in-toto-sign

Sign in-toto link or layout metadata or verify their signatures.

TLDR

Sign 'unsigned.layout' with two keys and write it to 'root.layout'

$ in-toto-sign -f [unsigned.layout] -k [priv_key1] [priv_key2] -o [root.layout]
copy


Replace signature in link file and write to default filename
$ in-toto-sign -f [package.2f89b927.link] -k [priv_key]
copy


Verify a layout signed with 3 keys
$ in-toto-sign -f [root.layout] -k [pub_key0] [pub_key1] [pub_key2] --verify
copy


Sign a layout with the default GPG key in default GPG keyring
$ in-toto-sign -f [root.layout] --gpg
copy


Verify a layout with a GPG key identified by keyid '...439F3C2'
$ in-toto-sign -f [root.layout] --verify --gpg [...439F3C2]
copy

Copied to clipboard