An in-toto attestation is a verifiable statement of fact about a software artifact's provenance, bound to a specific step in the supply chain. It moves beyond simple hashing by authenticating the predicate (the what) and the subject (the which), using the DSSE (Dead Simple Signing Envelope) wrapper to bind a standardized JSON payload to a digital signature.
Glossary
In-Toto Attestation

What is In-Toto Attestation?
In-toto attestation is a cryptographically signed metadata document that provides non-repudiable evidence of the steps, materials, and environmental context involved in a software supply chain operation.
This specification, governed by the in-toto attestation framework, enables automated policy evaluation by separating the signing identity from the build logic. An attestation typically contains a Statement layer linking a subject to a Predicate, such as an SLSA provenance predicate detailing builder IDs and source repositories, allowing downstream consumers to cryptographically verify that a binary was produced by a trusted Trusted Execution Environment (TEE) without manual inspection.
Key Features of In-Toto Attestations
In-toto attestations provide non-repudiable, verifiable metadata about every step in a software supply chain. These key features define how the framework establishes trust.
Standardized Predicate Types
Attestations follow a structured JSON schema with a defined subject (the artifact) and a predicate (the metadata claim). Common predicate types include:
- SLSA Provenance v1.0: Describes how an artifact was built, including builder ID, source repos, and build commands.
- SPDX: A Software Bill of Materials detailing all components and licenses.
- Vulnerability Scan: Results from container image scanning tools.
- Test Results: Pass/fail status of a test suite run against the artifact. This standardization allows policy engines to parse and validate claims automatically.
Verifiable Supply Chain Layouts
A layout is a cryptographically signed policy document that defines the required steps and functionaries for a software supply chain. It specifies:
- Steps: The actions that must be performed (e.g., 'clone-repo', 'run-tests', 'build-container').
- Functionaries: The public keys of identities authorized to perform each step.
- Thresholds: The minimum number of authorized signatures required for a step to be valid.
- Inspections: Commands run by the verifier to independently audit the final product. The layout acts as the root of trust, and its signature chain must remain unbroken for verification to succeed.
Link Metadata for Non-Repudiation
A link is the fundamental unit of evidence in in-toto. Each link captures:
- Materials: The cryptographic hashes (SHA256) of all input files and artifacts before a step executes.
- Products: The cryptographic hashes of all output files and artifacts after a step executes.
- Byproducts: Standard output, standard error, and return codes from the command.
- Environment: Information about the host system, including environment variables.
- Command: The exact command string that was executed. Each link is signed with the functionary's private key, creating a non-repudiable chain of custody from source code to final artifact.
Offline Verification Model
In-toto decouples attestation generation from attestation verification, enabling offline validation. The verification process:
- Requires only the final product, the signed layout, and the collection of signed link files.
- Walks the directed acyclic graph defined in the layout, matching materials to products across steps.
- Cryptographically verifies every signature against the authorized functionary keys.
- Fails closed if any link is missing, signed by an unauthorized key, or if material hashes do not match the previous step's product hashes. This model allows any consumer to independently verify the integrity of an artifact without trusting the build system.
Integration with Sigstore for Keyless Signing
Modern in-toto implementations integrate with Sigstore to eliminate long-lived private key management. This works by:
- Using OpenID Connect (OIDC) tokens from CI/CD platforms (GitHub Actions, GitLab CI) to authenticate the builder's identity.
- Requesting a short-lived ephemeral X.509 certificate from the Fulcio certificate authority, binding the OIDC identity to a public key.
- Recording the signing event in the Rekor transparency log, providing a public, append-only audit trail.
- Signing the in-toto link or attestation with the ephemeral key, which is immediately discarded. This approach provides strong identity binding without the operational burden of securing static signing keys.
Policy Enforcement with Binary Authorization
In-toto attestations serve as the decision-making input for deploy-time policy engines. The enforcement flow:
- A Binary Authorization system intercepts a deployment request for a container image.
- It queries the image's digest and retrieves all associated attestations from a metadata store.
- An Open Policy Agent (OPA) or similar engine evaluates the attestations against a Rego policy.
- Example policy: 'Require a SLSA Provenance attestation signed by a trusted builder with a source repository from the
my-orgGitHub organization.' - If the policy evaluates to
false, the deployment is blocked, preventing unverified artifacts from reaching production.
Frequently Asked Questions
Clear, technical answers to the most common questions about the in-toto framework, its cryptographic mechanisms, and its role in securing software supply chains.
An in-toto attestation is a cryptographically signed, authenticated statement about a specific step or material in a software supply chain, providing verifiable metadata about how an artifact was produced. It works by binding a subject (the artifact, identified by a cryptographic hash) to a predicate (a JSON object describing the build process, materials, or scanner results) via a signature envelope (typically DSSE). This creates a non-repudiable, tamper-evident record that a verifier can check against a layout policy—a document defining the expected steps, functionaries, and material flow. Unlike simple signature checks, in-toto attestations capture the full provenance chain, allowing a consumer to verify not just who signed an artifact, but how it was built, what source code was used, and which tools were involved, all the way back to the initial commit.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
In-toto attestation is part of a broader ecosystem of tools and frameworks designed to secure the software supply chain. These related concepts provide the foundational layers for cryptographic verification, policy enforcement, and artifact integrity.
Binary Authorization
A deploy-time security control that enforces cryptographic signature validation before allowing container images to run in production. Binary Authorization policies can be configured to require valid in-toto attestations proving the image passed specific CI/CD steps—such as vulnerability scanning or code review—before admitting it into the runtime environment. This creates a continuous chain of verification from source to execution.
Provenance Metadata
Verifiable information about the origin, build steps, and source materials that produced a specific software artifact. In-toto provenance attestations follow the SLSA provenance v1.0 schema, capturing details such as:
- Builder identity and environment
- Source repository and commit hash
- Build invocation parameters
- All input artifacts and dependencies This allows downstream consumers to assess trustworthiness based on objective, cryptographically verified evidence.
Reproducible Builds
A development practice where compiling identical source code in an identical environment always produces a bit-for-bit identical output. When combined with in-toto attestations, reproducible builds enable independent verifiers to rebuild an artifact and compare the resulting hash against the attested digest. This provides the strongest possible guarantee that no tampering occurred during the build process, as any discrepancy is immediately detectable.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us