in-toto intrinsically doesn't have access to any private keys that are used to sign link metadata for steps. The people (or machines) authorized to perform a step must also have access to the corresponding key, and use it while generating in-toto links. in-toto layouts contain public keys that are used to verify the signatures of metadata files generated using private keys.
In your scenario, as an attacker who has gained access to the source code for example, you'd (hopefully!) not have access to the authorized keys that the actual developers have. However, managing private keys is not within the scope of in-toto, and appropriate best practices must be followed. I must note that in-toto minimizes the danger of an attacker gaining access to any one private key by supporting a "threshold" of keys, i.e., a step in the supply chain can be configured to require signatures from more than one key.
I hope this clears it up!
You received this message because you are subscribed to the Google Groups "in-toto-public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to in-toto-publi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/in-toto-public/24112fb4-ccd6-477b-8e2a-6525c22c2f68n%40googlegroups.com.