in-toto-record

creates supply chain attestations for build steps

TLDR

Start recording

$ in-toto-record start -n [step_name] -k [key.pem]

Stop recording

$ in-toto-record stop -n [step_name] -k [key.pem] -p [products]

Record with materials

$ in-toto-record start -n [step] -k [key] -m [src/]

Specify products

$ in-toto-record stop -n [step] -k [key] -p [dist/]

SYNOPSIS

in-toto-record command [options]

in-toto-record creates supply chain attestations for build steps. It records materials before and products after a step, generating signed link metadata.The tool supports split recording where start and stop are separate commands. This allows recording steps that span multiple commands or sessions.

PARAMETERS

start

Begin recording step.

stop

Finish recording step.

-n NAME

Step name (used to associate link with layout step).

-k KEY, --signing-key KEY

Path to signing key file.

-g ID, --gpg ID

GPG keyid used to sign the resulting link metadata.

--gpg-home PATH

Path to GPG home directory.

-m MATERIALS

Input materials paths (used with start).

-p PRODUCTS

Output products paths (used with stop).

-d DIR

Directory to store resulting link metadata (used with stop).

--exclude PATTERN

Path patterns to exclude from recording.

--base-path PATH

Base path for relative material/product paths.

--lstrip-paths PREFIX

Left-strip path prefix before storing in link metadata.

--use-dsse

Use DSSE envelope format for signing.

-v

Verbose output.

-q

Quiet mode.

CAVEATS

Requires signing key. Part of in-toto framework. Links must be verified.

HISTORY

in-toto-record is part of in-toto, a framework for supply chain integrity developed at NYU Secure Systems Lab.