/trdl

The universal solution for delivering your software updates securely from a trusted The Update Framework (TUF) repository.

Primary language: Go. License: Apache License 2.0 (Apache-2.0).

trdl


trdl (stands for "true delivery") is an Open Source solution providing a secure channel for delivering updates from the Git repository to the end user.

The project team releases new versions of the software and switches them in the release channels. Git acts as the single source of truth while Vault is used as a tool to verify operations as well as populate and maintain the TUF repository. The user selects a release channel, continuously receives the latest software version from the TUF repository, and uses it.

[Figure: Scheme]

We have been successfully using trdl to continuously deliver our werf CI/CD tool to CI runners and user hosts.

Architecture

trdl combines two key components: the server and the client.

trdl-server:

  • builds and releases software versions;
  • publishes the release channels (here is an example configuration from werf);
  • secures releases and publications by verifying that each action carries the minimum required number of valid GPG signatures;
  • secures the object storage by saving data signed by keys that no one has access to and by continuously rotating TUF keys and metadata.
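
The minimum-signature check from the list above, as an added example (not trdl's code): it uses Ed25519 from Go's standard library in place of GPG, and the Signature type, function names, key IDs and payload are hypothetical. It shows why a quorum has to count distinct trusted keys rather than raw signatures.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Signature pairs a signer's key ID with a signature (hypothetical type).
type Signature struct {
	KeyID string
	Sig   []byte
}

// CountValid returns how many distinct trusted keys validly signed msg.
// Unknown key IDs, bad signatures and repeats by one key add nothing.
func CountValid(msg []byte, trusted map[string]ed25519.PublicKey, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := trusted[s.KeyID]
		if ok && !seen[s.KeyID] && ed25519.Verify(pub, msg, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// QuorumMet reports whether at least `required` distinct trusted keys signed msg.
func QuorumMet(msg []byte, trusted map[string]ed25519.PublicKey, sigs []Signature, required int) bool {
	return required > 0 && CountValid(msg, trusted, sigs) >= required
}

// Demo runs a quorum of 2 over constructed keys and signatures.
func Demo() (distinct, repeated, untrusted bool) {
	msg := []byte("release v0.0.0") // constructed action payload
	trusted := map[string]ed25519.PublicKey{}
	sign := map[string]Signature{}
	for _, id := range []string{"alice", "bob", "mallory"} {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
		sign[id] = Signature{id, ed25519.Sign(priv, msg)}
		trusted[id] = pub
	}
	delete(trusted, "mallory") // mallory signs correctly but is not a trusted key
	distinct = QuorumMet(msg, trusted, []Signature{sign["alice"], sign["bob"]}, 2)
	repeated = QuorumMet(msg, trusted, []Signature{sign["alice"], sign["alice"]}, 2)
	untrusted = QuorumMet(msg, trusted, []Signature{sign["alice"], sign["mallory"]}, 2)
	return
}

func main() { fmt.Println(Demo()) }
```

Only the first case meets the quorum; a repeated signer and a valid signature from an untrusted key each leave the count at one.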

trdl-client:

  • manages software repositories;
  • updates the software version within the selected release channel;
  • makes software version artifacts easy to use in a shell session;
  • ensures safe communication by working with the TUF repository in a reliable fashion.

How it works

Releasing

[Figure: Release]

Publishing the channels

[Figure: Publication]

Installation

trdl-client

Download trdl client binaries from the GitHub Releases page, optionally verifying the binary with the PGP signature.

Documentation

The project's website is now available, with more information (including a developer quickstart) to follow soon.

Community & support

Please feel free to reach out to developers, maintainers and users via GitHub Discussions with any questions regarding trdl.

Issues posted to GitHub Issues are processed carefully.

License

Apache License 2.0, see LICENSE.