LinuxCommandLibrary

in-toto-record

Record file hashes and create in-toto metadata

TLDR

Start the record (creates a preliminary link file; `-n` names the step and `-m` lists the materials to hash):

$ in-toto-record start -n step_name -k path/to/key_file -m path/to/edit_file1 path/to/edit_file2 ...

Stop the record (expects a preliminary link file; `-p` lists the products to hash before the link is signed and written):

$ in-toto-record stop -n step_name -k path/to/key_file -p path/to/edit_file1 path/to/edit_file2 ...

SYNOPSIS

in-toto-record [OPTIONS]
in-toto-record start ...
in-toto-record stop ...

PARAMETERS

--version
    Show program's version number and exit.

-v, --verbose
    Increase verbosity.

-q, --quiet
    Decrease verbosity.

-k, --key
    Path to the private key used to sign the link metadata.

--link-metadata-out
    Specify the directory where the link metadata should be written.

start
    Hash the given materials and write a preliminary (unsigned) link file with the specified step name.

stop
    Hash the given products, merge them into the preliminary link file, sign it and write the final link metadata.


    Name of link metadata file to be created


    File patterns for files to be added to the link metadata

DESCRIPTION

The `in-toto-record` command is part of the in-toto framework, a supply chain security framework that provides end-to-end integrity for software artifacts. `in-toto-record` generates the link metadata that captures one step of the software supply chain; the related `in-toto-verify` checks that metadata against a layout. It is designed to be incorporated into automated build processes to generate tamper-evident provenance data, linking artifacts to the steps that created them, and so helps build a verifiable chain of custody for software from development to deployment. A link created by `in-toto-record` records the hashes of a step's input artifacts (materials) and output artifacts (products). The in-toto metadata format is JSON wrapped in a signed envelope, and supports multiple signing keys for redundancy and security. By recording metadata throughout the supply chain and verifying its integrity, organizations can increase trust and assurance in their software.

WORKFLOW

The typical workflow is to run `in-toto-record start` before a manual or interactive step, passing the input files as materials; the command hashes them and stores a preliminary link file. After the step is done, `in-toto-record stop` is called with the output files as products; it hashes them, merges them into the preliminary link, signs the result and writes the final link metadata.
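To make the start/stop model concrete, the following is an added Python example (not in-toto's own code) that mimics what the two subcommands record: a hash snapshot of the materials at `start` and of the products at `stop`, laid out like the unsigned body of an in-toto link. Signing with the key passed via `-k` is left to in-toto itself and not reproduced; the file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_artifact(path: str) -> dict:
    """Per-artifact record in the shape in-toto link metadata uses: {"sha256": hex}."""
    return {"sha256": hashlib.sha256(Path(path).read_bytes()).hexdigest()}

def record_artifacts(paths, base: str) -> dict:
    """Map each path (relative to base, as in-toto stores it) to its hash record."""
    return {os.path.relpath(p, base): hash_artifact(p) for p in sorted(paths)}

def start_record(step_name: str, materials, base: str) -> dict:
    """Mirror `in-toto-record start`: snapshot materials into a preliminary link body."""
    return {"_type": "link", "name": step_name, "command": [],
            "materials": record_artifacts(materials, base), "products": {},
            "byproducts": {}, "environment": {}}

def stop_record(prelim: dict, products, base: str) -> dict:
    """Mirror `in-toto-record stop`: add product hashes to the preliminary link."""
    link = dict(prelim)
    link["products"] = record_artifacts(products, base)
    return link

def changed_artifacts(link: dict) -> dict:
    """Classify products relative to materials, the view a verifier reasons about."""
    m, p = link["materials"], link["products"]
    return {
        "modified": sorted(k for k in m if k in p and m[k] != p[k]),
        "added": sorted(k for k in p if k not in m),
        "removed": sorted(k for k in m if k not in p),
    }

def demo() -> dict:
    """Constructed sample: one source file is edited between start and stop."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d, "main.c")
        src.write_text("int main(){return 0;}\n")
        keep = Path(d, "README")
        keep.write_text("unchanged\n")
        prelim = start_record("edit-source", [str(src), str(keep)], d)
        src.write_text("int main(){return 1;}\n")  # the manual edit step
        out = Path(d, "main.o")
        out.write_bytes(b"\x7fELF")  # constructed build output
        link = stop_record(prelim, [str(src), str(keep), str(out)], d)
        return changed_artifacts(link)
```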

SECURITY CONSIDERATIONS

The security of `in-toto-record` relies on the secure management of signing keys. It is crucial to protect the private key used for signing the metadata to prevent tampering.

If the host running the tool or its signing key is compromised, the link metadata it produces can no longer be trusted.

HISTORY

The `in-toto-record` command is part of the in-toto framework, which was developed as a research project to address supply chain security challenges. It gained traction as a solution to provide verifiable provenance data for software builds, aiming to mitigate threats such as supply chain attacks. The tool's evolution is closely tied to the development and adoption of the in-toto specification. It aims to provide cryptographically verifiable guarantees about the steps of a software supply chain.

SEE ALSO

in-toto-run(1), in-toto-verify(1)
