
trust

🤖 AI-Generated Content

This documentation was generated with AI assistance and is still being audited. Some, or potentially a lot, of this information may be inaccurate. Learn more.

flavor.commands.trust

flavor trust — manage the trusted signing key store.

Classes

Functions

trust_add

trust_add(
    key_file: str, name: str | None, global_: bool
) -> None

Add a public key to the trusted-keys store.

Source code in flavor/commands/trust.py
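def _strip_name_label(pem: bytes) -> bytes:
    """Return *pem* without any ``# Name:`` header lines, normalised to LF line ends.

    Used both to feed the PEM parser only the key material and to compare a
    freshly serialised key against a file already in the store.
    """
    kept = [ln for ln in pem.splitlines() if not ln.strip().startswith(b"# Name:")]
    return b"\n".join(kept) + b"\n"


@trust_group.command("add")
@click.argument("key_file", type=click.Path(exists=True, dir_okay=False, resolve_path=True))
@click.option("--name", default=None, help="Human-readable label for this key.")
@click.option("--global", "global_", is_flag=True, default=False, help="Add to system store.")
def trust_add(key_file: str, name: str | None, global_: bool) -> None:
    """Add a public key to the trusted-keys store.

    Args:
        key_file: Path to a PEM-encoded public key. A ``# Name:`` label line
            already present in the file is ignored; the key is re-serialised
            as SubjectPublicKeyInfo PEM before being stored.
        name: Optional human-readable label, written as a single ``# Name:``
            header line in front of the stored PEM.
        global_: Store the key in the system-wide store instead of the user store.

    Exit codes:
        1: the key file could not be read or parsed, the label spans more
           than one line, or a different key already occupies the target file.
    """
    # The label becomes a header line of the stored file; embedded line breaks
    # would turn user input into extra header lines the loader cannot tell
    # apart from the PEM body.
    if name is not None and ("\n" in name or "\r" in name):
        perr("Key label must be a single line.")
        raise SystemExit(1)

    src = Path(key_file)
    try:
        pub_key = load_pem_public_key(_strip_name_label(src.read_bytes()))
        fp = compute_key_fingerprint(pub_key)
    except Exception as exc:  # CLI boundary: report the parse/read error and exit
        perr(f"Failed to read key: {exc}")
        raise SystemExit(1) from exc

    store_dir = get_trusted_keys_dir(system=global_)
    store_dir.mkdir(parents=True, exist_ok=True)

    # NOTE(review): only the first 16 characters of the fingerprint name the
    # file — confirm the loader recomputes the full fingerprint from the key
    # rather than from the file name.
    dest = store_dir / f"{fp[:16]}.pub"
    raw_pem = pub_key.public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo)
    label = f"# Name: {name}\n".encode() if name else b""

    # Never silently replace a *different* key that maps to the same file
    # name; re-adding the same key only refreshes its label.
    if dest.exists():
        try:
            existing_pem = _strip_name_label(dest.read_bytes())
        except OSError as exc:
            perr(f"Failed to read existing key {dest}: {exc}")
            raise SystemExit(1) from exc
        if existing_pem != _strip_name_label(raw_pem):
            perr(f"A different key is already stored at {dest}; remove it first.")
            raise SystemExit(1)

    dest.write_bytes(label + raw_pem)
    pout(f"Added key {fp[:16]}...  ({name or 'no label'})  → {dest}")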

trust_group

trust_group() -> None

Manage the trusted signing key store.

Source code in flavor/commands/trust.py
@click.group("trust")
def trust_group() -> None:
    """Entry point for ``flavor trust``: manage the trusted signing key store.

    The group body does nothing itself; the ``add``, ``list``, ``remove`` and
    ``verify`` subcommands register on it via ``trust_group.command``.
    """

trust_list

trust_list(global_: bool) -> None

List all trusted keys and their fingerprints.

Source code in flavor/commands/trust.py
@trust_group.command("list")
@click.option("--global", "global_", is_flag=True, default=False, help="Show system store only.")
def trust_list(global_: bool) -> None:
    """List all trusted keys and their fingerprints.

    Args:
        global_: Read only the system-wide store. Otherwise the keys come
            from ``load_trusted_keys()``, whose default scope is decided by
            that helper rather than here.
    """
    if global_:
        # NOTE(review): the system store is located via get_system_config_dir()
        # here but via get_trusted_keys_dir(system=True) in `trust add` —
        # confirm both resolve to the same directory.
        keys = _load_keys_from_dir(get_system_config_dir() / "trusted-keys")
    else:
        keys = load_trusted_keys()

    if not keys:
        pout("No trusted keys found.")
        return

    # Fingerprints are unique keys, so sorting by fingerprint alone gives the
    # same order as sorting the (fingerprint, info) pairs.
    for fingerprint in sorted(keys):
        entry = keys[fingerprint]
        display_name = entry.get("name") or "(no label)"
        pout(f"  {fingerprint}  {display_name}")

trust_remove

trust_remove(fingerprint: str, global_: bool) -> None

Remove a key from the trusted-keys store by fingerprint.

Source code in flavor/commands/trust.py
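@trust_group.command("remove")
@click.argument("fingerprint")
@click.option("--global", "global_", is_flag=True, default=False, help="Remove from system store.")
def trust_remove(fingerprint: str, global_: bool) -> None:
    """Remove a key from the trusted-keys store by fingerprint.

    Args:
        fingerprint: Fingerprint as printed by ``flavor trust list``; it must
            match a store entry exactly (no prefix matching).
        global_: Operate on the system-wide store instead of the user store.

    Exit codes:
        1: no key with that fingerprint exists in the selected store, or the
           key file could not be deleted.
    """
    store_dir = get_trusted_keys_dir(system=global_)
    if global_:
        # NOTE(review): the system store is located via get_system_config_dir()
        # here but via get_trusted_keys_dir(system=True) for store_dir above —
        # confirm both resolve to the same directory.
        keys = _load_keys_from_dir(get_system_config_dir() / "trusted-keys")
    else:
        keys = load_trusted_keys(include_system=False)

    if fingerprint not in keys:
        perr(f"Key not found: {fingerprint[:16]}...")
        raise SystemExit(1)

    key_path = Path(keys[fingerprint]["path"])
    try:
        key_path.unlink()
    except OSError as exc:
        # The file may have vanished since the store was read, or the store
        # may not be writable by this user; report instead of tracing back.
        perr(f"Failed to remove {key_path}: {exc}")
        raise SystemExit(1) from exc
    pout(f"Removed {fingerprint[:16]}...  from {store_dir}")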

trust_verify

trust_verify(package_file: str) -> None

Check whether a package's signing key is in the trusted store.

Source code in flavor/commands/trust.py
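@trust_group.command("verify")
@click.argument("package_file", type=click.Path(exists=True, dir_okay=False, resolve_path=True))
def trust_verify(package_file: str) -> None:
    """Check whether a package's signing key is in the trusted store.

    Only the key fingerprint recorded in the package index is looked up. Nothing
    in this command checks the package signature itself, so a "trusted" result
    means the key the package *claims* to be signed with is trusted, not that
    the package contents have been authenticated.

    Args:
        package_file: Path of the package to inspect.

    Exit codes:
        0: the key is trusted, or no trusted-keys store exists yet (a notice is
           printed and nothing is verified).
        1: the key is not in the trusted store.
        2: the package carries no usable key fingerprint.
    """
    pkg_path = Path(package_file)
    with PSPFReader(pkg_path) as reader:
        index = reader.read_index()

    # The attestation field is presumably NUL-padded; strip the padding first.
    fp_bytes = index.attestation_key_fp.rstrip(b"\x00")
    if not fp_bytes:
        perr("Package has no key fingerprint in attestation field.")
        raise SystemExit(2)

    # The package is untrusted input and the fingerprint is echoed to the
    # terminal below: reject non-ASCII and non-printable content instead of
    # raising a traceback or printing control characters.
    try:
        fp = fp_bytes.decode("ascii")
    except UnicodeDecodeError:
        perr("Package key fingerprint is not valid ASCII.")
        raise SystemExit(2) from None
    if not fp.isprintable():
        perr("Package key fingerprint contains non-printable characters.")
        raise SystemExit(2)

    result = is_key_trusted(fp)

    if result is None:
        pout(f"No trusted-keys store found. Key fingerprint: {fp[:16]}...")
        pout("Run `flavor init` to set up a key store.")
    elif result:
        pout(f"✓ Key {fp[:16]}... is trusted.")
    else:
        perr(f"✗ Key {fp[:16]}... is NOT in the trusted store.")
        raise SystemExit(1)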