A framework to secure the integrity of software supply chains


10/19/18 Colin Domoney gave a talk at this year's DevSecCon London. He covered some of the fundamentals of using in-toto to protect your cloud native deployment, as well as some other good supply-chain security practices.
05/29/18 Pacman 5.1 has been released! This new version adds support for reproducible builds and includes a security check for tampered git tag metadata.
05/17/18 An LWN article has been published, covering various supply chain security issues and their solutions, including Grafeas, The Update Framework, and in-toto.
05/02/18 We presented in-toto along with Grafeas at KubeCon 2018.
04/12/18 Grafeas mentioned the in-toto integration plans on today's Google Cloud Platform blog.
03/03/18 Our le-git-imate paper on improving the security of web-based Git repositories has been accepted at ASIACCS 2018!
02/20/18 We will present an integration of in-toto and Grafeas at KubeCon + CloudNativeCon Europe 2018 on May 2 in Copenhagen, Denmark.
10/17/17 A fix for the git tag metadata tampering attack described in our [USENIX'16] paper has been included in the master branch of the pacman package manager and will be included in the next release.
08/10/17 Lukas presented in-toto at Debian's DebConf 2017. You can watch the video of the talk here.
02/06/17 We presented a demo of in-toto at DockerCon 2017. You can watch the video here.
01/17/17 A fix for our git tag metadata tampering vulnerability was merged into git's master branch and will be available starting from git v2.12. You can read more about it in our [USENIX'16] paper.
10/14/16 We presented a demo of in-toto at the Docker Distributed System Summit. You can watch the video here.
10/07/16 We are live! Please check back soon for more updates.