Metadata-Version: 2.4
Name: conda-content-trust
Version: 0.2.0
Summary: Signing and verification tools, geared toward the conda ecosystem.
Project-URL: repository, https://github.com/conda/conda-content-trust
Project-URL: changelog, https://github.com/conda/conda-content-trust/blob/main/CHANGELOG.md
Author-email: "Anaconda, Inc." <conda@continuum.io>
License: BSD License
        
        Copyright (c) 2019, Anaconda, Inc.
        All rights reserved.
        
        Redistribution and use in source and binary forms, with or without modification,
        are permitted provided that the following conditions are met:
        
        * Redistributions of source code must retain the above copyright notice, this
          list of conditions and the following disclaimer.
        
        * Redistributions in binary form must reproduce the above copyright notice, this
          list of conditions and the following disclaimer in the documentation and/or
          other materials provided with the distribution.
        
        * Neither the name of the copyright holder nor the names of its
          contributors may be used to endorse or promote products derived from this
          software without specific prior written permission.
        
        THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
        ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
        WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
        IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
        INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
        BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
        DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
        OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
        OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
        OF THE POSSIBILITY OF SUCH DAMAGE.
License-File: AUTHORS.md
License-File: LICENSE
Keywords: authentication,compromise,conda,conda-authentication-resources,conda-content-trust,key,secure,signing,verify
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: BSD License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Requires-Python: >=3.8
Requires-Dist: cryptography>=41
Provides-Extra: gpgsigning
Requires-Dist: securesystemslib==0.13.1; extra == 'gpgsigning'
Description-Content-Type: text/markdown

[ci-tests-badge]: https://github.com/conda/conda-content-trust/actions/workflows/tests.yml/badge.svg
[codecov-badge]: https://img.shields.io/codecov/c/github/conda/conda-content-trust/main.svg?label=coverage
[release-badge]: https://img.shields.io/github/release/conda/conda-content-trust.svg

# Conda Content Trust: Signing and verification tools for Conda

[![Tests (GitHub Actions)][ci-tests-badge]](https://github.com/conda/conda-content-trust/actions/workflows/tests.yml)
[![Codecov Status][codecov-badge]](https://codecov.io/gh/conda/conda-content-trust/branch/main)
[![latest release version][release-badge]](https://github.com/conda/conda-content-trust/releases)

*What:* Based on [The Update Framework (TUF)](https://theupdateframework.io/), conda-content-trust is intended to ensure that when users in the conda ecosystem obtain a package or data about that package, they can know whether or not it is trustworthy (e.g. originally comes from a reliable source and has not been tampered with).  A basic library and basic CLI are included to provide signing, verification, and trust delegation functionality.

*Why:* This exists as an alteration of TUF because of the very particular needs of the conda ecosystem.  (Developers are encouraged to *just use TUF* whenever possible!)

*Where:* This tool is general purpose.  It is currently used in conda 4.10.1+ to verify package metadata signatures when they are available ([announcement](https://www.anaconda.com/blog/conda-signature-verification), [instructions](https://docs.anaconda.com/anaconda-commercial/security)).

## Installation

Installation can be accomplished via conda:

```
conda install conda-content-trust
```

Or via pip:

```
pip install conda-content-trust
```

(If you intend to tinker with the code, feel free to use an editable install: `pip install -e .`)

### Optional Dependencies for Producing Signatures with GPG Keys / YubiKeys

If you intend to *create* *GPG* key signatures (as opposed to the typical non-GPG signatures), and/or you intend to use the YubiKey interface, you will need to install two optional dependencies:

- `GPG` (any gpg client that provides command-line gpg functionality should do)
- `securesystemslib` (`pip install securesystemslib`)

## Demonstration and Use

The command-line utility provides built-in help:

```
conda-content-trust --help
```

You should be able to run the demo after installing:

```
python3 demo.py
```

(Portions of the demo may require the optional dependencies above.)


## Testing

Each set of tests is a module in the `tests/` directory.  These can all be run with:

```
pytest
```
