LinuxCommandLibrary

in-toto-record

creates supply chain attestations for build steps

TLDR

Start recording
$ in-toto-record start -n [step_name] -k [key.pem]

Stop recording
$ in-toto-record stop -n [step_name] -k [key.pem] -p [products]

Record with materials
$ in-toto-record start -n [step] -k [key] -m [src/]

Specify products
$ in-toto-record stop -n [step] -k [key] -p [dist/]

SYNOPSIS

in-toto-record command [options]

DESCRIPTION

in-toto-record creates supply chain attestations for build steps. It records materials before and products after a step, generating signed link metadata.
The tool supports split recording where start and stop are separate commands. This allows recording steps that span multiple commands or sessions.
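
An added illustration (not part of the original page and not in-toto's own code) of what split recording captures: a simplified Python model that hashes materials at start, parks them in an unfinished record, adds product hashes at stop, and then catches a later modification of a product by re-hashing. The helper names and the state-file name are hypothetical, and the signing done with the -k key is not modelled.

```python
# Simplified model (hypothetical helper names); not in-toto's code, and signing is omitted.
import hashlib, json, os, tempfile
from pathlib import Path

def hash_artifacts(paths):
    """Return {file: {"sha256": digest}} for every file at or under the given paths."""
    files = [p for p in paths if os.path.isfile(p)]
    for p in paths:
        for dirpath, _dirs, names in os.walk(p):
            files += [os.path.join(dirpath, n) for n in names]
    return {f: {"sha256": hashlib.sha256(Path(f).read_bytes()).hexdigest()}
            for f in sorted(files)}

def start(step, materials, state_file):
    """'start': hash the materials now and park them in an unfinished record."""
    link = {"_type": "link", "name": step,
            "materials": hash_artifacts(materials), "products": {}}
    Path(state_file).write_text(json.dumps(link))

def stop(step, products, state_file):
    """'stop': reload the unfinished record, add product hashes, return the link."""
    link = json.loads(Path(state_file).read_text())
    if link["name"] != step:
        raise ValueError(f"unfinished record is for step {link['name']!r}")
    link["products"] = hash_artifacts(products)
    os.remove(state_file)
    return link  # the real tool signs this with the -k key; not modelled here

def changed_since(recorded):
    """Paths whose current content no longer matches the recorded hashes."""
    current = hash_artifacts(list(recorded))
    return sorted(p for p in recorded if current.get(p) != recorded[p])

def demo():
    root = tempfile.mkdtemp()
    src, dist = os.path.join(root, "src"), os.path.join(root, "dist")
    for d in (src, dist):
        os.makedirs(d)
    Path(src, "main.c").write_text("int main(void){return 0;}\n")  # constructed input
    state = os.path.join(root, ".build.link-unfinished")  # hypothetical state file
    start("build", [src], state)
    app = Path(dist, "app")
    app.write_text("constructed build output\n")  # the step may span many commands
    link = stop("build", [dist], state)
    clean = changed_since(link["products"])
    app.write_text("modified after recording stopped\n")
    return link, clean, changed_since(link["products"])

if __name__ == "__main__":
    print(demo()[1:])
```

The second list returned by `demo()` names the product that changed after recording stopped; a file deleted after `stop` is reported the same way, because it no longer has a hash to compare.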

PARAMETERS

start
Begin recording step.
stop
Finish recording step.
-n NAME
Step name.
-k KEY
Signing key file.
-m MATERIALS
Input materials paths.
-p PRODUCTS
Output products paths.
--help
Display help information.

CAVEATS

Requires a signing key. Part of the in-toto framework. Links must be verified.

HISTORY

in-toto-record is part of in-toto, a framework for supply chain integrity developed at the NYU Secure Systems Lab.
