Technology · Ebook

in-toto: Securing the Software Supply Chain

by Shriira Press

4.7 (560) · 168 pages · Published 2026

in-toto is a framework for securing the integrity of software supply chains: it cryptographically verifies that every step from source code to finished artifact was carried out by the right party, in the right order, on the right materials. This free book teaches it from the ground up: software-supply-chain threats and why endpoint signing isn't enough, the core concepts (layout, steps, functionaries, link metadata), the signatures, hashes, and root of trust behind it, defining a layout with artifact rules and thresholds, recording steps as attestations, verifying the chain, the in-toto Attestation Framework and its role under SLSA, Sigstore, and SBOMs, integrating into CI/CD and Kubernetes admission control, and adopting it incrementally. Ten focused chapters with clear diagrams that show how to make your supply chain verifiable and tamper-evident.

Contents

  1. Preface
  2. Chapter 1 — What in-toto Is
  3. Chapter 2 — Software Supply Chain Security
  4. Chapter 3 — Core Concepts
  5. Chapter 4 — Cryptography and Trust
  6. Chapter 5 — Defining a Layout
  7. Chapter 6 — Recording Steps
  8. Chapter 7 — Verification
  9. Chapter 8 — Attestations and the Ecosystem
  10. Chapter 9 — in-toto in CI/CD and Kubernetes
  11. Chapter 10 — Adoption, Practice, and Putting It Together