A framework to secure the integrity of software supply chains


10/14/19 Tobias Furuholm presented in-toto at the CASTOR Software Days and shared a video recording and his slides with us.
10/02/19 Adrian Colyer wrote an article about in-toto in "the morning paper".
07/09/19 in-toto was featured in the blog post "33(+) Kubernetes security tools."
06/08/19 We demonstrated how reproducible builds can be verified on "apt install" using in-toto at MiniDebConf Hamburg. You can watch it online.
06/03/19 Datadog has deployed TUF and in-toto into their pipeline! Read more here.
05/22/19 We hosted a TUF deep dive session featuring in-toto at KubeCon Europe. A recording is available on YouTube.
06/01/19 Our paper "in-toto: providing farm-to-table security properties for bits and bytes" was accepted into USENIX '19 More information about it here
02/13/19 We've worked alongside with Control Plane to make a test deployment of Kubesec using in-toto.
01/07/19 We released the first version of the official in-toto Jenkins plugin. This provenance Agent will help you track and sign link metadata for any step within your pipeline in a secure and distributed way.
10/19/18 Colin Domoney gave a talk on this year's DevSecCon London. He covered some of the fundamentals of in-toto to protect your cloud native deployment, as well as some other good supply-chain security practices.
05/29/18 Pacman 5.1 has been released!. This new version adds support for reproducible builds, and includes a security check for tampered git tag metadata.
05/17/18 A LWN article has been published, covering various supply chain security issues and their solutions, including grafeas, the update framework, and in-toto.
05/02/18 We presented in-toto along with Grafeas in Kubecon 2018.
04/12/18 Grafeas mentioned the in-toto integration plans on today's Google Cloud platform blog.
03/03/18 Our le-git-imate paper on improving the security of web-based Git repositories has been accepted at ASIACCS 2018!
02/20/18 We will present an integration of in-toto and Grafeas at KubeCon + CloudNativeCon Europe 2018 on May 2 in Copenhagen, Denmark.
10/17/17 A fix to our git tag metadata tampering attack paper [USENIX'16] has been included in the master branch of the pacman package manager and will be included in the next release.
08/10/17 Lukas presented in-toto at Debian's Debconf 2017. You can watch the video of the talk here.
02/06/17 We presented a demo of in-toto at Dockercon 2017. You can watch the video here.
01/17/17 A fix to our git tag metadata tampering vulnerability was merged into git's master branch and will be available starting from git v2.12. You can read more about it in our [USENIX'16] paper.
10/14/16 We presented a demo of in-toto in the Docker Distributed System Summit. You can watch the video here.
10/07/16 We are live! please check back soon for more updates.