add missing write flag to taf targets sign (329)
0.26.1 - 08/29/2023
- Bump cattrs (349)
0.26.0 - 07/12/2023
- Add command for adding/removing roles (314)
- Docstrings logging improvements (325)
- Keystore path in roles_key_info calculated relative to where the json file is (321)
- Try to sign using a yubikey before asking the user if they want to use a yubikey (320)
- Split developer_tool into separate modules (314, 321)
- Fix create repository (325)
0.25.0 - 03/31/2023
- Update license, release under agpl (313)
- Fix execution of scripts (311)
0.24.0 - 02/21/2023
- Add git methods for adding and removing remotes and checking if merge conflicts occurred (309)
- Add a command for updating and signing targets of specified type (308)
- Use generate_and_write_unencrypted_rsa_keypair for no provided password (305)
0.23.1 - 01/13/2023
- Fix clone_or_pull method (303)
0.23.0 - 12/27/2022
- Auto-detect default branch (300)
- Remove pytest11 default entrypoint (301)
0.22.4 - 12/15/2022
- Pin pyOpenSSL to newer version (299)
0.22.3 - 12/14/2022
- Add missing tuf import in log.py (298)
0.22.2 - 12/14/2022
- Remove _tuf_patches in __init__.py (297)
0.22.1 - 12/14/2022
- Move _tuf_patches to repository lib (296)
0.22.0 - 12/09/2022
- Support first commits on branches with a missing branch file (292)
- Upgrade cryptography version (279)
- Turn expired metadata into a warning instead of an error by default (275)
- Upgraded our TUF fork to newer version (273)
- Pin securesystemslib and cryptography (294)
- Use is_test_repo AuthRepository property in updater (293)
- Remove leftover git worktree code in error handling (291)
- Fix get_role_repositories to find common roles in both repositories.json and metadata (286)
- Replace buggy all_fetched_commits with all_commits_on_branch (285)
- Fix pygit2 performance regression (283)
- Fix taf metadata update-expiration-date --role snapshot to include root (282)
- Fix all_commits_since_commit to validate provided commit (278)
- Remove pin for PyOpenSSL (273)
0.21.1 - 09/07/2022
- Extended top_commit_of_branch, support references which are not branches, like HEAD (270)
- Add pygit_repo error handling and fix a couple of git.py logs (269)
0.21.0 - 08/30/2022
- Add support for multiple branch and capstone files (266)
- Add cli metadata command that checks if metadata roles are soon to expire (261)
- Document a solution to a YubiKey communication issue (257)
- If target role expiration date is being updated, sign timestamp and snapshot automatically (261)
- --clients-auth-path repo command improvements (260)
- port a number of git functionalities to pygit2 (227)
- Migrated yubikey-manager from v3.0.0 to v4.0.* (191)
- Do not remove authentication repository folder when running taf repo validate (267)
- fix git push - remove pygit2 push implementation which does not fully support ssh (263)
- Warn when git object cleanup fails (idx, pack) and include cleanup warning message (259)
0.20.0 - 06/22/2022
0.19.0 - 06/14/2022
- Loosen dependencies and pin pynacl (254)
0.18.0 - 05/31/2022
- Add support for Python 3.10 (247)
- Enable exclusion of certain target repositories from the update process (250)
- Update _get_unchanged_targets_metadata - updated_roles is now a list (246)
0.17.0 - 05/04/2022
- Add auth commit to sorted_commits_and_branches_per_repositories (240)
- Add --version option to cli (239)
- Add TAF's repository classes and repositoriesdb's documentation (237)
- Add --ff-only to git merge (235)
- Added format-output flag to update repo cli (234)
- Cache loaded git files (228)
- Add a flag for generating performance reports of update calls and print total update execution time (228)
- Update targets_at_revisions - only update a list of roles if a metadata file was added (228)
0.16.0 - 04/16/2022
- Add allow_unsafe flag to git repo class as a response to a recent git security fix (229)
- Remove no_checkout=True from clone (226)
- Remove --error-if-unauthenticated flag (220)
- Change clients-auth-path in taf repo update to optional. (213)
- Only clone if directory is empty (211)
- Fix updates of repos which only contain one commit (219)
- Fixed _validate_urls and local validation (216)
0.15.0 - 02/11/2022
- Docs: add info.json example (236)
- Update handler pipeline, showcase mapping dict fields to class types with attrs + cattrs. (206)
- Schema for update handler. (206)
- Add type tests for attrs structuring. (206)
- perf: re-implementing slow git cmds with pygit2 (207)
- Specify a list of repositories which shouldn't contain additional commits instead of just specifying a flag (203)
- Update handler fix: return an empty list of targets if the targets folder does not exist (208)
- pytest works when taf installed via wheel (200)
0.14.0 - 01/25/2022
- Specify a list of repositories which shouldn't contain additional commits instead of just specifying a flag (203)
- Raise an error if a repository which should not contain additional commits does so (203)
- Do not merge target commits if update as a whole will later fail (203)
0.13.4 - 01/20/2022
- Trim text read from the last_validated_commit file (201)
0.13.3 - 11/18/2021
- Update create local branch git command - remove checkout (197)
- Iterate through all urls when checking if a local repo is synced with remote (197)
0.13.2 - 11/11/2021
- Remove commit checkout and checkout the latest branch for each target repository (195)
- If top commit of the authentication repository is not the same as the last_validated_commit, validate the newer commits as if they were just pulled (195)
0.13.1 - 10/22/2021
- Pass default branch to sorted_commits_and_branches_per_repositories (185)
0.13.0 - 10/20/2021
- Pin cryptography and pyOpenSSL versions to keep compatibility with yubikey-manager 3.0.0 (184)
0.12.0 - 10/18/2021
- Updated cryptography version (183)
- Fix validate local repo command (183)
- Exclude test data from wheels (182)
0.11.1 - 09/29/2021
- Removed generate schema docs due to their long names causing issues on Windows when installing taf (181)
0.11.0 - 09/28/2021
- Added support for skipping automatic checkout (179)
- Compare current head commit according to the auth repo and top commit of target repo and raise an error if they are different (179)
- Automatically remove current and previous directories if they exist before instantiating tuf repo (179)
- Fixed branch exists check. Avoid wrongly returning true if there is a warning (179)
- Fixed update of repos which can contain unauthenticated commits - combine fetched and existing commits (179)
- Fixed handling of additional commits on a branch (179)
0.10.1 - 08/16/2021
- Do not raise an error if the hosts file is missing (177)
0.10.0 - 07/20/2021
- Update click to 7.1 (176)
0.9.0 - 06/30/2021
- Initial support for executing handlers. Handlers are scripts contained by auth repos which can be used to execute some code after successful/failed update of a repository and/or a host. (164)
- Implemented delegation of auth repositories - an auth repository can reference others by defining a special target file dependencies.json. Updater will pull all referenced repositories. (164)
- Provided a way of specifying hosts of repositories through a special target file called hosts.json (164)
- Verification of the initial commit of a repository given out-of-band-authentication commit either directly passed into the updater or stored in dependencies.json of the parent auth repo. (164)
- Renamed repo_name and repo_urls attributes to name and urls and additional_info to custom (164)
- Reworked repository classes (164)
- Transition from TravisCI to Github Actions (173)
0.8.1 - 04/14/2021
- Added a command for checking validity of the inserted YubiKey's pin (165)
- Raise an error if there are additional commits newer than the last authenticated commit if the updater is called with the check-authenticated flag (161)
- Added initial worktrees support to the updater (161)
- Added support for specifying location of the conf directory (161)
- Added a function for disabling file logging (161)
- Raise keystore error when key not found in keystore directory (166)
- Replaced authenticate-test-repo flag with an enum (161)
- Minor validation command fix (161)
0.8.0 - 02/09/2021
- Pin cryptography version (162)
0.7.2 - 11/11/2020
- Add a command for adding new delegated roles (158)
0.7.1 - 10/28/2020
- Small branches_containing_commit git method fix following git changes (156)
0.7.0 - 10/16/2020
- Add support for fully disabling tuf logging (154)
- Add support for including additional custom information when exporting historical data (147)
- Store authentication repo's path as key in repositoriesdb instead of its name (153)
- Minor YubiKey mock fix (153)
- Updated some git methods so that it is checked if the returned value is not None before calling strip (153)
0.6.1 - 09/09/2020
- Get binary file from git (skip encoding) (148)
0.6.0 - 08/11/2020
- Git method for getting the first commit on a branch (145)
- Minor check capstone validation update (145)
- Check if specified target repositories exist before trying to export historical commits data (144)
0.5.2 - 07/21/2020
- Git method for removing remote tracking branches (142)
- Check remote repository when checking if a branch already exists (142)
0.5.1 - 06/25/2020
- Documentation updates (140)
- Set only_load_targets parameter to True by default in repositoriesdb (139)
- Use _load_signing_keys in add_signing_key (138)
- Raise a nicer error when instantiating a TUF repository if it is invalid (137)
- Fix loading targets metadata files in repositoriesdb (139)
0.5.0 - 06/04/2020
- Add repositoriesdb tests (134)
- Add support for defining urls using a separate mirrors.json file (134)
- Add a command for exporting targets historical data (133)
- Updated repositoriesdb so that delegated target roles are taken into consideration when finding targets data (134)
- sorted_commits_and_branches_per_repositories returns additional targets data and not just commits (133)
0.4.1 - 05/12/2020
- Error handling and logging improvements (131)
0.4.0 - 05/01/2020
- Git method to create orphan branch (129)
- Added updater check which verifies that metadata corresponding to the last commit has not yet expired (124)
- Additional updater tests (124)
- Added command for validating repositories without updating them (124)
- Import error handling for taf.yubikey module (120)
- Updater tests which validate updated root metadata (118)
- New test cases for updating targets/delegations metadata (116)
- Create empty targets directory before instantiating tuf repository if it does not exist (114)
- When creating a new repository, print user's answers to setup question as json (114)
- Sign all target files which are found inside the targets directory when creating a new repository (114)
- Minor logging updates (126)
- Updater: Partial repo factory (125)
- Logging formats (120)
- Use common role of given targets during update of targets/delegations metadata (116)
- Changed format of keys description json, as it can now contain roles' description under "roles" key and keystore path under "keystore" key (114)
- Import errors (ykman) inside tests (129)
- Fixed addition of new signing key so that this functionality works in case of delegated roles (128)
- Fixed synced_with_remote (121)
- Signing fixes with keystore keys (120)
- Load signing keys minor fixes (120, 117)
- Normalize target files when creating a new repository (117)
0.3.1 - 03/21/2020
- Move safely_get_json to base git repository class (105)
- update_role_keystores fix (112)
- create_repo fix (111)
- Load repositories exits early if the authentication repo has no commits (106)
- Fix clone_or_pull (105)
0.3.0 - 03/03/2020
- Add a check if at least one repository was loaded (102)
- Add *args and **kwargs arguments to repository classes (102)
- Add a method for instantiating TUF repository at a given revision (101)
- Add support for validating delegated target repositories to the updater (101)
- Add delegations tests (98)
- Add support for delegated targets roles (97, 98, 99, 100)
- Renamed repo_name to name and repo_path to path (101)
- Updated add_targets so that it fully supports delegated roles (98)
- Refactored tests so that it is possible to create and use more than one taf repository (98)
- Separated commands into sub-commands (96)
- Use root-dir and namespace instead of target-dir (96)
- Fix init and create repo commands (96)
0.2.2 - 01/06/2020
- Updater: support validation of multiple branches of target repositories (91)
- Add a method which deletes all target files which are not specified in targets.json (90)
- Fix update_target_repos_from_repositories_json (91)
0.2.1 - 12/19/2019
- Add update_expiration_date CLI command (86)
- Add set_remote_url git method and branch as the input parameter of list_commits (84)
- Logging rework - use loguru library (83)
- Fix update_expiration_date_keystore and get_signable_metadata (86)
- Fix branch exists git function (82)
0.2.0 - 11/30/2019
- Added commands for setting up yubikeys, exporting public keys and adding new signing keys (79)
- Created standardized yubikey prompt (79)
- Creation of new repositories made more robust (79)
0.1.8 - 11/12/2019
- Numerous new git methods (74, 75)
- Initial pre-commit configuration (black + flake8 + bandit) (69)
- Add changelog (69)
- Add pull request template (69)
- Updated validation of branches (73)
- Move tests to the main package (72)
- Updated travis script (69)
- Remove python 3.6 support (69)
- Use f-strings instead of format (69)
0.1.7 - 09/30/2019
- Add helper method to check if given commit has ever been validated (65)
- Pass scheme argument when loading timestamp and snapshot keys (66)
- Updated default logs location (67)
0.1.6 - 09/05/2019
- Update oll-tuf version (63)
- Remove utils function for importing RSA keys and refactor other files (63)
- Fix azure pipeline script (include libusb in wheels) (63)
0.1.5 - 08/29/2019
- Initial Version