Question 1

How do I use in-toto-golang with Kubernetes admission controllers?

Accepted Answer

Leverage the core verification functions to cryptographically check supply chain steps within your controller logic; the implementation is optimized for this use case, with examples in the godoc documentation.

Question 2

Does in-toto-golang support GPG keys for signing metadata?

Accepted Answer

No, GPG key support is not implemented yet, as listed under 'Not (yet) supported' in the README. It primarily uses X.509 certificates through SPIFFE/SPIRE integration.

Question 3

What are the certificate constraints and how do they work?

Accepted Answer

Certificate constraints enforce attributes like common name, URIs, and organizations during verification. The README provides a JSON example showing how to specify constraints for SPIFFE IDs and other fields.

Question 4

How to set up SPIFFE/SPIRE integration for a demo?

Accepted Answer

Install Go and Docker, then run 'make test-spiffe-verify' from the source code. This generates SPIRE-compliant certificates and demonstrates the verification process, but it requires additional infrastructure setup.

Question 5

in-toto-golang vs the Python implementation: which is better for my project?

Accepted Answer

Choose in-toto-golang if you're working in Go, especially for Kubernetes environments with SPIFFE/SPIRE needs. The Python version might offer more features but less focus on production-ready core verification for admission controllers.

Question 6

How can I verify a software supply chain step by step with this library?

Accepted Answer

Define a layout with steps and inspections, sign it using supported keys (like X.509), and use the verification functions. Refer to the simple example in the README and the godoc for detailed API usage.

in-toto

What is in-toto?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions