in-toto
Definition
in-toto is an open-source framework for securing the integrity of software supply chains. A project owner defines a signed layout that names each step of the chain (for example build and test), which keys may sign for each step and how many signatures are required (the threshold), the command each step is expected to run, and rules for the artifacts a step may consume (materials) and produce (products). Each party that performs a step records what it did, including the hashes of its materials and products, in signed link metadata. A verifier then checks that every step has enough link metadata signed by authorized keys and that the recorded artifacts satisfy the layout's rules, so that unauthorized modifications between steps are detected and the provenance of the final product can be established. Cryptographic signatures on the layout and links, together with the artifact hashes they carry, are what make these records trustworthy and auditable.
Secure Settings Example
An in-toto layout is a JSON document; the YAML-style listing below is a readable abbreviation of the same structure. Artifact rules are written in in-toto's own list syntax, and every rule list ends with DISALLOW * so that any artifact the earlier rules did not account for fails verification.

layout:
  keys:
    "<developer-key-id>":
      keyid: "<developer-key-id>"
      keyval:
        public: "<developer-public-key>"
    "<qa-key-id>":
      keyid: "<qa-key-id>"
      keyval:
        public: "<qa-public-key>"
  steps:
    - name: build
      expected_command: ["make", "build"]
      threshold: 1
      pubkeys: ["<developer-key-id>"]
      expected_materials:
        - ["ALLOW", "src/*"]
        - ["DISALLOW", "*"]
      expected_products:
        - ["CREATE", "bin/*"]
        - ["DISALLOW", "*"]
    - name: test
      expected_command: ["make", "test"]
      threshold: 1
      pubkeys: ["<qa-key-id>"]
      expected_materials:
        - ["MATCH", "bin/*", "WITH", "PRODUCTS", "FROM", "build"]
        - ["DISALLOW", "*"]
      expected_products:
        - ["CREATE", "test-reports/*"]
        - ["DISALLOW", "*"]

pubkeys and threshold restrict who can vouch for a step: the build link must be signed by the developer key, the test link by the QA key, and at least one such signature must be present for each. Raising threshold to 2 would require links from two distinct authorized signers, and in-toto additionally requires those links to agree on the recorded artifacts. The MATCH rule in the test step is what ties the chain together: the binaries the tester consumed must have the same path and hash as the products the build step recorded, so a binary swapped between build and test fails verification. CREATE requires that bin/* and test-reports/* appear as products that were not already present as materials of the same step.

Rules are applied in order and each consumes the artifacts it matches; artifacts that no rule consumed are allowed by default, which is why the closing DISALLOW * is essential rather than cosmetic. Note also that in the Python reference implementation a mismatch between the command actually recorded in the link and expected_command only produces a warning, so the signatures and artifact rules, not the command check, are what enforce integrity.
Insecure Settings Example
layout:
  keys: {}                       # no keys defined: there is nothing to verify link signatures against
  steps:
    - name: build
      expected_command: ["make", "build"]
      threshold: 0               # no signed link is required for the step to be considered done
      pubkeys: []                # nobody is authorized, so no link can ever count as legitimate
      expected_materials: []     # no rules: any input is accepted without question
      expected_products: []      # no rules: any output is accepted, including planted files
    - name: test
      expected_command: ["make", "test"]
      threshold: 0
      pubkeys: []
      expected_materials: []     # nothing ties the tested binary to the build step's products
      expected_products: []

This layout verifies nothing: with no keys and no authorized signers no link can be attributed to anyone, a threshold of 0 asks for no evidence that the step ran at all, and empty rule lists place no constraint on what went into or came out of either step. The MATCH relationship between build and test is also gone, so a binary could be replaced between the two steps without any record of it.

A subtler version of the same mistake is a rule list that looks strict but omits the closing DISALLOW *: because artifacts that match no rule are allowed by default, an unexpected file (for example a material whose hash did not MATCH the previous step's product) passes silently instead of failing verification.
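The following is an added example, not code from in-toto itself: a miniature verifier in Python (the language of the in-toto reference implementation) that applies a layout in the shape used on this page to link metadata, using in-toto's list-style artifact rules. It models what the secure and insecure settings above actually buy: signer authorization against pubkeys, the threshold, the warning-only command check, and ordered artifact rules where a MATCH failure is only caught by a closing DISALLOW *. It assumes the cryptographic signature on each link has already been checked (only the signer's keyid is examined), the key entries carry no real key material, and all file hashes are digests of constructed sample contents.

```python
"""Miniature in-toto style verifier, written for this page (not in-toto's code).

Steps carry the fields used on this page plus in-toto's list-style artifact
rules; a link records who signed a step, the command, and material/product
hashes. Signature checking is assumed done: only the signer's keyid is checked.
"""
import fnmatch
import hashlib


class VerificationError(Exception):
    """The links do not satisfy the layout."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_rules(step, kind, rules, link, accepted):
    """Apply a rule list in order; each rule consumes the artifacts it matches.
    Whatever is left over is returned: in-toto allows it unless a closing
    DISALLOW rule rejects it."""
    queue = dict(link[kind])
    for rule in rules:
        verb, pattern = rule[0].upper(), rule[1]
        hits = {p: h for p, h in queue.items() if fnmatch.fnmatch(p, pattern)}
        if verb == "ALLOW":
            consumed = hits
        elif verb == "DISALLOW":
            if hits:
                raise VerificationError(f"{step}: {kind} {sorted(hits)} hit {rule}")
            consumed = {}
        elif verb == "CREATE":  # products that did not already exist as materials
            consumed = {p: h for p, h in hits.items() if p not in link["materials"]}
        elif verb == "MATCH":  # ["MATCH", pat, "WITH", "MATERIALS"|"PRODUCTS", "FROM", step]
            other = accepted.get(rule[5])
            if other is None:
                raise VerificationError(f"{step}: MATCH against unknown step {rule[5]!r}")
            target = other[rule[3].lower()]
            # Consumed only if the other step recorded the same path with the same hash.
            consumed = {p: h for p, h in hits.items() if target.get(p) == h}
        else:
            raise VerificationError(f"{step}: unsupported rule {rule}")
        for path in consumed:
            del queue[path]
    return queue


def verify_layout(layout, links):
    """Raise VerificationError, or return warnings plus unmatched artifacts per step."""
    accepted, warnings = {}, []
    for step in layout["steps"]:
        name = step["name"]
        valid = [l for l in links if l["name"] == name
                 and l["keyid"] in step["pubkeys"] and l["keyid"] in layout["keys"]]
        if not valid or len({l["keyid"] for l in valid}) < step["threshold"]:
            raise VerificationError(f"{name}: {len(valid)} authorized link(s) for threshold {step['threshold']}")
        for other in valid[1:]:  # threshold > 1: all signers must agree on the artifacts
            if (other["materials"], other["products"]) != (valid[0]["materials"], valid[0]["products"]):
                raise VerificationError(f"{name}: signers disagree on artifacts")
        if valid[0]["command"] != step["expected_command"]:  # warning only, as in the reference implementation
            warnings.append(f"{name}: ran {valid[0]['command']}, expected {step['expected_command']}")
        accepted[name] = valid[0]
    unmatched = {s["name"]: {k: verify_rules(s["name"], k, s["expected_" + k], accepted[s["name"]], accepted)
                             for k in ("materials", "products")} for s in layout["steps"]}
    return {"warnings": warnings, "unmatched": unmatched}


def passes(layout, links):
    try:
        verify_layout(layout, links)
        return True
    except VerificationError:
        return False


# Constructed sample data: digests of made-up file contents stand in for real files.
SRC, APP, REPORT = (sha256_hex(b) for b in (b"package main\n", b"\x7fELF honest build", b"tests: ok\n"))
SWAPPED = sha256_hex(b"\x7fELF binary substituted before test")


def page_layout(strict):
    """This page's build/test layout; strict=True closes each rule list with DISALLOW *."""
    tail = [["DISALLOW", "*"]] if strict else []
    return {"keys": {"dev-key": {}, "qa-key": {}},  # public key material omitted in this model
            "steps": [
                {"name": "build", "expected_command": ["make", "build"], "threshold": 1, "pubkeys": ["dev-key"],
                 "expected_materials": [["ALLOW", "src/*"]] + tail, "expected_products": [["CREATE", "bin/*"]] + tail},
                {"name": "test", "expected_command": ["make", "test"], "threshold": 1, "pubkeys": ["qa-key"],
                 "expected_materials": [["MATCH", "bin/*", "WITH", "PRODUCTS", "FROM", "build"]] + tail,
                 "expected_products": [["CREATE", "test-reports/*"]] + tail}]}


def link(name, keyid, command, materials, products):
    return {"name": name, "keyid": keyid, "command": command, "materials": materials, "products": products}


BUILD = link("build", "dev-key", ["make", "build"], {"src/main.go": SRC}, {"bin/app": APP})
HONEST = [BUILD, link("test", "qa-key", ["make", "test"], {"bin/app": APP}, {"test-reports/junit.xml": REPORT})]
# QA tested a different binary than build produced: MATCH leaves bin/app unconsumed.
TAMPERED = [BUILD, link("test", "qa-key", ["make", "test"], {"bin/app": SWAPPED}, {"test-reports/junit.xml": REPORT})]
# The build link is signed by the QA key, which the build step does not authorize.
WRONG_SIGNER = [link("build", "qa-key", ["make", "build"], {"src/main.go": SRC}, {"bin/app": APP}), HONEST[1]]
```

Calling passes(page_layout(True), HONEST) returns True, passes(page_layout(True), TAMPERED) returns False because DISALLOW * catches the bin/app material that MATCH could not pair with the build step's product, and passes(page_layout(False), TAMPERED) returns True: without the closing DISALLOW the swapped binary is merely reported in the "unmatched" part of the verify_layout result, which is the silent failure mode the insecure example above describes. WRONG_SIGNER fails at the threshold check before any artifact rule runs.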