The Update Framework (TUF) website screenshot

The Update Framework (TUF)

TUF (The Update Framework) is a CNCF graduated framework for securing software update systems. It provides a specification for how software repositories should be structured and how clients should verify updates to protect against key compromise, rollback attacks, and mix-and-match attacks. TUF is used by many package managers and update systems including PyPI, Sigstore, and various Linux distributions. The framework defines a four-role metadata structure (root, targets, snapshot, timestamp) with threshold signing and delegation capabilities for scalable trust management.

7 APIs 0 Features
CNCFCloud NativeGraduatedSecuritySoftware Supply ChainSoftware UpdatesVerification

APIs

TUF Repository Specification

The TUF specification defines the structure of update repositories including the root, targets, snapshot, and timestamp metadata files. Each metadata file has a defined schema w...

TUF Python Reference Implementation

The official Python reference implementation of The Update Framework (TUF) specification. Provides a metadata API for reading and writing TUF metadata files, an ngclient API imp...

TUF Go Implementation

A Go implementation of The Update Framework (TUF), heavily influenced by python-tuf's design. Provides metadata, TrustedMetadata, and Updater packages implementing the TUF clien...

TUF Rust Implementation

A Rust implementation of The Update Framework (TUF) specification providing a strongly-typed API for working with TUF metadata, verifying signatures, and implementing the TUF cl...

TUF JavaScript Implementation

A JavaScript/TypeScript implementation of The Update Framework (TUF) for use in Node.js environments and browser-based update systems. Enables TUF-compliant software update veri...

TUF on CI

A TUF repository management and signing tool designed for use in CI/CD pipelines. Enables teams to maintain a TUF repository using GitHub Actions and other CI systems for automa...

TUF Conformance Test Suite

The official TUF client conformance test suite for verifying that TUF client implementations correctly implement the TUF specification, including proper handling of all attack v...

Pricing Plans

Tuf Plans Pricing

3 plans

PLANS

Rate Limits

Tuf Rate Limits

5 limits

RATE LIMITS

FinOps

Tuf Finops

FINOPS

Semantic Vocabularies

Tuf Context

0 classes · 12 properties

JSON-LD

JSON Structure

Tuf Root Metadata Structure

0 properties

JSON STRUCTURE

Tuf Targets Metadata Structure

0 properties

JSON STRUCTURE

Example Payloads

Tuf Root Metadata Example

3 fields

EXAMPLE

Tuf Targets Metadata Example

3 fields

EXAMPLE

Resources

🔗
Website
Website
🔗
Documentation
Documentation
🚀
GettingStarted
GettingStarted
👥
GitHubOrganization
GitHubOrganization
👥
GitHubRepository
GitHubRepository
🔗
Specification
Specification
📰
Blog
Blog
🔗
CNCF
CNCF
🔗
Community
Community
🔗
JSONLD
JSONLD
🔗
JSONSchema
JSONSchema
🔗
JSONSchema
JSONSchema
🔗
JSONSchema
JSONSchema
🔗
JSONSchema
JSONSchema
🔗
Vocabulary
Vocabulary

Sources

apis.yml Raw ↑
aid: tuf
name: The Update Framework (TUF)
description: TUF (The Update Framework) is a CNCF graduated framework for securing software update systems. It provides a
  specification for how software repositories should be structured and how clients should verify updates to protect against
  key compromise, rollback attacks, and mix-and-match attacks. TUF is used by many package managers and update systems including
  PyPI, Sigstore, and various Linux distributions. The framework defines a four-role metadata structure (root, targets, snapshot,
  timestamp) with threshold signing and delegation capabilities for scalable trust management.
url: https://theupdateframework.io
image: https://kinlane-images.s3.amazonaws.com/shared/apis-json/apis-json-logo.jpg
tags:
- CNCF
- Cloud Native
- Graduated
- Security
- Software Supply Chain
- Software Updates
- Verification
created: '2026-03-16'
modified: '2026-05-03'
specificationVersion: '0.19'
type: Index
apis:
- aid: tuf:tuf-spec
  name: TUF Repository Specification
  description: The TUF specification defines the structure of update repositories including the root, targets, snapshot, and
    timestamp metadata files. Each metadata file has a defined schema with signatures, expiration dates, and delegation rules.
    Clients follow a defined verification workflow to securely resolve and download updates while protecting against various
    attack vectors including key compromise, rollback attacks, freeze attacks, and mix-and-match attacks. The specification
    is version 1.0.31.
  humanURL: https://theupdateframework.github.io/specification/latest/
  properties:
  - type: Documentation
    url: https://theupdateframework.github.io/specification/latest/
  - type: GitHubRepository
    url: https://github.com/theupdateframework/specification
  - type: JSONSchema
    url: json-schema/tuf-root-metadata-schema.json
  - type: JSONSchema
    url: json-schema/tuf-targets-metadata-schema.json
  - type: JSONSchema
    url: json-schema/tuf-snapshot-metadata-schema.json
  - type: JSONSchema
    url: json-schema/tuf-timestamp-metadata-schema.json
  tags:
  - Metadata
  - Repository Metadata
  - Specification
  - Verification
- aid: tuf:python-tuf
  name: TUF Python Reference Implementation
  description: The official Python reference implementation of The Update Framework (TUF) specification. Provides a metadata
    API for reading and writing TUF metadata files, an ngclient API implementing the TUF client update workflow, and a repository
    library for building TUF-compliant software repositories. Available on PyPI as the 'tuf' package.
  humanURL: https://theupdateframework.readthedocs.io/en/stable/
  properties:
  - type: Documentation
    url: https://theupdateframework.readthedocs.io/en/stable/
  - type: GitHubRepository
    url: https://github.com/theupdateframework/python-tuf
  - type: PackageRegistry
    url: https://pypi.org/project/tuf/
  tags:
  - Client Library
  - Python
  - Security
  - Software Updates
  - Supply Chain
- aid: tuf:go-tuf
  name: TUF Go Implementation
  description: A Go implementation of The Update Framework (TUF), heavily influenced by python-tuf's design. Provides metadata,
    TrustedMetadata, and Updater packages implementing the TUF client workflow and specification-compliant metadata handling,
    as well as multi-repository support via TAP 4.
  humanURL: https://github.com/theupdateframework/go-tuf
  properties:
  - type: Documentation
    url: https://github.com/theupdateframework/go-tuf
  - type: GitHubRepository
    url: https://github.com/theupdateframework/go-tuf
  tags:
  - Client Library
  - Go
  - Security
  - Software Updates
  - Supply Chain
- aid: tuf:rust-tuf
  name: TUF Rust Implementation
  description: A Rust implementation of The Update Framework (TUF) specification providing a strongly-typed API for working
    with TUF metadata, verifying signatures, and implementing the TUF client update workflow.
  humanURL: https://github.com/theupdateframework/rust-tuf
  properties:
  - type: GitHubRepository
    url: https://github.com/theupdateframework/rust-tuf
  tags:
  - Client Library
  - Rust
  - Security
  - Software Updates
- aid: tuf:tuf-js
  name: TUF JavaScript Implementation
  description: A JavaScript/TypeScript implementation of The Update Framework (TUF) for use in Node.js environments and browser-based
    update systems. Enables TUF-compliant software update verification in the JavaScript ecosystem.
  humanURL: https://github.com/theupdateframework/tuf-js
  properties:
  - type: GitHubRepository
    url: https://github.com/theupdateframework/tuf-js
  tags:
  - Client Library
  - JavaScript
  - Security
  - Software Updates
  - TypeScript
- aid: tuf:tuf-on-ci
  name: TUF on CI
  description: A TUF repository management and signing tool designed for use in CI/CD pipelines. Enables teams to maintain
    a TUF repository using GitHub Actions and other CI systems for automated, policy-driven key management and metadata signing
    workflows.
  humanURL: https://github.com/theupdateframework/tuf-on-ci
  properties:
  - type: GitHubRepository
    url: https://github.com/theupdateframework/tuf-on-ci
  tags:
  - CI/CD
  - Key Management
  - Repository Management
  - Security
- aid: tuf:tuf-conformance
  name: TUF Conformance Test Suite
  description: The official TUF client conformance test suite for verifying that TUF client implementations correctly implement
    the TUF specification, including proper handling of all attack vectors and edge cases.
  humanURL: https://github.com/theupdateframework/tuf-conformance
  properties:
  - type: GitHubRepository
    url: https://github.com/theupdateframework/tuf-conformance
  tags:
  - Compliance
  - Conformance Testing
  - Security
  - Testing
common:
- type: Website
  url: https://theupdateframework.io/
- type: Documentation
  url: https://theupdateframework.io/docs/
- type: GettingStarted
  url: https://theupdateframework.io/docs/getting-started/
- type: GitHubOrganization
  url: https://github.com/theupdateframework
- type: GitHubRepository
  url: https://github.com/theupdateframework/python-tuf
- type: Specification
  url: https://theupdateframework.github.io/specification/latest/
- type: Blog
  url: https://theupdateframework.io/resources/news/
- type: CNCF
  url: https://www.cncf.io/projects/the-update-framework-tuf/
- type: Community
  url: https://github.com/theupdateframework/community
- type: JSONLD
  url: json-ld/tuf-context.jsonld
- type: JSONSchema
  url: json-schema/tuf-root-metadata-schema.json
- type: JSONSchema
  url: json-schema/tuf-targets-metadata-schema.json
- type: JSONSchema
  url: json-schema/tuf-snapshot-metadata-schema.json
- type: JSONSchema
  url: json-schema/tuf-timestamp-metadata-schema.json
- type: Vocabulary
  url: vocabulary/tuf-vocabulary.yml
maintainers:
- FN: Kin Lane
  email: kin@apievangelist.com