A framework to secure the integrity of software supply chains


We are actively working with repeatr to create a cross-compatible metadata format that can be used both for supply-chain step memoization and for supply-chain security.
We are participating in the reproducible builds community to improve the security properties of build systems. We are also integrating in-toto into reprotest, so that people can create in-toto metadata attesting to the reproducibility of a step.
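To make concrete what "metadata attesting to the reproducibility of a step" looks like, here is an added, simplified example (not code from in-toto or reprotest). It builds, by hand, dictionaries that mirror the signed portion of an in-toto link (materials and products keyed by path with SHA-256 digests; the signature envelope is omitted), runs a constructed stand-in build step twice, and compares the two links' product digests. The `deterministic_build` and `nondeterministic_build` functions, the `builder_id` parameter and the sample source files are all constructed for illustration.

```python
"""Simplified illustration of per-step link metadata used to attest reproducibility.

Hypothetical example: the dict layout mirrors the signed part of in-toto link
metadata, but the links are assembled here by hand rather than with the
in-toto library, and the build steps are constructed stand-ins.
"""
import hashlib
from typing import Callable, Dict, List

# Constructed sample inputs: a tiny "source tree" kept in memory.
SAMPLE_MATERIALS: Dict[str, bytes] = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "Makefile": b"all: main\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_artifacts(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Record each artifact as {path: {"sha256": digest}}, as in-toto links do."""
    return {path: {"sha256": sha256_hex(content)}
            for path, content in sorted(files.items())}


def deterministic_build(materials: Dict[str, bytes]) -> Dict[str, bytes]:
    # Constructed stand-in for a reproducible build: output depends only on inputs.
    blob = b"".join(materials[p] for p in sorted(materials))
    return {"build/main": blob}


def nondeterministic_build(materials: Dict[str, bytes], builder_id: str = "") -> Dict[str, bytes]:
    # Constructed stand-in for a non-reproducible build: output embeds builder-specific data
    # (think build paths, timestamps or hostnames leaking into the artifact).
    blob = b"".join(materials[p] for p in sorted(materials)) + builder_id.encode()
    return {"build/main": blob}


def run_step(name: str, materials: Dict[str, bytes],
             build: Callable[..., Dict[str, bytes]], **build_kwargs) -> dict:
    """Run one supply-chain step and return link metadata describing it."""
    products = build(materials, **build_kwargs)
    return {
        "_type": "link",
        "name": name,
        "command": ["make", "all"],  # constructed: the command the step would run
        "materials": record_artifacts(materials),
        "products": record_artifacts(products),
        "byproducts": {},
        "environment": {},
    }


def products_match(link_a: dict, link_b: dict) -> bool:
    """Reproducibility check: identical materials must yield identical products."""
    if link_a["materials"] != link_b["materials"]:
        raise ValueError("links were not produced from the same materials")
    return link_a["products"] == link_b["products"]


def differing_products(link_a: dict, link_b: dict) -> List[str]:
    """List product paths whose digests differ between two links of the same step."""
    paths = set(link_a["products"]) | set(link_b["products"])
    return sorted(p for p in paths
                  if link_a["products"].get(p) != link_b["products"].get(p))


if __name__ == "__main__":
    # Two independent runs of a reproducible step agree on every product digest.
    first = run_step("build", SAMPLE_MATERIALS, deterministic_build)
    second = run_step("build", SAMPLE_MATERIALS, deterministic_build)
    print("reproducible step matches:", products_match(first, second))

    # Two runs of a non-reproducible step disagree, and the check names the artifact.
    third = run_step("build", SAMPLE_MATERIALS, nondeterministic_build, builder_id="builder-a")
    fourth = run_step("build", SAMPLE_MATERIALS, nondeterministic_build, builder_id="builder-b")
    print("non-reproducible step matches:", products_match(third, fourth))
    print("differing products:", differing_products(third, fourth))
```

The point of comparing two links rather than two build directories is that each link is a self-contained record of what went in and what came out; once signed by the party that ran the step, it can be verified later by someone who never had access to either build machine.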
We are working with the git community to improve the security model of git metadata signing. We have already contributed three series of patches ensuring that GPG-signed git tags cannot be spoofed.
We are actively working with the Debian community so that in-toto metadata is generated within Debian's software supply chain. In addition, we intend to have in-toto metadata verified when using Debian's dpkg/apt toolchain.
The Arch Linux community has already included our patches for git tag verification. We aim for an integration similar to Debian's in the future.
Docker is currently trying out in-toto metadata internally to protect the security properties of its pipelines.
We have a demo deployment of openSUSE's OBS using in-toto. We are working with the openSUSE community to generate in-toto link metadata within their OBS services.