IN-TOTO
Supply chain provenance and attestations framework.
Definition
in-toto produces Layout files (steps, inspections), signed Link metadata (materials, products, byproducts, environment). Subjects identified by SHA-256 hash. Final inspections verify integrity. DSSE (Dead Simple Signing Envelope) signature. Specification v1.0 (2023).
Origin
Created by NYU Secure Systems Lab (Justin Cappos) in 2018.
Example in context
A CD pipeline emits in-toto link metadata for each step (build, test, sign, push).
Related terms
- SLSA levels — consumer framework.