The in-toto Attestation Framework provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of software can then validate the origins of the software, and establish trust in its supply chain, using in-toto attestations.
Visit https://in-toto.io to learn about the larger in-toto project.
For a deeper dive, we recommend reading through our documentation to learn more about the goals of the in-toto Attestation Framework.
The core of the in-toto Attestation Framework is the specification that defines the format for in-toto attestations and the metadata they contain.
We also provide a set of attestation predicates, which are metadata formats vetted by our maintainers to cover a number of common use cases.
For tooling integration, we provide protobuf definitions of the spec. We currently only provide a pre-generated library for Go.
Take a look at the open issues or pull requests to see if your usage has already been reported. We can help with use cases, thinking through options, and questions about existing predicates. Feel free to comment on an existing issue or PR.
If you still can't find what you're looking for, open a new issue or pull request. Before opening a request for a new metadata format, please review our New Predicate Guidelines.
The in-toto Attestation Framework is part of the in-toto project under the CNCF.
Use @in-toto/attestation-maintainers to tag the maintainers on GitHub.
The in-toto Attestation Framework is still under development. We are in the process of developing tooling to enable better integration and adoption of the framework. In the meantime, please visit any of the language-specific in-toto implementations to become familiar with current tooling options.