View on GitHub


A framework to secure the integrity of software supply chains

Download this project as a .zip file Download this project as a tar.gz file

A software supply chain is the series of steps performed when writing, testing, packaging, and distributing software. A typical software supply chain is composed of multiple steps "chained" together that transform (e.g., compilation) or verify the state (e.g., linting) of the project in order to drive it to a final product.

Supply chain security is crucial to the overall security of a software product. An attacker who is able to control a step in the supply chain can alter the product for malicious intents that range from introducing backdoors in the source code to including vulnerable libraries in the final product. As a result, supply chain breaches are an impactful means for an attacker to affect multiple users at once.

Although many frameworks exist to ensure security in the "last mile" (e.g., software updaters), they may be providing integrity and authentication to a product that is already vulnerable; it is possible that, by the time the package makes it to a software update repository, it has already been compromised.

in-toto is designed to ensure the integrity of a software product from initiation to end-user installation. It does so by making it transparent to the user what steps were performed, by whom and in what order. As a result, with some guidance from the group creating the software, in-toto allows the user to verify if a step in the supply chain was intended to be performed, and if the step was performed by the right actor.

You can read more about in-toto's internals in our latest or stable specification.

Frequently Asked Questions

Where can I read more about in-toto?
You can read more about how in-toto works by taking a look at our specification

Where can I try in-toto?
We have an open-source reference implementation, which is still under heavy development. You can also try our demo application here


08/10/17 Lukas presented in-toto at Debian's Debconf 2017. You can watch the video of the talk here.
02/06/17 We presented a demo of in-toto at Dockercon 2017. You can watch the video here.
14/10/16 We presented a demo of in-toto in the Docker Distributed System Summit. You can watch the video here.
07/10/16 We are live! please check back soon for more updates.