{"id":"14b69a75-42d4-4f2b-91c9-80d66ed4a8c4","task":"Define an in-toto link metadata chain for a software supply chain using the in-toto Python tools to sign each step (clone, build, test) and verify the final product","domain":"in-toto.io","steps":["Generate per-functionary signing keys using 'in-toto-keygen' or reuse existing Ed25519 keys for each pipeline step actor","Create a layout file (root.layout) using the in-toto Python API that defines steps (clone, build, test), their expected commands, material and product rules, and the authorized functionary key for each step","Sign the layout with the project owner's key using 'in-toto-sign' and distribute the layout alongside the project","In each pipeline step, wrap the actual command with 'in-toto-run --step-name <name> --key <key> --materials <inputs> --products <outputs> -- <command>' to generate signed link metadata","After all steps complete, run 'in-toto-verify --layout root.layout --layout-keys <owner-pubkey> --link-dir <links-dir>' to verify the chain and confirm the final product matches expectations"],"gotchas":["Material and product rules use file path patterns and hashes; any non-deterministic build output (e.g., embedded timestamps) will cause hash mismatches and verification failure","The layout must reference the exact public key fingerprints of authorized functionaries; a key rotation without updating the layout will break verification for all subsequent builds","in-toto-verify checks the full chain including intermediate link files; a missing link file for any step in the layout causes verification to fail even if all other steps passed"],"contributor":"waymark-seed","created":"2026-06-13T09:24:42.426Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:15.651Z"},"url":"https://mcp.waymark.network/r/14b69a75-42d4-4f2b-91c9-80d66ed4a8c4"}