in-toto/in-toto-golang in-toto/in-toto-golang

Zero Trust Security
  • Stars
    star
    114
  • Rank 297,239 (Top 7 %)
  • Language
    Go
  • License
    Other
  • Created over 5 years ago
  • Updated about 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
in-toto/in-toto-golang
github

in-toto

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.

Go implementation of in-toto

build Coverage Status PkgGoDev Go Report Card OpenSSF Scorecard

Go implementation of the in-toto specification.

Docs

To read the documentation along with some examples, run:

godoc -http :8080

and navigate to localhost:8080/pkg/github.com/in-toto/in-toto-golang/

Alternatively, you can use pkg.go.dev.

Example

A very simple example, just to help you starting:

package main

import (
	"time"
	toto "github.com/in-toto/in-toto-golang/in_toto"
)

func main() {
	t := time.Now()
	t = t.Add(30 * 24 * time.Hour)

	var keys = make(map[string]toto.Key)

	var metablock = toto.Metablock{
		Signed: toto.Layout{
			Type: "layout",
			Expires:  t.Format("2006-01-02T15:04:05Z"),
			Steps: []toto.Step{},
			Inspect: []toto.Inspection{},
			Keys:  keys,
		},
	}

	var key toto.Key

	key.LoadKey("keys/alice", "rsassa-pss-sha256", []string{"sha256", "sha512"})

	metablock.Sign(key)

	metablock.Dump("root.layout")
}

Building

Download the source, run make build.

CLI

The CLI reference can be found in the autogenerated docs.

Integration with SPIFFE/SPIRE

This implementation of in-toto has been integrated with SPIFFE/SPIRE. The integration is made possible by ITE-7, an enhancement that adds support for X.509 signing to in-toto.

Running the Demo

To run the demo, pull down the source code, install Go, and run make test-verify. This will use openssl to generate a certificate chain.

To run the demo using SPIRE, pull down the source code, install Go and Docker, and run make test-spiffe-verify.

SPIFFE compliant Leaf certificates are generated with SVIDs corresponding to functionaries. These certificates are consumed by in-toto to sign link metadata and the layout policy.

During the in-toto verification process, certificate constraints are checked to ensure the build step link meta-data was signed with the correct SVID.

Layout Certificate Constraints

Currently the following constraints supported:

{
  "cert_constraints": [{
    "common_name": "write-code.example.com",
      "dns_names": [
        ""
      ],
      "emails": [
        ""
      ],
      "organizations": [
        "*"
      ],
      "roots": [
        "*"
      ],
      "uris": [
        "spiffe://example.com/write-code"
      ]
  }, {
    "uris": [],
    "common_names": ["Some User"]
  }]
}

Not (yet) supported

This golang implementation was focused on verification on admission controllers and kubectl plugins. As such, it focused on providing a strong, auditable set of core functions rather than a broad and (possibly) unstable feature set. In other words, we believe that the current feature set is stable enough for production use.

If any of these features are necessary for your use case please let us know and we will try to provide them as soon as possible. Alternatively we welcome pull requests with feature additions!

More Repositories

1

in-toto

in-toto is a framework to protect supply chain integrity.
Python
826
star
2

witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
Go
359
star
3

attestation

in-toto Attestation Framework
Go
182
star
4

demo

Securing Alice's, Bob's and Carl's software supply chain using in-toto
Python
79
star
5

archivista

Archivista is a graph and storage service for in-toto attestations. Archivista enables the discovery and retrieval of attestations for software artifacts.
Go
46
star
6

community

in-toto is a framework to secure the software supply chain.
37
star
7

docs

Specification and other related documents.
Python
31
star
8

in-toto-rs

A rust implementation of in-toto
Rust
31
star
9

supply-chain-compromises

22
star
10

ITE

in-toto Enhancements
17
star
11

scai-demos

Software Supply Chain Attribute Integrity (SCAI) Demos and CLI tools
Go
16
star
12

go-witness

Go implementation of witness
Go
13
star
13

attestation-verifier

Prototype in-toto attestation verifier based on ITE-10 and ITE-11 layouts
Go
11
star
14

in-toto-java

A Java implementation of in-toto runlib
Java
11
star
15

friends

Friends of in-toto! A place to record integrations and adoptions of the in-toto specification.
Python
9
star
16

kubectl-in-toto

Go
9
star
17

in-toto-webhook

Go
8
star
18

apt-transport-in-toto

in-toto transport for apt
Python
8
star
19

github-action

in-toto provenance github action
JavaScript
6
star
20

Dockerfiles

Dockerfile
5
star
21

totoify-grafeas

Python
4
star
22

in-toto-testing

Python
3
star
23

layout-web-tool

A flask app that helps to create, modify and visualize in-toto layouts.
Python
2
star
24

image-resources

This repo contains image-related resources for in-toto
1
star
25

in-toto.io

HTML
1
star
26

in-toto-inspections

A set of common in-toto inspections
Python
1
star
27

ite-4-demo

Python
1
star
28

demo-jekyll

Metadata and scripts to secure a basic jekyll supply chain with in-toto and grafeas
Shell
1
star