in-toto provides a framework to protect the integrity of the software supply chain. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.
Primarily, in-toto is a specification. This specification has been implemented in multiple languages. The specification can be extended or changed by proposing in-toto Enhancements (ITEs). Several have been proposed and accepted, and the full ITE process is documented in ITE-1.
Newcomers to the in-toto project are encouraged to familiarize themselves with the specification and to see it in action with the in-toto demo.
The in-toto attestation framework is a stand-alone specification that defines the attestation format. An in-toto attestation is a piece of authenticated metadata that captures information about a set of software artifacts. The attestation framework was introduced in ITE-6.
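To make the two ideas above concrete (each step is attested by an authorized functionary, and artifacts are checked for tampering between steps and on delivery), here is a small worked example. It is added here as an illustration and is not code from the in-toto project or any of its implementations. The Statement layout (`_type`, `subject`, `predicateType`, `predicate`) and the DSSE pre-authentication encoding follow the published specs, but everything else is simplified and assumed: HMAC-SHA256 stands in for the asymmetric signatures real in-toto uses, the predicate type `https://example.com/toy-link/v1` is hypothetical, the payload is kept as raw bytes rather than base64, and the chain rule is the simplest possible one (each step's materials must equal the previous step's products) instead of in-toto's full artifact-rule language. All artifacts, keys and the layout are constructed in the `run_demo` function.

```python
"""Toy in-toto style supply-chain verification (illustration, not project code).

Real in-toto signs attestations with ed25519/RSA/ECDSA keys and base64-encodes
the DSSE payload; HMAC-SHA256 and raw bytes are used here so the example runs
on the standard library alone. The artifact-matching rule is deliberately
simplified to an exact materials == previous products comparison.
"""
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"      # from the attestation spec
PAYLOAD_TYPE = "application/vnd.in-toto+json"          # from the attestation spec
PREDICATE_TYPE = "https://example.com/toy-link/v1"     # hypothetical predicate type


def digest(data: bytes) -> dict:
    """DigestSet for one artifact; in-toto identifies artifacts by hash, not name."""
    return {"sha256": hashlib.sha256(data).hexdigest()}


def make_statement(step: str, materials: dict, products: dict) -> dict:
    """Build an in-toto Statement whose subjects are the step's products."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": n, "digest": digest(b)} for n, b in products.items()],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "step": step,
            "materials": {n: digest(b) for n, b in materials.items()},
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that actually get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign(statement: dict, keyid: str, key: bytes) -> dict:
    """Wrap a Statement in a DSSE-like envelope (HMAC stands in for a signature)."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).hexdigest()
    return {"payloadType": PAYLOAD_TYPE, "payload": payload,
            "signatures": [{"keyid": keyid, "sig": sig}]}


def verify_chain(layout: dict, envelopes: dict, delivered: dict):
    """Check every step of the layout; return (ok, reason) with the first failure."""
    previous_products = None
    for step in layout["steps"]:
        env = envelopes.get(step["name"])
        if env is None:
            return False, f"missing attestation for step {step['name']}"
        sig = env["signatures"][0]
        # Authorization: only the functionaries named in the layout may sign this step.
        if sig["keyid"] not in step["authorized_keyids"]:
            return False, f"key {sig['keyid']} is not authorized for {step['name']}"
        expected = hmac.new(layout["keys"][sig["keyid"]],
                            pae(env["payloadType"], env["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig["sig"]):
            return False, f"bad signature on {step['name']}"
        statement = json.loads(env["payload"])
        if statement["_type"] != STATEMENT_TYPE:
            return False, "unexpected statement type"
        # Chain rule (simplified): what this step consumed is what the last step made.
        if previous_products is not None and statement["predicate"]["materials"] != previous_products:
            return False, f"materials of {step['name']} do not match previous products"
        previous_products = {s["name"]: s["digest"] for s in statement["subject"]}
    # Transit check: what the consumer received must be what the last step attested.
    for name, data in delivered.items():
        if previous_products.get(name) != digest(data):
            return False, f"delivered artifact {name} does not match attestation"
    return True, "ok"


def run_demo(tamper_in_transit: bool = False, unauthorized_signer: bool = False):
    """Constructed two-step chain (build -> package) with optional failure injection."""
    keys = {"alice": b"alice-secret", "bob": b"bob-secret", "mallory": b"mallory-secret"}
    layout = {"keys": keys,
              "steps": [{"name": "build", "authorized_keyids": ["alice"]},
                        {"name": "package", "authorized_keyids": ["bob"]}]}
    source = {"main.c": b"int main(void) { return 0; }"}        # constructed
    binary = {"app": b"\x7fELF-constructed-binary"}               # constructed
    tarball = {"app.tar.gz": b"constructed-tarball-bytes"}        # constructed
    build_signer = "mallory" if unauthorized_signer else "alice"
    envelopes = {
        "build": sign(make_statement("build", source, binary), build_signer, keys[build_signer]),
        "package": sign(make_statement("package", binary, tarball), "bob", keys["bob"]),
    }
    delivered = {"app.tar.gz": b"modified-in-transit"} if tamper_in_transit else tarball
    return verify_chain(layout, envelopes, delivered)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(tamper_in_transit=True))
    print(run_demo(unauthorized_signer=True))
```

The three `run_demo` calls exercise the happy path, a product altered after the last step signed it, and a step signed by a key the layout does not authorize; only the first returns `(True, "ok")`.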
The in-toto maintainers oversee the development of four implementations of the specification. They are in varying states of conformance with the in-toto specification and the attestation framework.
The Python implementation, in-toto, was the first one and has reached the v1.0 milestone. As such, it makes stability guarantees and is actively used in production by some in-toto adopters.
The Go implementation, in-toto-golang, is used for various cloud native integrations. It sees very active development, as it is the testbed for experimental features and changes introduced as ITEs.
The Java implementation was originally written to support integrations with the Jenkins CI/CD system. It implements part of the in-toto specification and also includes support for some attestation types.
in-toto-rs implements the in-toto specification in Rust. It is used in integrations with the Reproducible Builds project such as with rebuilderd.
in-toto is integrated into several other ecosystems and complementary software supply chain security efforts. An inexhaustive list of integrations and adoptions is maintained in the in-toto/friends repository.
The project also maintains several other integrations and resources pertaining to in-toto.
Contributions are welcome to these projects and any other repository in the in-toto GitHub organization.