in-toto is a framework that cryptographically attests to the integrity of each step in a software supply chain by collecting signed metadata from project functionaries, enabling end-to-end verification of the final product. It defines a standard layout specifying who is authorized to perform each step and what materials they consume, creating a verifiable chain of custody from source code to deployment.
Glossary
in-toto

What is in-toto?
in-toto is a framework that cryptographically attests to the integrity of each step in a software supply chain by collecting signed metadata from project functionaries, enabling end-to-end verification of the final product.
Each functionary in the pipeline—such as a developer, CI/CD system, or package maintainer—generates a signed link metadata file recording inputs, outputs, and the command executed. A final verification process checks all links against the project's layout, ensuring no step was skipped, tampered with, or performed by an unauthorized party, thus establishing non-repudiation across the entire software lifecycle.
Key Features of in-toto
in-toto cryptographically attests to the integrity of each step in a software supply chain, enabling end-to-end verification from source code to final artifact.
Layout-Driven Verification
The layout is a signed policy document that defines the required steps, functionaries, and artifact rules for a supply chain. It specifies:
- Steps: Individual actions like cloning a repo, running tests, or building a binary
- Inspections: Independent verification steps run by the verifier
- Thresholds: Minimum number of functionaries required to authorize a step
The layout acts as a blueprint, and the final verification checks that all recorded link metadata conforms to this policy.
Link Metadata
A link is a cryptographically signed statement that records the materials, products, and environment of a single supply chain step. Each link captures:
- Materials: The artifacts consumed (e.g., source files, dependencies)
- Products: The artifacts produced (e.g., compiled binaries, container images)
- Byproducts: Stdout, stderr, and return values
- Environment: Hostname, command, and other contextual data
Links are generated by functionaries—the entities authorized to perform steps—and are verified against the layout during final product verification.
End-to-End Verification
The in-toto verification workflow cryptographically validates the entire supply chain:
- The verifier fetches the signed layout and all link metadata
- Each link's signature is validated against the functionary's public key
- Artifact hashes in materials and products are cross-checked across steps
- The verifier confirms the chain matches the layout's rules
This ensures that if any step is compromised or skipped, the final verification fails. The process provides non-repudiation—a functionary cannot deny performing a step.
Integration with ITE-6 Attestations
in-toto has evolved beyond its original link format to support in-toto attestations, standardized in ITE-6. These attestations use a JSON-based schema with:
- A subject identifying the artifact being described
- A predicate containing the claim (e.g., SLSA provenance, vulnerability scan results)
- A predicate type URI for schema discovery
This aligns in-toto with the broader Sigstore and SLSA ecosystems, enabling keyless signing via Fulcio and transparency logging via Rekor.
Supply Chain Layout Example
A typical in-toto layout for a container build pipeline might define:
- Step: clone — Functionary: CI system, Expected product: source code hash
- Step: build — Functionary: Build server, Expected materials: source code hash, Expected product: binary hash
- Step: package — Functionary: Packaging tool, Expected materials: binary hash, Expected product: container image digest
- Inspection: lint — Run by verifier, checks code quality independently
Each step produces a signed link, and the final verification confirms the artifact digests chain correctly from clone to container.
Protection Against Supply Chain Attacks
in-toto defends against specific threat vectors:
- Compromised build server: An attacker modifying binaries is detected because the product hash won't match the expected value in the layout
- Insider threat: A malicious functionary cannot repudiate their actions; their signature is cryptographically bound to the link
- Dependency confusion: Materials hashes capture exact dependency versions, preventing substitution attacks
- Skipped steps: The layout enforces that all required steps exist and are signed by authorized functionaries
Frequently Asked Questions
Clear, technical answers to the most common questions about the in-toto framework, its cryptographic mechanisms, and its role in securing software and AI supply chains.
in-toto is an open-source framework that cryptographically attests to the integrity of each step in a software supply chain. It works by defining a layout—a signed policy document that specifies which functionaries (developers, builders, testers) are authorized to perform each step, and what materials and products each step consumes and produces. Each functionary generates a link metadata file containing cryptographic hashes of all inputs and outputs, signed with their private key. At verification time, an in-toto verifier checks that all links match the layout, that the artifact hashes chain together correctly across steps, and that no unauthorized modifications occurred. This provides end-to-end verifiability from source code to final artifact, ensuring that if a step is compromised, the tampering is cryptographically detectable.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core frameworks, tools, and concepts that form the foundation of cryptographically verifiable software and AI supply chains alongside in-toto.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us