in-toto-sign

Sign in-toto link or layout metadata or verify their signatures.

TLDR

Sign 'unsigned.layout' with two keys and write it to 'root.layout'

$ in-toto-sign -f [unsigned.layout] -k [priv_key1] [priv_key2] -o [root.layout]
copy

Replace signature in link file and write to default filename

$ in-toto-sign -f [package.2f89b927.link] -k [priv_key]
copy

Verify a layout signed with 3 keys

$ in-toto-sign -f [root.layout] -k [pub_key0] [pub_key1] [pub_key2] --verify
copy

Sign a layout with the default GPG key in default GPG keyring

$ in-toto-sign -f [root.layout] --gpg
copy

Verify a layout with a GPG key identified by keyid '...439F3C2'

$ in-toto-sign -f [root.layout] --verify --gpg [...439F3C2]
copy

Copied to clipboard
chromebooks