Skip to content


Repository files navigation

apt-transport-in-toto Build Status Coverage Status

A custom transport method for apt that verifies the reproducibility of a Debian package before its installation. Verification is performed with in-toto, using a supply chain definition (in-toto layout) and gathering the corresponding evidence (in-toto links) about the reproducibility of a package from public rebuilders.


The transport and its dependencies are available via apt. Below command installs the transport to /usr/lib/apt/methods/intoto, as well as a default config file and layout (see below).

sudo apt install apt-transport-in-toto


To define the requirement of reproducibility for a package, an in-toto layout must be available on the client at verification time and its path must be specified in the apt configuration file (see Options below).

A generic rebuild layout (data/root.layout) is made available in /etc/intoto/root.layout upon installation. It contains public keys to verify the authenticity and integrity of rebuilder link metadata generated by currently available rebuilders, and a threshold that specifies how many authorized rebuilders need to agree on their result.

NOTE: Update the layout to add or revoke rebuilder authorizations. See discussion in #13 for further details.

Layout keys

For a successful verification the layout requires at least one valid signature. The signing key(s) are the root of trust and must be available in a gpg keyring on the client. The corresponding keyid(s) must be specified in the apt configuration file (see Options below).

NOTE: Downstream maintainers should manually verify the validity of data/root.layout and sign it with their maintainer key. See discussion in #13 for further details.


Below options must be configured in /etc/apt/apt.conf.d/intoto.

  • Rebuilders -- URIs of remote rebuilders that serve in-toto link metadata for package rebuilds
  • in-toto layout -- Path to supply chain definition
  • Layout keyids -- Keyid(s) of in-toto layout signing key(s)
  • GPGHomedir (optional) -- Path to a non-default gpg keyring
  • LogLevel (optional) -- Transport verbosity level during installation (numeric value)
  • NoFail (optional) -- If set to "true" installation continues after a verification failure, but only if the failure reason is missing link metadata. This option may be used for a slow roll-out. It should be disabled once there is broad network of rebuilders that provide extensive link metadata.

An exemplary configuration file can be found in apt.conf.d/intoto.

Enable the transport

Verification is enabled by specifying the transport method as protocol prefix "intoto" in /etc/apt/sources.list or /etc/apt/sources.list.d/*, e.g.:

deb intoto:// stretch main contrib


The in-toto apt transport works transparently in the background when running:

apt-get install <package name>


The test suite can be run locally with tox.

Testing with docker

In addition to the offline Python tests that mock apt and rebuilder behavior, there is a docker setup that installs the apt transport in a minimal Debian container and invokes it using apt-get install <package name>, fetching metadata from live rebuilders. Run the following snippet in the root of this repo and look at the generated output.

docker build -t apt -f tests/Dockerfile .
docker run -it apt