The Update Framework (TUF)

TUF (The Update Framework) is a CNCF graduated framework for securing software update systems. It provides a specification for how software repositories should be structured and how clients should verify updates to protect against key compromise, rollback attacks, and mix-and-match attacks. TUF is used by many package managers and update systems including PyPI, Sigstore, and various Linux distributions. The framework defines a four-role metadata structure (root, targets, snapshot, timestamp) with threshold signing and delegation capabilities for scalable trust management.

7 APIs · 0 Features
Tags: CNCF, Cloud Native, Graduated, Security, Software Supply Chain, Software Updates, Verification

APIs

TUF Repository Specification

The TUF specification defines the structure of update repositories including the root, targets, snapshot, and timestamp metadata files. Each metadata file has a defined schema w...

TUF Python Reference Implementation

The official Python reference implementation of The Update Framework (TUF) specification. Provides a metadata API for reading and writing TUF metadata files, an ngclient API imp...

TUF Go Implementation

A Go implementation of The Update Framework (TUF), heavily influenced by python-tuf's design. Provides metadata, TrustedMetadata, and Updater packages implementing the TUF clien...

TUF Rust Implementation

A Rust implementation of The Update Framework (TUF) specification providing a strongly-typed API for working with TUF metadata, verifying signatures, and implementing the TUF cl...

TUF JavaScript Implementation

A JavaScript/TypeScript implementation of The Update Framework (TUF) for use in Node.js environments and browser-based update systems. Enables TUF-compliant software update veri...

TUF on CI

A TUF repository management and signing tool designed for use in CI/CD pipelines. Enables teams to maintain a TUF repository using GitHub Actions and other CI systems for automa...

TUF Conformance Test Suite

The official TUF client conformance test suite for verifying that TUF client implementations correctly implement the TUF specification, including proper handling of all attack v...

Semantic Vocabularies

Tuf Context

0 classes · 12 properties

JSON-LD

Resources

Website
Documentation
GettingStarted
GitHub Organization
GitHubRepository
Specification
Blog
CNCF
Community
JSON-LD
JSONSchema
JSONSchema
JSONSchema
JSONSchema
Vocabulary

Sources

apis.yml
aid: tuf
name: The Update Framework (TUF)
description: >-
  TUF (The Update Framework) is a CNCF graduated framework for securing
  software update systems. It provides a specification for how software
  repositories should be structured and how clients should verify updates
  to protect against key compromise, rollback attacks, and mix-and-match
  attacks. TUF is used by many package managers and update systems including
  PyPI, Sigstore, and various Linux distributions. The framework defines
  a four-role metadata structure (root, targets, snapshot, timestamp) with
  threshold signing and delegation capabilities for scalable trust management.
url: https://theupdateframework.io
image: https://kinlane-productions2.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
  - CNCF
  - Cloud Native
  - Graduated
  - Security
  - Software Supply Chain
  - Software Updates
  - Verification
created: '2026-03-16'
modified: '2026-05-03'
specificationVersion: '0.19'
type: Index
apis:
  - aid: tuf:tuf-spec
    name: TUF Repository Specification
    description: >-
      The TUF specification defines the structure of update repositories
      including the root, targets, snapshot, and timestamp metadata files.
      Each metadata file has a defined schema with signatures, expiration
      dates, and delegation rules. Clients follow a defined verification
      workflow to securely resolve and download updates while protecting
      against various attack vectors including key compromise, rollback attacks,
      freeze attacks, and mix-and-match attacks. The specification is version 1.0.31.
    humanURL: https://theupdateframework.github.io/specification/latest/
    properties:
      - type: Documentation
        url: https://theupdateframework.github.io/specification/latest/
      - type: GitHubRepository
        url: https://github.com/theupdateframework/specification
      - type: JSONSchema
        url: json-schema/tuf-root-metadata-schema.json
      - type: JSONSchema
        url: json-schema/tuf-targets-metadata-schema.json
      - type: JSONSchema
        url: json-schema/tuf-snapshot-metadata-schema.json
      - type: JSONSchema
        url: json-schema/tuf-timestamp-metadata-schema.json
    tags:
      - Metadata
      - Repository Metadata
      - Specification
      - Verification
  - aid: tuf:python-tuf
    name: TUF Python Reference Implementation
    description: >-
      The official Python reference implementation of The Update Framework (TUF)
      specification. Provides a metadata API for reading and writing TUF metadata
      files, an ngclient API implementing the TUF client update workflow, and a
      repository library for building TUF-compliant software repositories.
      Available on PyPI as the 'tuf' package.
    humanURL: https://theupdateframework.readthedocs.io/en/stable/
    properties:
      - type: Documentation
        url: https://theupdateframework.readthedocs.io/en/stable/
      - type: GitHubRepository
        url: https://github.com/theupdateframework/python-tuf
      - type: PackageRegistry
        url: https://pypi.org/project/tuf/
    tags:
      - Client Library
      - Python
      - Security
      - Software Updates
      - Supply Chain
  - aid: tuf:go-tuf
    name: TUF Go Implementation
    description: >-
      A Go implementation of The Update Framework (TUF), heavily influenced by
      python-tuf's design. Provides metadata, TrustedMetadata, and Updater
      packages implementing the TUF client workflow and specification-compliant
      metadata handling, as well as multi-repository support via TAP 4.
    humanURL: https://github.com/theupdateframework/go-tuf
    properties:
      - type: Documentation
        url: https://github.com/theupdateframework/go-tuf
      - type: GitHubRepository
        url: https://github.com/theupdateframework/go-tuf
    tags:
      - Client Library
      - Go
      - Security
      - Software Updates
      - Supply Chain
  - aid: tuf:rust-tuf
    name: TUF Rust Implementation
    description: >-
      A Rust implementation of The Update Framework (TUF) specification providing
      a strongly-typed API for working with TUF metadata, verifying signatures,
      and implementing the TUF client update workflow.
    humanURL: https://github.com/theupdateframework/rust-tuf
    properties:
      - type: GitHubRepository
        url: https://github.com/theupdateframework/rust-tuf
    tags:
      - Client Library
      - Rust
      - Security
      - Software Updates
  - aid: tuf:tuf-js
    name: TUF JavaScript Implementation
    description: >-
      A JavaScript/TypeScript implementation of The Update Framework (TUF) for
      use in Node.js environments and browser-based update systems. Enables
      TUF-compliant software update verification in the JavaScript ecosystem.
    humanURL: https://github.com/theupdateframework/tuf-js
    properties:
      - type: GitHubRepository
        url: https://github.com/theupdateframework/tuf-js
    tags:
      - Client Library
      - JavaScript
      - Security
      - Software Updates
      - TypeScript
  - aid: tuf:tuf-on-ci
    name: TUF on CI
    description: >-
      A TUF repository management and signing tool designed for use in CI/CD
      pipelines. Enables teams to maintain a TUF repository using GitHub Actions
      and other CI systems for automated, policy-driven key management and metadata
      signing workflows.
    humanURL: https://github.com/theupdateframework/tuf-on-ci
    properties:
      - type: GitHubRepository
        url: https://github.com/theupdateframework/tuf-on-ci
    tags:
      - CI/CD
      - Key Management
      - Repository Management
      - Security
  - aid: tuf:tuf-conformance
    name: TUF Conformance Test Suite
    description: >-
      The official TUF client conformance test suite for verifying that TUF client
      implementations correctly implement the TUF specification, including proper
      handling of all attack vectors and edge cases.
    humanURL: https://github.com/theupdateframework/tuf-conformance
    properties:
      - type: GitHubRepository
        url: https://github.com/theupdateframework/tuf-conformance
    tags:
      - Compliance
      - Conformance Testing
      - Security
      - Testing
common:
  - type: Website
    url: https://theupdateframework.io/
  - type: Documentation
    url: https://theupdateframework.io/docs/
  - type: GettingStarted
    url: https://theupdateframework.io/docs/getting-started/
  - type: GitHub Organization
    url: https://github.com/theupdateframework
  - type: GitHubRepository
    url: https://github.com/theupdateframework/python-tuf
  - type: Specification
    url: https://theupdateframework.github.io/specification/latest/
  - type: Blog
    url: https://theupdateframework.io/resources/news/
  - type: CNCF
    url: https://www.cncf.io/projects/the-update-framework-tuf/
  - type: Community
    url: https://github.com/theupdateframework/community
  - type: JSON-LD
    url: json-ld/tuf-context.jsonld
  - type: JSONSchema
    url: json-schema/tuf-root-metadata-schema.json
  - type: JSONSchema
    url: json-schema/tuf-targets-metadata-schema.json
  - type: JSONSchema
    url: json-schema/tuf-snapshot-metadata-schema.json
  - type: JSONSchema
    url: json-schema/tuf-timestamp-metadata-schema.json
  - type: Vocabulary
    url: vocabulary/tuf-vocabulary.yml
maintainers:
  - FN: Kin Lane
    email: [email protected]