LinuxCommandLibrary

in-toto-sign

Sign software artifacts using in-toto attestations

TLDR

Sign 'unsigned.layout' with two keys and write it to 'root.layout'

$ in-toto-sign [[-f|--file]] [unsigned.layout] [[-k|--key]] [priv_key1] [priv_key2] [[-o|--output]] [root.layout]

Replace signature in link file and write to default filename

$ in-toto-sign [[-f|--file]] [package.2f89b927.link] [[-k|--key]] [priv_key]

Verify a layout signed with 3 keys

$ in-toto-sign [[-f|--file]] [root.layout] [[-k|--key]] [pub_key0] [pub_key1] [pub_key2] --verify

Sign a layout with the default GPG key in default GPG keyring

$ in-toto-sign [[-f|--file]] [root.layout] [[-g|--gpg]]

Verify a layout with a GPG key identified by keyid '...439F3C2'

$ in-toto-sign [[-f|--file]] [root.layout] --verify [[-g|--gpg]] [...439F3C2]

SYNOPSIS

in-toto-sign [-h | --help] [--version] [--key KEY] [--key-type {rsa,ed25519}] [--hash-algorithm {sha256,sha384,sha512}] [--normalize] ARTIFACT

PARAMETERS

-h, --help
    Show help message and exit.

--version
    Show program's version number and exit.

--key KEY
    Path to PEM private key file for signing (or use IN_TOTO_SIGN_KEY env var).

--key-type {rsa,ed25519}
    Asymmetric key type for signing.

--hash-algorithm {sha256,sha384,sha512}
    Hash algorithm for signature computation (default: sha256).

--normalize
    Canonicalize layout fields before signing (default: false).

DESCRIPTION

in-toto-sign is a command-line tool from the in-toto project for cryptographically signing supply chain security metadata, including layouts, links, and statements. These artifacts attest to actions in software supply chains, and signatures ensure their authenticity and integrity against tampering.

The tool loads a private key (RSA or Ed25519), reads the JSON artifact file, optionally normalizes layouts, computes a signature over the canonicalized content using a specified hash algorithm (SHA256, SHA384, or SHA512), and appends the signature in the standard in-toto format. The original file is modified in place.

It supports key files in PEM format and can use the IN_TOTO_SIGN_KEY environment variable as a fallback. Signed artifacts are verifiable with tools like in-toto-verify, enabling trusted verification of supply chain steps from materials to deployment.
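To make the signing step concrete, here is an added Python example (not part of this page or of the in-toto code base) that reimplements the signing input the description refers to: the 'signed' section is encoded as OLPC canonical JSON, the rules in-toto's metadata library applies, hashed with one of the three listed algorithms, and the result is stored in the metablock's 'signatures' list. The asymmetric key step is replaced by a labelled HMAC stand-in so the file runs on the standard library alone; the layout content, the keyids and the append option are constructed for this example.

```python
import hashlib
import hmac
import re

SUPPORTED_HASHES = ("sha256", "sha384", "sha512")  # the algorithms the page lists

def canonical_json(obj) -> str:
    """OLPC canonical JSON (in-toto's signing input): sorted keys, no whitespace,
    only '"' and '\\' escaped in strings, literal true/false/null, no floats."""
    if isinstance(obj, str):
        return '"%s"' % re.sub(r'(["\\])', r"\\\1", obj)
    if obj is True or obj is False or obj is None:
        return {True: "true", False: "false", None: "null"}[obj]
    if isinstance(obj, int):
        return str(obj)
    if isinstance(obj, (list, tuple)):
        return "[" + ",".join(canonical_json(i) for i in obj) + "]"
    if isinstance(obj, dict):
        return "{" + ",".join(f"{canonical_json(k)}:{canonical_json(v)}" for k, v in sorted(obj.items())) + "}"
    raise TypeError(f"not representable in canonical JSON: {type(obj).__name__}")

def signing_digest(signed: dict, hash_algorithm: str = "sha256") -> str:
    """Hex digest of the canonical 'signed' section; this is what the signature covers."""
    if hash_algorithm not in SUPPORTED_HASHES:
        raise ValueError(f"unsupported hash algorithm: {hash_algorithm}")
    return hashlib.new(hash_algorithm, canonical_json(signed).encode("utf-8")).hexdigest()

def sign_metablock(metablock: dict, keyid: str, sign_fn, hash_algorithm="sha256", append=False) -> dict:
    """Attach sign_fn's signature over 'signed'. The default replaces existing signatures (the TLDR's
    'replace signature' case); append=True (this example's own option) keeps other keyids, never duplicates."""
    sig = {"keyid": keyid, "sig": sign_fn(signing_digest(metablock["signed"], hash_algorithm))}
    kept = [s for s in metablock.get("signatures", []) if s["keyid"] != keyid] if append else []
    return {"signatures": kept + [sig], "signed": metablock["signed"]}

def verify_metablock(metablock: dict, keyid: str, verify_fn, hash_algorithm="sha256") -> bool:
    """Recompute the digest from 'signed' (never trust a stored one) and check keyid's entry."""
    digest = signing_digest(metablock["signed"], hash_algorithm)
    return any(s["keyid"] == keyid and verify_fn(digest, s["sig"]) for s in metablock.get("signatures", []))

def hmac_stand_in(secret: bytes):
    """Constructed symmetric stand-in so this file runs on the standard library alone;
    in-toto-sign performs this step with the RSA or Ed25519 private key instead."""
    sign = lambda digest: hmac.new(secret, digest.encode(), "sha256").hexdigest()
    return sign, lambda digest, sig: hmac.compare_digest(sign(digest), sig)

# Constructed minimal layout 'signed' section for the demo (not real project metadata).
LAYOUT = {"_type": "layout", "expires": "2030-01-01T00:00:00Z", "readme": "", "keys": {}, "inspect": [],
          "steps": [{"_type": "step", "name": "build", "threshold": 1, "pubkeys": [], "expected_materials": [],
                     "expected_products": [["CREATE", "dist/pkg.tar.gz"]], "expected_command": ["make", "dist"]}]}
```

Reordering or re-indenting the JSON leaves the digest unchanged, while editing any field in 'signed' invalidates every signature, which is why verification must recompute the canonical form rather than trust the stored bytes.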

This utility is vital for supply chain participants (e.g., builders, testers) to produce verifiable attestations, aligning with SLSA and other frameworks for securing CI/CD pipelines.

CAVEATS

Modifies the artifact file in place; keep a backup. Requires access to a valid private key. Signs only the supported artifact types (layouts, links, statements).

EXAMPLES

in-toto-sign --key private.pem link.json
in-toto-sign --key-type ed25519 --hash-algorithm sha512 --normalize layout.json

KEY FORMATS

Supports unencrypted PEM keys: Ed25519 for efficiency, RSA for compatibility.

HISTORY

Part of the in-toto project, launched in 2017 by NYU, IBM, and Google researchers to secure software supply chains. It has evolved alongside the SLSA framework; current versions ship in the python-in-toto package.

SEE ALSO

in-toto-run(1), in-toto-verify(1), in-toto-layout-to-json(1)
