Inferensys

Glossary

In-Toto Attestation

A metadata specification that cryptographically verifies the steps and materials used in a software supply chain, providing non-repudiable evidence of the build process integrity.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.

What is In-Toto Attestation?

In-toto attestation is a cryptographically signed metadata document that provides non-repudiable evidence of the steps, materials, and environmental context involved in a software supply chain operation.

An in-toto attestation is a verifiable statement of fact about a software artifact's provenance, bound to a specific step in the supply chain. It moves beyond simple hashing by authenticating the predicate (the what) and the subject (the which), using the DSSE (Dead Simple Signing Envelope) wrapper to bind a standardized JSON payload to a digital signature.

This specification, governed by the in-toto attestation framework, enables automated policy evaluation by separating the signing identity from the build logic. An attestation typically contains a Statement layer linking a subject to a Predicate, such as an SLSA provenance predicate detailing builder IDs and source repositories, allowing downstream consumers to cryptographically verify that a binary was produced by a trusted Trusted Execution Environment (TEE) without manual inspection.

CRYPTOGRAPHIC INTEGRITY

Key Features of In-Toto Attestations

In-toto attestations provide non-repudiable, verifiable metadata about every step in a software supply chain. These key features define how the framework establishes trust.

01

Standardized Predicate Types

Attestations follow a structured JSON schema with a defined subject (the artifact) and a predicate (the metadata claim). Common predicate types include:

  • SLSA Provenance v1.0: Describes how an artifact was built, including builder ID, source repos, and build commands.
  • SPDX: A Software Bill of Materials detailing all components and licenses.
  • Vulnerability Scan: Results from container image scanning tools.
  • Test Results: Pass/fail status of a test suite run against the artifact. This standardization allows policy engines to parse and validate claims automatically.
02

Verifiable Supply Chain Layouts

A layout is a cryptographically signed policy document that defines the required steps and functionaries for a software supply chain. It specifies:

  • Steps: The actions that must be performed (e.g., 'clone-repo', 'run-tests', 'build-container').
  • Functionaries: The public keys of identities authorized to perform each step.
  • Thresholds: The minimum number of authorized signatures required for a step to be valid.
  • Inspections: Commands run by the verifier to independently audit the final product. The layout acts as the root of trust, and its signature chain must remain unbroken for verification to succeed.
03

Link Metadata for Non-Repudiation

A link is the fundamental unit of evidence in in-toto. Each link captures:

  • Materials: The cryptographic hashes (SHA256) of all input files and artifacts before a step executes.
  • Products: The cryptographic hashes of all output files and artifacts after a step executes.
  • Byproducts: Standard output, standard error, and return codes from the command.
  • Environment: Information about the host system, including environment variables.
  • Command: The exact command string that was executed. Each link is signed with the functionary's private key, creating a non-repudiable chain of custody from source code to final artifact.
04

Offline Verification Model

In-toto decouples attestation generation from attestation verification, enabling offline validation. The verification process:

  • Requires only the final product, the signed layout, and the collection of signed link files.
  • Walks the directed acyclic graph defined in the layout, matching materials to products across steps.
  • Cryptographically verifies every signature against the authorized functionary keys.
  • Fails closed if any link is missing, signed by an unauthorized key, or if material hashes do not match the previous step's product hashes. This model allows any consumer to independently verify the integrity of an artifact without trusting the build system.
05

Integration with Sigstore for Keyless Signing

Modern in-toto implementations integrate with Sigstore to eliminate long-lived private key management. This works by:

  • Using OpenID Connect (OIDC) tokens from CI/CD platforms (GitHub Actions, GitLab CI) to authenticate the builder's identity.
  • Requesting a short-lived ephemeral X.509 certificate from the Fulcio certificate authority, binding the OIDC identity to a public key.
  • Recording the signing event in the Rekor transparency log, providing a public, append-only audit trail.
  • Signing the in-toto link or attestation with the ephemeral key, which is immediately discarded. This approach provides strong identity binding without the operational burden of securing static signing keys.
06

Policy Enforcement with Binary Authorization

In-toto attestations serve as the decision-making input for deploy-time policy engines. The enforcement flow:

  • A Binary Authorization system intercepts a deployment request for a container image.
  • It queries the image's digest and retrieves all associated attestations from a metadata store.
  • An Open Policy Agent (OPA) or similar engine evaluates the attestations against a Rego policy.
  • Example policy: 'Require a SLSA Provenance attestation signed by a trusted builder with a source repository from the my-org GitHub organization.'
  • If the policy evaluates to false, the deployment is blocked, preventing unverified artifacts from reaching production.
IN-TOTO ATTESTATION

Frequently Asked Questions

Clear, technical answers to the most common questions about the in-toto framework, its cryptographic mechanisms, and its role in securing software supply chains.

An in-toto attestation is a cryptographically signed, authenticated statement about a specific step or material in a software supply chain, providing verifiable metadata about how an artifact was produced. It works by binding a subject (the artifact, identified by a cryptographic hash) to a predicate (a JSON object describing the build process, materials, or scanner results) via a signature envelope (typically DSSE). This creates a non-repudiable, tamper-evident record that a verifier can check against a layout policy—a document defining the expected steps, functionaries, and material flow. Unlike simple signature checks, in-toto attestations capture the full provenance chain, allowing a consumer to verify not just who signed an artifact, but how it was built, what source code was used, and which tools were involved, all the way back to the initial commit.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.