A custom transport method for apt that verifies the reproducibility of a Debian package before its installation. Verification is performed with in-toto, using a supply chain definition (in-toto layout) and gathering the corresponding evidence (in-toto links) about the reproducibility of a package from public rebuilders.
The transport and its dependencies are available via apt. The command below installs the transport to /usr/lib/apt/methods/intoto, as well as a default config file and layout (see below).
sudo apt install apt-transport-in-toto
To define the requirement of reproducibility for a package, an in-toto layout must be available on the client at verification time and its path must be specified in the apt configuration file (see Options below).
A generic rebuild layout (data/root.layout) is installed as /etc/intoto/root.layout. It contains public keys to verify the authenticity and integrity of rebuilder link metadata generated by currently available rebuilders, and a threshold that specifies how many authorized rebuilders need to agree on their result.
NOTE: Update the layout to add or revoke rebuilder authorizations. See discussion in #13 for further details.
For a successful verification the layout requires at least one valid signature. The signing key(s) are the root of trust and must be available in a gpg keyring on the client. The corresponding keyid(s) must be specified in the apt configuration file (see Options below).
The options below must be configured in
- Rebuilders -- URIs of remote rebuilders that serve in-toto link metadata for package rebuilds
- in-toto layout -- Path to supply chain definition
- Layout keyids -- Keyid(s) of in-toto layout signing key(s)
- GPGHomedir (optional) -- Path to a non-default gpg keyring
- LogLevel (optional) -- Transport verbosity level during installation (numeric value)
- NoFail (optional) -- If set to "true", installation continues after a verification failure, but only if the failure reason is missing link metadata. This option may be used for a slow roll-out. It should be disabled once there is a broad network of rebuilders that provide extensive link metadata.
An exemplary configuration file can be found in
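To make the threshold and NoFail semantics concrete, here is an added Python model of the decision the transport takes before handing a package to apt. It is not the project's code and not the in-toto API (which also verifies the gpg signatures on the layout and on every link); the link fields, keyids, package name and hashes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class RebuilderLink:
    """Constructed stand-in for one rebuilder's in-toto link (signature omitted)."""
    keyid: str           # keyid the rebuilder signed with (constructed value)
    package: str         # file name of the rebuilt package
    product_sha256: str  # hash of the .deb the rebuilder produced

class VerificationError(Exception):
    pass

class MissingLinksError(VerificationError):
    """Too few links from authorized rebuilders: the one failure NoFail tolerates."""

def verify_rebuilds(deb_bytes, package, links, authorized_keyids, threshold):
    """Return how many authorized rebuilders reproduced the downloaded .deb.
    Raises MissingLinksError if fewer than `threshold` authorized links exist,
    VerificationError if enough exist but too few agree with the download."""
    expected = hashlib.sha256(deb_bytes).hexdigest()
    votes = {}  # one vote per authorized key, even if duplicate links were served
    for link in links:
        if link.package == package and link.keyid in authorized_keyids:
            votes.setdefault(link.keyid, link.product_sha256)
    if len(votes) < threshold:
        raise MissingLinksError(f"{len(votes)} authorized link(s), need {threshold}")
    agreeing = sum(1 for digest in votes.values() if digest == expected)
    if agreeing < threshold:
        raise VerificationError(f"only {agreeing}/{len(votes)} rebuilders reproduced {package}")
    return agreeing

def should_install(deb_bytes, package, links, authorized_keyids, threshold, nofail=False):
    """Decision the transport takes before handing the .deb to apt."""
    try:
        verify_rebuilds(deb_bytes, package, links, authorized_keyids, threshold)
        return True
    except MissingLinksError:
        return nofail  # NoFail "true" waives only the missing-metadata case
    except VerificationError:
        return False

# Constructed sample data: two authorized rebuilders plus one not in the layout.
PKG = "example_1.0-1_amd64.deb"
DEB = b"constructed contents of " + PKG.encode()
GOOD = hashlib.sha256(DEB).hexdigest()
AUTHORIZED = {"KEYID-A", "KEYID-B"}
LINKS = [RebuilderLink("KEYID-A", PKG, GOOD),
         RebuilderLink("KEYID-B", PKG, GOOD),
         RebuilderLink("KEYID-Z", PKG, "0" * 64)]
```

Note that a download whose hash disagrees with the authorized rebuilders is rejected even with NoFail set; only the absence of link metadata is waived.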
Enable the transport
Verification is enabled by specifying the transport method as the protocol prefix of an apt sources entry:
deb intoto://ftp.us.debian.org/debian/ stretch main contrib
The in-toto apt transport works transparently in the background when running:
apt-get install <package name>
The test suite can be run locally with
Testing with docker
In addition to the offline Python tests that mock behavior, there is a docker setup that installs the apt transport in a minimal Debian container and invokes it using apt-get install <package name>, fetching metadata from live rebuilders. Run the following commands in the root of this repo and look at the generated output.
docker build -t apt -f tests/Dockerfile .
docker run -it apt