This page lists the most important commands for the command-line tool in-toto-sign.

in-toto-sign

in-toto-sign is a command-line tool that is part of the in-toto framework, a security and compliance framework for software supply chain operations. It is used to sign in-toto metadata (layouts and link files, which record the artifacts handled at each step of the supply chain), providing a verifiable way to track the integrity of software components.

The in-toto framework focuses on securing the software supply chain by establishing a chain of trust between the different entities involved in the process, such as developers, builders, and distributors.

By using in-toto-sign, developers and builders can sign the metadata associated with the different steps in the supply chain. This metadata records the files consumed and produced by each step, their hashes, and the commands used to build or process them.

When signing the metadata, in-toto-sign uses the signer's private key to create signatures that can later be verified against the corresponding public key. A valid signature gives assurance that the metadata was not altered in transit or by a malicious actor after it was signed.

The tool supports different signature schemes, including RSA and Ed25519, providing flexibility in the choice of cryptographic algorithms.

In addition to signing metadata, in-toto-sign also allows for verification of existing signatures, ensuring that the integrity of the supply chain process is maintained.

By using in-toto-sign in combination with other tools in the in-toto framework, organizations can improve the security and trustworthiness of their software supply chain, mitigating the risks of tampering, unauthorized modifications, and other supply chain attacks.

in-toto-sign is designed to be lightweight, easy to use, and can be seamlessly integrated into existing supply chain workflows, making it a valuable addition to security-conscious organizations.

List of commands for in-toto-sign:

  • Sign 'unsigned.layout' with two keys and write it to 'root.layout':
    $ in-toto-sign -f ${unsigned-layout} -k ${priv_key1} ${priv_key2} -o ${root-layout}
  • Verify a layout signed with 3 keys:
    $ in-toto-sign -f ${root-layout} -k ${pub_key0} ${pub_key1} ${pub_key2} --verify
  • Verify a layout with a GPG key identified by keyid '...439F3C2':
    $ in-toto-sign -f ${root-layout} --verify --gpg ${...439F3C2}
  • Replace the signature in a link file and write it to the default filename:
    $ in-toto-sign -f ${package-2f89b927-link} -k ${priv_key}
  • Sign a layout with the default GPG key in the default GPG keyring:
    $ in-toto-sign -f ${root-layout} --gpg