In-toto is an open-source framework that secures software supply chains by generating a cryptographically signed, verifiable record of every step in the development and delivery process. It binds each action—from code commit to build to deployment—to a specific identity and set of trusted materials, creating an unforgeable chain of custody that prevents tampering.
Glossary
In-toto

What is In-toto?
In-toto is a framework that cryptographically attests to the integrity of every step in a software supply chain, creating a verifiable, end-to-end record of who performed what action and what materials were used.
The framework operates by defining a supply chain layout that specifies the authorized functionaries, expected artifacts, and required steps. Each step produces a link metadata file containing cryptographic hashes of inputs and outputs, which are then verified against the layout. This allows auditors to detect dependency confusion, unauthorized modifications, or compromised build infrastructure by verifying the integrity of the entire pipeline.
Key Features of In-toto
In-toto secures the software supply chain by cryptographically linking every step—from development to deployment—into a verifiable, end-to-end attestation. Below are the core mechanisms that make this framework a cornerstone of AI supply chain security.
Supply Chain Layout Definition
The process begins with a layout, a signed policy document that defines the authorized sequence of steps, the functionaries trusted to perform them, and the expected materials and products. This establishes the expected state against which the actual supply chain execution is verified.
- Defines the functionaries (developers, CI/CD systems) via public keys
- Specifies inspection steps to verify artifact integrity
- Acts as the single source of truth for the entire pipeline
Link Metadata Generation
As each step in the pipeline executes, a link is generated—a cryptographically signed statement recording the materials consumed, the command run, and the products created. These links form the verifiable evidence of what actually occurred.
- Records materials (inputs like source code hashes) and products (outputs like container digests)
- Signed with the functionary's private key for non-repudiation
- Captures the environment, command, and return value for full auditability
End-to-End Verification
The in-toto verifier consumes the layout and all generated links, then walks the entire supply chain graph to cryptographically validate that every step was performed by an authorized functionary, using the correct materials, in the prescribed order.
- Validates signature thresholds for multi-party approval
- Checks artifact hashes to detect tampering or substitution
- Fails closed if any link is missing, unauthorized, or out of sequence
Integration with Sigstore and TUF
In-toto operates within a broader ecosystem of supply chain security tools. It integrates natively with Sigstore for keyless signing using OIDC identities and with The Update Framework (TUF) to secure the distribution of layouts and public keys.
- Cosign can generate in-toto attestations for container images
- Rekor transparency log provides an immutable record of signed links
- TUF protects the root of trust for the layout's public key distribution
Real-World Application: AI Model Provenance
For AI supply chains, in-toto can attest to the integrity of the entire model training pipeline. A layout can enforce that a specific dataset version was used, a verified training script executed, and the resulting model weights were produced without tampering.
- Links the dataset hash to the training code to the model artifact
- Prevents data poisoning by verifying the exact training materials
- Provides a verifiable model provenance record for compliance and audit
Frequently Asked Questions
Clear, technical answers to the most common questions about the in-toto framework, its cryptographic mechanisms, and its role in securing software supply chains against advanced persistent threats.
In-toto is a framework that cryptographically attests to the integrity of every step in a software supply chain, creating a verifiable, end-to-end record of who performed what action and what materials were used. It works by defining a supply chain layout—a policy document signed by a project owner that specifies the sequence of steps, the authorized functionaries for each step, and the artifact flow rules. As each step executes, a functionary generates a link metadata file, which is a signed statement containing the command run, the materials consumed, and the products generated. These links are verified against the layout to ensure no step was skipped, no unauthorized party acted, and no artifact was tampered with in transit. The result is a cryptographic provenance chain that can be audited by any client before deploying the final software artifact.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
In-toto operates within a broader landscape of frameworks and tools designed to secure the software supply chain. These related concepts form the foundational layers of cryptographic verification and policy enforcement.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us