News

in-toto’s specification reaches v1.0!

in-toto has moved from the Cloud Native Computing Foundation (CNCF) Sandbox to the Incubator! Read the full announcement here.

Our Google Summer of Code 2021 intern Qijia “Joy” Liu shares her story about the in-toto Rust implementation

The Google security team mentions in-toto in their blog article Verifiable Supply Chain Metadata for Tekton

Peter Elkind and Jack Gillum published an article SolarWinds about in-toto in ProPublica

Tech Xplore released an article warning about software supply chain attacks and describing in-toto.

The Linux Foundation received support to help advance several projects, including in-toto!

Our Google Summer of Code 2020 intern Christian Rebischke shares his story about the in-toto Go implementation

Tobias Furuholm presented in-toto at the CASTOR Software Days and shared a video recording and his slides with us.

Adrian Colyer wrote an article about in-toto in “the morning paper”.

in-toto was featured in the blog post “33(+) Kubernetes Security Tools”.

We demonstrated how reproducible builds can be verified on “apt install” using in-toto at MiniDebConf Hamburg. You can watch it online.

Datadog has deployed TUF and in-toto into their pipeline! Read more here.

Our paper “in-toto: providing farm-to-table security properties for bits and bytes” was accepted into USENIX ‘19. More information here.

We’ve worked alongside with Control Plane to make a test deployment of Kubesec using in-toto.

We released the first version of the official in-toto Jenkins plugin. This provenance Agent will help you track and sign link metadata for any step within your pipeline in a secure and distributed way.

Colin Domoney gave a talk on this year’s DevSecCon London. He covered some of the fundamentals of in-toto to protect your cloud native deployment, as well as some other good supply-chain security practices.

Pacman 5.1 has been released! This new version adds support for reproducible builds, and includes a security check for tampered git tag metadata.

A LWN article has been published, covering various supply chain security issues and their solutions, including grafeas, the update framework, and in-toto.

We presented in-toto along with Grafeas at Kubecon 2018.

Grafeas mentioned in-toto integration plans on the Google Cloud platform blog.

Our le-git-imate paper on improving the security of web-based Git repositories has been accepted at ASIACCS 2018!

We will present an integration of in-toto and Grafeas at KubeCon + CloudNativeCon Europe 2018 on May 2 in Copenhagen, Denmark.

A fix to our git tag metadata tampering attack paper (USENIX ‘16) has been included in the master branch of the pacman package manager and will be included in the next release.

Lukas presented in-toto at Debian’s Debconf 2017. You can watch the video of the talk here.

We presented a demo of in-toto at Dockercon 2017. You can watch the video here.

A fix to our git tag metadata tampering vulnerability was merged into git’s master branch and will be available starting from git v2.12. You can read more about it in our USENIX ‘16 paper.

We presented a demo of in-toto in the Docker Distributed System Summit. You can watch the video here.

We are live! please check back soon for more updates.