Hi Javi,
in-toto intrinsically doesn't have access to any private keys that
are used to sign link metadata for steps. The people (or machines)
authorized to perform a step must also have access to the
corresponding key, and use it while generating in-toto links.
in-toto layouts contain public keys that are used to verify the
signatures of metadata files generated using private keys.
In your scenario, as an attacker who has gained access to the
source code for example, you'd (hopefully!) not have access to the
authorized keys that the actual developers have. However, managing
private keys is not within the scope of in-toto, and appropriate
best practices must be followed. I must note that in-toto
minimizes the danger of an attacker gaining access to any one
private key by supporting a "threshold" of keys, i.e., a step in
the supply chain can be configured to require signatures
from more than one key.
I hope this clears it up!
- Aditya
--
You received this message because you are subscribed to the Google Groups "in-toto-public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to in-toto-publi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/in-toto-public/24112fb4-ccd6-477b-8e2a-6525c22c2f68n%40googlegroups.com.