in-toto: Securing the Software Supply Chain
Shriira Press
Prove that what you ship is what your pipeline produced — cryptographically verify every step from source to artifact.
Welcome to in-toto: Securing the Software Supply Chain.
in-toto is a framework for securing the integrity of software supply chains: it cryptographically verifies that every step from source code to finished artifact was carried out by the right party, in the right order, on the right materials. This free book teaches it from the ground up: software-supply-chain threats and why endpoint signing isn't enough, the core concepts (layout, steps, functionaries, link metadata), the signatures, hashes, and root of trust behind it, defining a layout with artifact rules and thresholds, recording steps as attestations, verifying the chain, the in-toto Attestation Framework and its role under SLSA, Sigstore, and SBOMs, integrating into CI/CD and Kubernetes admission control, and adopting it incrementally. Ten focused chapters with clear diagrams show how to make your supply chain verifiable and tamper-evident.
This title is part of the Shriira library and is free to read in full, right here — our small contribution to making world-class knowledge easy to reach.
A note on reading it: open the Contents menu at the top of the reader to jump between chapters, and use the Aa menu to set a comfortable text size, theme (light, sepia, or night), and single- or two-page layout. Your place is saved automatically, so you can always pick up where you left off.
We hope it serves you well.
— Shriira Press