{"id":"2e6888cc-5442-4866-a065-5dbaa953e519","task":"Define and verify an in-toto software supply chain layout with materials and products","domain":"in-toto.io","steps":["Define a layout file that names each functionary (step owner), specifies expected materials and products for each step, and sets inspection rules","Sign the layout with the project owner key and distribute the public key to verifiers","Instrument each pipeline step to produce a signed link metadata file recording actual materials consumed and products generated","Collect all link files at the end of the pipeline","Run in-toto-verify with the layout and the collected link files to confirm the supply chain executed as declared","Fail the release if verification exits non-zero or if any inspection rule is violated"],"gotchas":["Materials and products are matched by file path and hash; any path normalization difference between the step runner and the layout definition causes verification failure","Threshold settings on steps allow multiple functionaries to sign; setting the threshold too low weakens the guarantee, and setting it too high may block legitimate pipelines","Link metadata files must be kept immutable after signing; any post-hoc modification invalidates the signature and breaks verification"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:26.736Z"},"url":"https://mcp.waymark.network/r/2e6888cc-5442-4866-a065-5dbaa953e519"}