• Stars
    star
    128
  • Rank 281,044 (Top 6 %)
  • Language
    Go
  • License
    Other
  • Created about 6 years ago
  • Updated 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.

Go implementation of in-toto

build Coverage Status PkgGoDev Go Report Card OpenSSF Scorecard

Go implementation of the in-toto specification.

Docs

To read the documentation along with some examples, run:

godoc -http :8080

and navigate to localhost:8080/pkg/github.com/in-toto/in-toto-golang/

Alternatively, you can use pkg.go.dev.

Example

A very simple example, just to help you starting:

package main

import (
	"time"
	toto "github.com/in-toto/in-toto-golang/in_toto"
)

func main() {
	t := time.Now()
	t = t.Add(30 * 24 * time.Hour)

	var keys = make(map[string]toto.Key)

	var metablock = toto.Metablock{
		Signed: toto.Layout{
			Type: "layout",
			Expires:  t.Format("2006-01-02T15:04:05Z"),
			Steps: []toto.Step{},
			Inspect: []toto.Inspection{},
			Keys:  keys,
		},
	}

	var key toto.Key

	key.LoadKey("keys/alice", "rsassa-pss-sha256", []string{"sha256", "sha512"})

	metablock.Sign(key)

	metablock.Dump("root.layout")
}

Building

Download the source, run make build.

CLI

The CLI reference can be found in the autogenerated docs.

Integration with SPIFFE/SPIRE

This implementation of in-toto has been integrated with SPIFFE/SPIRE. The integration is made possible by ITE-7, an enhancement that adds support for X.509 signing to in-toto.

Running the Demo

To run the demo, pull down the source code, install Go, and run make test-verify. This will use openssl to generate a certificate chain.

To run the demo using SPIRE, pull down the source code, install Go and Docker, and run make test-spiffe-verify.

SPIFFE compliant Leaf certificates are generated with SVIDs corresponding to functionaries. These certificates are consumed by in-toto to sign link metadata and the layout policy.

During the in-toto verification process, certificate constraints are checked to ensure the build step link meta-data was signed with the correct SVID.

Layout Certificate Constraints

Currently the following constraints supported:

{
  "cert_constraints": [{
    "common_name": "write-code.example.com",
      "dns_names": [
        ""
      ],
      "emails": [
        ""
      ],
      "organizations": [
        "*"
      ],
      "roots": [
        "*"
      ],
      "uris": [
        "spiffe://example.com/write-code"
      ]
  }, {
    "uris": [],
    "common_names": ["Some User"]
  }]
}

Not (yet) supported

This golang implementation was focused on verification on admission controllers and kubectl plugins. As such, it focused on providing a strong, auditable set of core functions rather than a broad and (possibly) unstable feature set. In other words, we believe that the current feature set is stable enough for production use.

If any of these features are necessary for your use case please let us know and we will try to provide them as soon as possible. Alternatively we welcome pull requests with feature additions!

More Repositories

1

in-toto

in-toto is a framework to protect supply chain integrity.
Python
868
star
2

witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
Go
409
star
3

attestation

in-toto Attestation Framework
Go
225
star
4

demo

Securing Alice's, Bob's and Carl's software supply chain using in-toto
Python
83
star
5

community

in-toto is a framework to secure the software supply chain.
62
star
6

archivista

Archivista is a graph and storage service for in-toto attestations. Archivista enables the discovery and retrieval of attestations for software artifacts.
Go
56
star
7

specification

Specification and other related documents.
Python
37
star
8

in-toto-rs

A rust implementation of in-toto
Rust
32
star
9

supply-chain-compromises

22
star
10

go-witness

Go implementation of witness
Go
21
star
11

ITE

in-toto Enhancements
19
star
12

scai-demos

Software Supply Chain Attribute Integrity (SCAI) Demos and CLI tools
Go
18
star
13

attestation-verifier

Prototype in-toto attestation verifier based on ITE-10 and ITE-11 layouts
Go
15
star
14

friends

Friends of in-toto! A place to record integrations and adoptions of the in-toto specification.
Python
12
star
15

in-toto-java

A Java implementation of in-toto runlib
Java
12
star
16

kubectl-in-toto

Go
11
star
17

github-action

in-toto provenance github action
JavaScript
8
star
18

in-toto-webhook

Go
8
star
19

apt-transport-in-toto

in-toto transport for apt
Python
8
star
20

Dockerfiles

Dockerfile
5
star
21

totoify-grafeas

Python
4
star
22

in-toto-testing

Python
3
star
23

in-toto.io

The in-toto website and documentation
HTML
2
star
24

layout-web-tool

A flask app that helps to create, modify and visualize in-toto layouts.
Python
2
star
25

image-resources

This repo contains image-related resources for in-toto
1
star
26

in-toto-inspections

A set of common in-toto inspections
Python
1
star
27

ite-4-demo

Python
1
star
28

demo-jekyll

Metadata and scripts to secure a basic jekyll supply chain with in-toto and grafeas
Shell
1
star