Listen to this Post
Modern cybersecurity threats aren’t just in the codeβthey lurk in how software is developed, built, and deployed. Supply Chain Attacks have become one of the most complex challenges in cybersecurity. in-toto solves this by cryptographically verifying every step of the software supply chain, ensuring integrity from code commit to deployment.
π What is in-toto?
in-toto is a framework that records and verifies each step in the software supply chainβcoding, testing, building, signing, and deployment. It answers:
– Who performed an action?
– What was done?
– When did it happen?
– Was this step executed correctly?
π Key Features
β Full Traceability β Every step from code commit to deployment is signed and verifiable.
β Cryptographic Verification β Uses GPG, x509, and other signing methods to prevent tampering.
β Supply Chain Integrity β Ensures build tools, scripts, and users remain untampered.
β Integrates with Sigstore, TUF, SLSA β Works with modern software security standards.
β CI/CD Compatible β Supports GitHub Actions, Jenkins, GitLab CI, and more.
π οΈ You Should Know: How to Implement in-toto
1. Install in-toto
pip install in-toto
2. Generate Cryptographic Keys
in-toto-keygen --algorithm ed25519 alice
This creates `alice.pub` (public key) and `alice` (private key).
3. Define Supply Chain Layout
Create a `root.layout` file:
{
"expires": "2025-12-31T00:00:00Z",
"readme": "Example in-toto supply chain",
"keys": {
"alice": "pubkey_here"
},
"steps": [
{
"name": "clone",
"expected_command": ["git", "clone", "repo_url"],
"pubkeys": ["alice"],
"threshold": 1
},
{
"name": "build",
"expected_command": ["make"],
"pubkeys": ["alice"],
"threshold": 1
}
]
}
4. Sign and Verify Steps
Run a step and record metadata:
in-toto-run --step-name clone --key alice -- git clone https://github.com/example/repo
Verify the entire supply chain:
in-toto-verify --layout root.layout --layout-keys alice.pub
5. Detect Tampering
If a malicious script is inserted during build, in-toto will:
1. Identify which step was compromised.
2. Invalidate the build if signatures donβt match.
3. Log forensic evidence for compliance.
π‘οΈ Why Use in-toto?
β Prevents Supply Chain Attacks β Stops unauthorized changes.
β Auditable & Compliant β Provides legal-proof logs.
β Works with DevOps β Fits into CI/CD pipelines.
β Forensic Readiness β Quickly trace breaches.
π GitHub: https://github.com/in-toto/in-toto
What Undercode Say
in-toto is a must-have for secure DevOps. Beyond basic checks, use these Linux & Windows hardening commands:
Linux Security Checks
Check file integrity (compare hashes) sha256sum important_file Verify GPG signatures gpg --verify file.sig file Audit system calls auditctl -a always,exit -F arch=b64 -S execve Check for rootkits rkhunter --check
Windows Integrity Verification
Verify file signatures
Get-AuthenticodeSignature -FilePath C:\script.ps1
Check for unauthorized services
Get-Service | Where-Object { $_.Status -eq "Running" }
Monitor process creation
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.ID -eq 1 }
Bonus: Secure Your CI/CD
GitHub Actions Example - name: Verify with in-toto run: | in-toto-verify --layout root.layout --layout-keys alice.pub
Expected Output:
A cryptographically verified, tamper-proof software supply chain. π
π Final Tip: Combine in-toto with SBOM (Software Bill of Materials) for full transparency. Use:
syft scan dir:./ --output spdx-json > sbom.json
Expected Output: A secure, auditable, and compliant development pipeline. π‘οΈ
References:
Reported By: Nusretonen Intoto – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass β
