question about key access


Javi D R

Feb 1, 2021, 11:55:50 AM
to in-toto-public

Apologies if the question is dumb, I just discovered this tool and I am really interested in it.

How I understand it, is that in-toto will cryptographically sign every step in a pipeline, correct?

The question I have is... imagine I am an attacker and I want to add malware to a software I am building in that pipeline. If in-toto has access to the key to sign those steps as passed, then I will also have access to the same key, isn't it? If I have access to that key, I can also sign the step where I have built the malicious artifact.

I am sure this is under control and I am wrong, but I'm struggling to understand how in-toto can access that key when it is a genuine step, and how an attacker who has access to the pipeline can't use that key.


Aditya Sirish A Yelgundhalli

Feb 2, 2021, 10:45:10 AM

Hi Javi,

in-toto intrinsically doesn't have access to any private keys that are used to sign link metadata for steps. The people (or machines) authorized to perform a step must also have access to the corresponding key, and use it while generating in-toto links. in-toto layouts contain public keys that are used to verify the signatures of metadata files generated using private keys.

In your scenario, as an attacker who has gained access to the source code for example, you'd (hopefully!) not have access to the authorized keys that the actual developers have. However, managing private keys is not within the scope of in-toto, and appropriate best practices must be followed. I must note that in-toto minimizes the danger of an attacker gaining access to any one private key by supporting a "threshold" of keys, i.e., a step in the supply chain can be configured to require signatures from more than one key.

I hope this clears it up!

- Aditya
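The split Aditya describes (private keys stay with the functionaries, the layout only carries public keys, and a step can require a threshold of signatures) can be modelled in a few dozen lines. The following is an added example written for this thread, not in-toto's own code or its API: it uses Ed25519 from the Go standard library, a minimal `StepPolicy` standing in for the key and threshold fields of a layout step, and a `SignedLink` standing in for link metadata. All names and the product hashes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Functionary is a person or machine authorized to perform a step.
// Only the functionary holds priv; the layout only ever sees Pub.
type Functionary struct {
	KeyID string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

// StepPolicy models the part of a layout step that matters here:
// which public keys may sign the step's link, and how many distinct
// valid signatures are required (the threshold).
type StepPolicy struct {
	Name      string
	PubKeys   map[string]ed25519.PublicKey // keyid -> public key
	Threshold int
}

// Link is the statement "this step ran and produced these artifacts".
type Link struct {
	Step     string            `json:"step"`
	Products map[string]string `json:"products"` // path -> digest
}

type Signature struct {
	KeyID string
	Sig   []byte
}

type SignedLink struct {
	Link
	Signatures []Signature
}

func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func NewFunctionary() Functionary {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Functionary{KeyID: keyID(pub), Pub: pub, priv: priv}
}

// canonical gives a deterministic byte form of the link to sign (map keys sort).
func canonical(l Link) []byte {
	b, err := json.Marshal(l)
	if err != nil {
		panic(err)
	}
	return b
}

// Sign appends this functionary's signature; the signing happens where the
// private key lives, never inside the verifier.
func (f Functionary) Sign(sl *SignedLink) {
	sl.Signatures = append(sl.Signatures, Signature{KeyID: f.KeyID, Sig: ed25519.Sign(f.priv, canonical(sl.Link))})
}

// VerifyStep counts valid signatures from distinct authorized keys and
// accepts the link only if that count reaches the threshold.
func VerifyStep(p StepPolicy, sl SignedLink) (bool, int) {
	if sl.Step != p.Name {
		return false, 0
	}
	msg := canonical(sl.Link)
	seen := map[string]bool{}
	for _, s := range sl.Signatures {
		pub, ok := p.PubKeys[s.KeyID]
		if !ok || seen[s.KeyID] { // unknown key, or same key counted already
			continue
		}
		if ed25519.Verify(pub, msg, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen) >= p.Threshold, len(seen)
}

// Scenarios plays out the question from the thread: two authorized builders
// with a threshold of 2, then an attacker who controls the pipeline but not
// both private keys. Product digests are constructed placeholders.
func Scenarios() map[string]bool {
	alice, bob, attacker := NewFunctionary(), NewFunctionary(), NewFunctionary()
	policy := StepPolicy{Name: "build", Threshold: 2,
		PubKeys: map[string]ed25519.PublicKey{alice.KeyID: alice.Pub, bob.KeyID: bob.Pub}}
	clean := map[string]string{"app.bin": "digest-of-clean-build"}
	bad := map[string]string{"app.bin": "digest-of-malicious-build"}
	out := map[string]bool{}

	genuine := SignedLink{Link: Link{Step: "build", Products: clean}}
	alice.Sign(&genuine)
	bob.Sign(&genuine)
	out["both_authorized"], _ = VerifyStep(policy, genuine)

	// The attacker's own key is not in the layout, so its signature counts for nothing.
	own := SignedLink{Link: Link{Step: "build", Products: bad}}
	attacker.Sign(&own)
	out["attacker_own_key"], _ = VerifyStep(policy, own)

	// One stolen authorized key yields one valid signature, below the threshold of 2.
	oneKey := SignedLink{Link: Link{Step: "build", Products: bad}}
	alice.Sign(&oneKey)
	out["one_stolen_key"], _ = VerifyStep(policy, oneKey)

	// Editing an already-signed link invalidates the existing signatures.
	tampered := genuine
	tampered.Link.Products = bad
	out["tampered_after_signing"], _ = VerifyStep(policy, tampered)

	// Signing twice with the same key must not satisfy a threshold of 2.
	dup := SignedLink{Link: Link{Step: "build", Products: clean}}
	alice.Sign(&dup)
	alice.Sign(&dup)
	out["same_key_twice"], _ = VerifyStep(policy, dup)
	return out
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-24s accepted=%v\n", name, ok)
	}
}
```

Only `both_authorized` is accepted. The point for the original question is the direction of the check: the pipeline's verifier needs only the public keys in the layout, so an attacker who controls the pipeline gains no signing capability from it; the threshold then makes a single leaked functionary key insufficient on its own.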
