Last September, our VMware colleague Joshua Lock offered a comprehensive overview of how TUF (The Update Framework) is helping advance software supply chain security. Since then, urgency around the issue has only increased, with high-profile incidents such as December’s SolarWinds and the April 2021 Codecov attacks provoking industry and government responses like the May 2021, White House Executive Order that will require US technology suppliers to prove that their supply chains are secure.
TUF is both an open source framework and specification for securing the content in a content repository that developers can adopt into any software update system. In addition to having a reference implementation, TUF secures updates for Amazon’s AWS Labs’ Bottlerocket operating system, and Google’s Fuchsia R&D OS, among others. TUF also provides the basis for package signing integrity of Docker container images. Over the last year, rising concern around software supply chain security has heightened industry interest and engagement across this broad ecosystem. But in this post we want to highlight what has been going on with TUF itself.
If 2020 was about solidifying the foundational framework for TUF, our efforts this year have focused on making it easier to access and use. To that end we recently published a more accessibly-rendered version of the TUF specification. We’re currently updating TUF’s documentation to make it easier for developers to find the new components that we think are going to make their lives a lot easier.
TUF is now a modern Python project
A much larger project involved creating a new TUF reference implementation component in the form of a “low-level” metadata API designed to provide easier access to TUF metadata.
The new API is built using modern Python and takes advantage of modern Python tools such as annotations and static type checking. It handles TUF metadata serialization and offers a “low-level” view into TUF in the sense that it provides a clearly defined interface to the metadata itself but does not introduce higher level concepts like “repository” or “update workflow”. This low-level API will make it easier to define those concepts in other components. On top of that, the API is now much easier to map to the specification.
In addition, we initiated a “next-gen” client implementation, ngclient, built on top of the Metadata API and also written in modern Python. This offers a clean, easy-to-validate reference client implementation that is also easier to improve and work with. Our hope is that it will become the library of choice for anyone implementing a TUF client in Python: lightweight, easy to integrate, and with minimal required dependencies. This implementation is still under development, but is already usable and will eventually become the default TUF client (i.e., the older tuf.client will be deprecated in the future).
Protecting the Python software supply chain
Meanwhile, work on using TUF to protect the Python software supply chain continues. Much of this happens in Warehouse (the software powering pypi.org) and pip (the most used PyPI client). In October the Python Software Foundation held a key generation ceremony for The Python Package Index, marking an important step forward in the collective effort to secure the Python software supply chain.
We’ve also made progress with TUF integration on the PyPI client side. After making some targeted improvements to TUF itself and a few small changes in the planned repository architecture, pip now has a working proof-of-concept.
This work with Warehouse and pip offered the TUF team a valuable perspective on how massive update systems operate in the real world and how TUF should integrate with them. That perspective led us to make several key improvements to the project, the most significant being new abstractions that large systems can plug their implementations into. These include:
- A storage abstraction (so metadata does not have to be stored in files)
- A signing abstraction (so signing is compatible with whatever secrets management solution is used)
- A download abstraction (so clients can use their preferred stack for network IO)
It’s great to have TUF at a point where implementing new tools requires vastly fewer lines of code than it used to, and to have a client implementation that is significantly easier to understand and improve. TUF is now more approachable to more people, and more helpful as a reference for other implementations.
Looking ahead, we have several interesting new projects underway, including an experimental command line repository editor (a VMware labs project) that we wrote to confirm that the metadata API would indeed let us build a command line repository editor with just a few hundred lines of code. The same code also enables TUF repository automation using Github Actions – expect to see more related demos in the future.
As developers interested in supply chain security, we’re also thinking about some of the larger challenges that remain to be tackled in the space. One that interests us both right now is expanding the reach of projects like TUF beyond the group of developers who are willing to use PGP and manage to store their private keys securely: Sigstore provides a very interesting combination of temporary signing certificates and OpenID authentication by identity providers like Google or Microsoft. TUF and Sigstore project members are already discussing how these technologies could be used in TUF: stay tuned for more news on this.
In the meantime, If you are interested in learning more about TUF, or in helping us make it even easier to work with and even more useful to more projects, do get in touch. You can find us and the rest of the team through GitHub, our Slack channel and mailing list or just go directly to our updated list of good starting issues and pick one to try.