Inferensys

Glossary

in-toto

A framework that cryptographically attests to the integrity of each step in a software supply chain by collecting signed metadata from project functionaries, enabling end-to-end verification of the final product.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.
SUPPLY CHAIN INTEGRITY FRAMEWORK

What is in-toto?

in-toto is a framework that cryptographically attests to the integrity of each step in a software supply chain by collecting signed metadata from project functionaries, enabling end-to-end verification of the final product.

in-toto is a framework that cryptographically attests to the integrity of each step in a software supply chain by collecting signed metadata from project functionaries, enabling end-to-end verification of the final product. It defines a standard layout specifying who is authorized to perform each step and what materials they consume, creating a verifiable chain of custody from source code to deployment.

Each functionary in the pipeline—such as a developer, CI/CD system, or package maintainer—generates a signed link metadata file recording inputs, outputs, and the command executed. A final verification process checks all links against the project's layout, ensuring no step was skipped, tampered with, or performed by an unauthorized party, thus establishing non-repudiation across the entire software lifecycle.

SUPPLY CHAIN INTEGRITY

Key Features of in-toto

in-toto cryptographically attests to the integrity of each step in a software supply chain, enabling end-to-end verification from source code to final artifact.

01

Layout-Driven Verification

The layout is a signed policy document that defines the required steps, functionaries, and artifact rules for a supply chain. It specifies:

  • Steps: Individual actions like cloning a repo, running tests, or building a binary
  • Inspections: Independent verification steps run by the verifier
  • Thresholds: Minimum number of functionaries required to authorize a step

The layout acts as a blueprint, and the final verification checks that all recorded link metadata conforms to this policy.

02

Link Metadata

A link is a cryptographically signed statement that records the materials, products, and environment of a single supply chain step. Each link captures:

  • Materials: The artifacts consumed (e.g., source files, dependencies)
  • Products: The artifacts produced (e.g., compiled binaries, container images)
  • Byproducts: Stdout, stderr, and return values
  • Environment: Hostname, command, and other contextual data

Links are generated by functionaries—the entities authorized to perform steps—and are verified against the layout during final product verification.

03

End-to-End Verification

The in-toto verification workflow cryptographically validates the entire supply chain:

  1. The verifier fetches the signed layout and all link metadata
  2. Each link's signature is validated against the functionary's public key
  3. Artifact hashes in materials and products are cross-checked across steps
  4. The verifier confirms the chain matches the layout's rules

This ensures that if any step is compromised or skipped, the final verification fails. The process provides non-repudiation—a functionary cannot deny performing a step.

04

Integration with ITE-6 Attestations

in-toto has evolved beyond its original link format to support in-toto attestations, standardized in ITE-6. These attestations use a JSON-based schema with:

  • A subject identifying the artifact being described
  • A predicate containing the claim (e.g., SLSA provenance, vulnerability scan results)
  • A predicate type URI for schema discovery

This aligns in-toto with the broader Sigstore and SLSA ecosystems, enabling keyless signing via Fulcio and transparency logging via Rekor.

05

Supply Chain Layout Example

A typical in-toto layout for a container build pipeline might define:

  • Step: clone — Functionary: CI system, Expected product: source code hash
  • Step: build — Functionary: Build server, Expected materials: source code hash, Expected product: binary hash
  • Step: package — Functionary: Packaging tool, Expected materials: binary hash, Expected product: container image digest
  • Inspection: lint — Run by verifier, checks code quality independently

Each step produces a signed link, and the final verification confirms the artifact digests chain correctly from clone to container.

06

Protection Against Supply Chain Attacks

in-toto defends against specific threat vectors:

  • Compromised build server: An attacker modifying binaries is detected because the product hash won't match the expected value in the layout
  • Insider threat: A malicious functionary cannot repudiate their actions; their signature is cryptographically bound to the link
  • Dependency confusion: Materials hashes capture exact dependency versions, preventing substitution attacks
  • Skipped steps: The layout enforces that all required steps exist and are signed by authorized functionaries
IN-TOTO ATTESTATION FRAMEWORK

Frequently Asked Questions

Clear, technical answers to the most common questions about the in-toto framework, its cryptographic mechanisms, and its role in securing software and AI supply chains.

in-toto is an open-source framework that cryptographically attests to the integrity of each step in a software supply chain. It works by defining a layout—a signed policy document that specifies which functionaries (developers, builders, testers) are authorized to perform each step, and what materials and products each step consumes and produces. Each functionary generates a link metadata file containing cryptographic hashes of all inputs and outputs, signed with their private key. At verification time, an in-toto verifier checks that all links match the layout, that the artifact hashes chain together correctly across steps, and that no unauthorized modifications occurred. This provides end-to-end verifiability from source code to final artifact, ensuring that if a step is compromised, the tampering is cryptographically detectable.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.