@judavi
Last active January 13, 2020 11:14
in-toto First Review

in-toto

Formal definition

This document describes in-toto, a system for securing the way in which software is developed, built, tested, and packaged (i.e., the software supply chain). in-toto attests to the integrity and verifiability of all the actions performed while writing code, compiling, testing, and deploying software. It does so by making it transparent to the user what steps were performed, by whom and in what order. As a result, given guidance by the group creating the software, in-toto allows the user to verify if a step in the supply chain was intended to be performed, if the step was performed by the right actor, and attests that materials (e.g., source code) were not tampered with between steps.

101 Version

in-toto defines a layout for the end-to-end process. The layout lists the series of steps that will be performed during the process and the actors allowed to perform each one. Each step produces outputs (link metadata) that are signed by the actor performing the step. At the end of the process, in-toto verifies the final product against the layout and the signed outputs of each step.

Steps

The following are the high-level steps for using the framework, as seen from the viewpoint of an operating system’s package manager. This is an error-free case:

  • The project owner creates a [layout](https://gist.github.com/judavi/d3c9084c8c742195b65b6d10faf38058#file-example-layout-json). This describes the steps that every functionary must perform, as well as the specific inspection steps that must be performed on the client's machine.
  • Each functionary performs his or her usual tasks within the supply chain (e.g., the functionary in charge of compilation compiles the binary), and records link metadata about that action. After all steps are performed by functionaries, the metadata and target files are aggregated into a final product.
  • The client obtains the final product, and verifies that all steps were performed correctly. This is done by checking that all materials used were products of the intended steps, that each step was performed by the authorized functionary, and that the layout was created by the right project owner. If additional verification is required on the accompanying metadata (e.g., to verify VCS-specific metadata), the client will then perform additional inspection steps. If verification is successful, installation is carried out as usual.
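To make the "101" description and the three steps above concrete, here is an added example (not part of the gist, nor in-toto's own code) that applies the artifact rules of the three steps from the layout JSON below (MATCH, CREATE, ALLOW, DISALLOW) to constructed link metadata, the way the client-side verification step does. Signature and threshold checks are left out, and the MATCH rule is simplified (no IN prefixes); the digests are placeholders.

```python
import fnmatch

# Constructed link metadata for the layout's three steps (path -> digest);
# the digests are placeholders, not real sha256 values.
LINKS = {
    "clone": {"materials": {}, "products": {"demo-project/foo.py": "d1"}},
    "update-version": {"materials": {"demo-project/foo.py": "d1"}, "products": {"demo-project/foo.py": "d2"}},
    "package": {"materials": {"demo-project/foo.py": "d2"}, "products": {"demo-project.tar.gz": "d3"}},
}
# Artifact rules of the three steps, copied from the layout JSON on this page.
STEPS = [
    {"name": "clone", "expected_materials": [],
     "expected_products": [["CREATE", "demo-project/foo.py"], ["DISALLOW", "*"]]},
    {"name": "update-version",
     "expected_materials": [["MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "clone"], ["DISALLOW", "*"]],
     "expected_products": [["ALLOW", "demo-project/foo.py"], ["DISALLOW", "*"]]},
    {"name": "package",
     "expected_materials": [["MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "update-version"], ["DISALLOW", "*"]],
     "expected_products": [["CREATE", "demo-project.tar.gz"], ["DISALLOW", "*"]]},
]

def apply_rules(rules, artifacts, own_materials, links):
    """Run one rule list over a queue of path -> digest. Each rule removes the
    artifacts it accounts for; anything no rule consumed reaches DISALLOW."""
    queue = dict(artifacts)
    for rule in rules:
        op, pattern = rule[0], rule[1]
        hits = [p for p in queue if fnmatch.fnmatch(p, pattern)]
        if op == "MATCH":  # MATCH <pattern> WITH MATERIALS|PRODUCTS FROM <step>
            source = links[rule[5]][rule[3].lower()]
            # Only artifacts equal to the source digest are consumed; a modified file falls through to DISALLOW.
            hits = [p for p in hits if source.get(p) == queue[p]]
        elif op == "CREATE":  # a created product must not have been a material of the step
            hits = [p for p in hits if p not in own_materials]
        elif op == "DISALLOW":
            if hits:
                return False, f"DISALLOW {pattern} rejected {sorted(hits)}"
        elif op != "ALLOW":
            return False, f"unsupported rule {op}"
        for p in hits:
            del queue[p]
    return True, "ok"

def verify_step(step, links=LINKS):
    """Check a step's link against its expected_materials and expected_products."""
    link = links[step["name"]]
    ok, why = apply_rules(step["expected_materials"], link["materials"], {}, links)
    if ok:
        ok, why = apply_rules(step["expected_products"], link["products"], link["materials"], links)
    return ok, why
```

With the constructed links every step passes; change the digest that update-version consumed so it no longer equals what clone produced, and the MATCH rule leaves it in the queue for DISALLOW * to reject.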

Example of layout: https://github.com/in-toto/in-toto/blob/develop/layout-creation.md

Grafeas integration

In-toto relies

Notes

Notes are akin to step definitions in in-toto. We extended the Grafeas API to hold a reference to the step definition for each note.

Occurrences

Occurrences are the closest type of metadata that could match a link.

Operation

An Operation will be extended with in-toto layout metadata as part of its metadata field.

Interesting links

Organizations that are worth a look:

example-layout.json

```json
{
  "signatures": [
    {
      "keyid": "556caebdc0877eed53d419b60eddb1e57fa773e4e31d70698b588f3e9cc48b35",
      "sig": "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"
    }
  ],
  "signed": {
    "_type": "layout",
    "expires": "2020-02-13T11:11:52Z",
    "inspect": [
      {
        "_type": "inspection",
        "expected_materials": [
          ["MATCH", "demo-project.tar.gz", "WITH", "PRODUCTS", "FROM", "package"],
          ["ALLOW", ".keep"],
          ["ALLOW", "alice.pub"],
          ["ALLOW", "root.layout"],
          ["DISALLOW", "*"]
        ],
        "expected_products": [
          ["MATCH", "demo-project/foo.py", "WITH", "PRODUCTS", "FROM", "update-version"],
          ["ALLOW", "demo-project/.git/*"],
          ["ALLOW", "demo-project.tar.gz"],
          ["ALLOW", ".keep"],
          ["ALLOW", "alice.pub"],
          ["ALLOW", "root.layout"],
          ["DISALLOW", "*"]
        ],
        "name": "untar",
        "run": ["tar", "xzf", "demo-project.tar.gz"]
      }
    ],
    "keys": {
      "2f89b9272acfc8f4a0a0f094d789fdb0ba798b0fe41f2f5f417c12f0085ff498": {
        "keyid": "2f89b9272acfc8f4a0a0f094d789fdb0ba798b0fe41f2f5f417c12f0085ff498",
        "keyid_hash_algorithms": ["sha256", "sha512"],
        "keytype": "rsa",
        "keyval": {
          "private": "",
          "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzgLBsMFSgwBiWTBmVsyW\n5KbJwLFSodAzdUhU2Bq6SdRz/W6UOBGdojZXibxupjRtAaEQW/eXDe+1CbKg6ENZ\nGt2D9HGFCQZgQS8ONgNDQGiNxgApMA0T21AaUhru0vEofzdN1DfEF4CAGv5AkcgK\nsalhTyONervFIjFEdXGelFZ7dVMV3Pp5WkZPG0jFQWjnmDZhUrtSxEtqbVghc3kK\nAUj9Ll/3jyi2wS92Z1j5ueN8X62hWX2xBqQ6nViOMzdujkoiYCRSwuMLRqzW2CbT\nL8hF1+S5KWKFzxl5sCVfpPe7V5HkgEHjwCILXTbCn2fCMKlaSbJ/MG2lW7qSY2Ro\nwVXWkp1wDrsJ6Ii9f2dErv9vJeOVZeO9DsooQ5EuzLCfQLEU5mn7ul7bU7rFsb8J\nxYOeudkNBatnNCgVMAkmDPiNA7E33bmL5ARRwU0iZicsqLQR32pmwdap8PjofxqQ\nk7Gtvz/iYzaLrZv33cFWWTsEOqK1gKqigSqgW9T26wO9AgMBAAE=\n-----END PUBLIC KEY-----"
        },
        "scheme": "rsassa-pss-sha256"
      },
      "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b08453f5": {
        "keyid": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b08453f5",
        "keyid_hash_algorithms": ["sha256", "sha512"],
        "keytype": "rsa",
        "keyval": {
          "private": "",
          "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0Zfzonp3/FScaIP+KKuz\nB+OZNFpjbVGWjm3leqnFqHYLqrLcCw5KhlXpycJqoSvZBpO+PFCksUx8U/ryklHG\nVoDiB84pRkvZtBoVaA4b4IHDIhz1K5NqkJgieya4fwReTxmCW0a9gH7AnDicHBCX\nlzMxqEdt6OKMV5g4yjKaxf8lW72O1gSI46GSIToo+Z7UUgs3ofaM5UFIcczgCpUa\n5kEKocB6cSZ9U8PKRLSs0xO0ROjrcOTsfxMs8eV4bsRCWY5mAq1WM9EHDSV9WO8g\nqrRmanC4enNqa8jU4O3zhgJVegP9A01r9AwNt6AqgPSikwhXN/P4v1FMYV+R6N3b\nS1lsVWRAnwBq5RFz5zVvcY88JEkHbrcBqP/A4909NXae1VMXmnoJb4EzGAkyUySB\na+fHXAVJgzwyv3I48d/OIjH8NWcVmM/DQL7FtcJk3tp0YUjY5wNpcbQTnLzURtlU\nsd+MtGuvdlDxUUvtUYCIVKRdS8UzYnTPjI2xzeoSHZ2ZAgMBAAE=\n-----END PUBLIC KEY-----"
        },
        "scheme": "rsassa-pss-sha256"
      }
    },
    "readme": "",
    "steps": [
      {
        "_type": "step",
        "expected_command": ["git", "clone", "https://github.com/in-toto/demo-project.git"],
        "expected_materials": [],
        "expected_products": [
          ["CREATE", "demo-project/foo.py"],
          ["DISALLOW", "*"]
        ],
        "name": "clone",
        "pubkeys": ["776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b08453f5"],
        "threshold": 1
      },
      {
        "_type": "step",
        "expected_command": [],
        "expected_materials": [
          ["MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "clone"],
          ["DISALLOW", "*"]
        ],
        "expected_products": [
          ["ALLOW", "demo-project/foo.py"],
          ["DISALLOW", "*"]
        ],
        "name": "update-version",
        "pubkeys": ["776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b08453f5"],
        "threshold": 1
      },
      {
        "_type": "step",
        "expected_command": ["tar", "--exclude", ".git", "-zcvf", "demo-project.tar.gz", "demo-project"],
        "expected_materials": [
          ["MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "update-version"],
          ["DISALLOW", "*"]
        ],
        "expected_products": [
          ["CREATE", "demo-project.tar.gz"],
          ["DISALLOW", "*"]
        ],
        "name": "package",
        "pubkeys": ["2f89b9272acfc8f4a0a0f094d789fdb0ba798b0fe41f2f5f417c12f0085ff498"],
        "threshold": 1
      }
    ]
  }
}
```