in-toto transport for apt
lukpueh Merge pull request #24 from lukpueh/fix-newline-bug
Fix newline bug by escaping LF and CR in message
Latest commit 363a110 May 23, 2019
apt-transport-in-toto Build Status Coverage Status

A custom transport method for apt that verifies the reproducibility of a Debian package before its installation. Verification is performed with in-toto, using a supply chain definition (in-toto layout) and gathering the corresponding evidence (in-toto links) about the reproducibility of a package from public rebuilders.

Installation

The transport method must be an executable in /usr/lib/apt/methods/ and its dependencies must be installed.

NOTE: This is a temporary solution until this transport is available as a Debian package (see #11).

# Get sources
git clone https://github.com/in-toto/apt-transport-in-toto.git
# Install requirements
pip install -r apt-transport-in-toto/requirements.txt
# Install transport: ln -s takes the TARGET first and the LINK NAME second,
# and the target must be an absolute path so the link resolves from /usr/lib/apt/methods
ln -s "$(pwd)/apt-transport-in-toto/intoto.py" /usr/lib/apt/methods/intoto
chmod 755 /usr/lib/apt/methods/intoto

Configuration

NOTE: Once this transport is available as a Debian package, default configuration and installation of required metadata may be performed automatically on installation of the package (see #11).

Layout

To define the requirement of reproducibility for a package, an in-toto layout must be available on the client at verification time and its path must be specified in the apt configuration file (see Options below).

A generic rebuild layout can be found in data/root.layout and may be used to verify any package. It contains public keys to verify the authenticity and integrity of rebuilder link metadata and a threshold that specifies how many authorized rebuilders need to agree on their result.

NOTE: Update the layout to add or revoke rebuilder authorizations. See the discussion in #13 for further details.

Layout keys

For a successful verification the layout requires at least one valid signature. The signing key(s) are the root of trust and must be available in a gpg keyring on the client. The corresponding keyid(s) must be specified in the apt configuration file (see Options below).

NOTE: Downstream maintainers should manually verify the validity of data/root.layout and sign it with their maintainer key. See the discussion in #13 for further details.

Options

The following options must be configured in /etc/apt/apt.conf.d/intoto.

  • Rebuilders -- URIs of remote rebuilders that serve in-toto link metadata for package rebuilds
  • in-toto layout -- Path to supply chain definition
  • Layout keyids -- Keyid(s) of in-toto layout signing key(s)
  • GPGHomedir (optional) -- Path to a non-default gpg keyring
  • LogLevel (optional) -- Transport verbosity level during installation (numeric value)
  • NoFail (optional) -- If set to "true", installation continues after a verification failure, but only if the failure reason is missing link metadata. This option may be used for a slow roll-out. It should be disabled once there is a broad network of rebuilders that provide extensive link metadata.

An exemplary configuration file can be found in apt.conf.d/intoto.
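To make the two policy points above concrete (the layout's threshold of authorized rebuilders that must agree, and NoFail tolerating only missing link metadata, never disagreement), here is an added illustrative check. It is not the transport's or in-toto's own verification code: the RebuildLink records, key ids and hashes are constructed sample data, and signature verification against the layout's public keys is assumed to have happened already.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RebuildLink:
    """Constructed stand-in for a verified in-toto link from one rebuilder."""
    signer_keyid: str    # keyid of the rebuilder that signed the link
    product_sha256: str  # hash the rebuilder reports for the rebuilt .deb


@dataclass
class Verdict:
    ok: bool
    reason: str    # "verified", "missing_links" or "mismatch"
    agreeing: int  # number of authorized rebuilders backing the winning hash


def verify_rebuilds(links, authorized_keyids, threshold, nofail=False):
    """Illustrative threshold check (not in-toto's implementation).

    Only links signed by keys authorized in the layout count, and each
    rebuilder gets one vote, so a single rebuilder cannot reach the
    threshold by submitting the same link several times. With nofail=True
    the package is still accepted when the only problem is that too few
    authorized links exist; disagreement between authorized rebuilders
    is never tolerated.
    """
    votes_by_key = {}
    for link in links:
        if link.signer_keyid in authorized_keyids:
            votes_by_key.setdefault(link.signer_keyid, link.product_sha256)
    tally = Counter(votes_by_key.values())
    agreeing = tally.most_common(1)[0][1] if tally else 0

    if agreeing >= threshold:
        return Verdict(True, "verified", agreeing)
    if len(tally) > 1:
        # Authorized rebuilders report different artifacts: a real failure.
        return Verdict(False, "mismatch", agreeing)
    # Fewer authorized links than the threshold requires; NoFail applies.
    return Verdict(bool(nofail), "missing_links", agreeing)
```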

Enable the transport

Verification is enabled by specifying the transport method as protocol prefix "intoto" in /etc/apt/sources.list or /etc/apt/sources.list.d/*, e.g.:

deb intoto://ftp.us.debian.org/debian/ stretch main contrib

Usage

The in-toto apt transport works transparently in the background when running:

apt-get install <package name>

Testing

The test suite can be run locally with tox.

Testing with docker

In addition to the offline Python tests that mock apt and rebuilder behavior, there is a docker setup that installs the apt transport in a minimal Debian container and invokes it using apt-get install <package name>, fetching metadata from live rebuilders. Run the following snippet in the root of this repo and look at the generated output.

docker build -t apt -f tests/Dockerfile .
docker run -it apt