{"id":"9f1e1b64-82d6-461a-a79d-7ce1e398a6a8","task":"Use the in-toto Python library to create and sign link metadata for each step in a software supply chain","domain":"in-toto.io","steps":["Install `in-toto` via pip: `pip install in-toto`. The CLI tools below wrap the Python entry points `in_toto.runlib.in_toto_run` (record and sign one link) and `in_toto.verifylib.in_toto_verify` (check links against a layout), which you call directly when driving the chain from Python","Generate a functionary key pair. `in-toto-keygen` takes the key type with `-t`, not `--scheme`: `in-toto-keygen -t ed25519 functionary` writes the private key `functionary` and the public key `functionary.pub`. Recent releases deprecate this helper in favour of PEM keys from any generator, e.g. `openssl genpkey -algorithm ed25519 -out functionary.pem` followed by `openssl pkey -in functionary.pem -pubout -out functionary.pub`","Run each pipeline step wrapped with `in-toto-run`. The step is named with `-n/--step-name` (there is no `--name` flag) and inputs and outputs are recorded with `-m/--materials` and `-p/--products`: `in-toto-run --step-name clone --products src/ --signing-key functionary.pem -- git clone <repo> src/`. Use the key option that matches the key format: `--signing-key` expects a PEM file, while keys written by `in-toto-keygen` are loaded with the older `-k/--key` option","Collect the `.link` file written by each `in-toto-run` invocation. Files are named `<step-name>.<first 8 hex chars of the signing keyid>.link`, so links from different functionaries for the same step do not overwrite each other","Write the layout (each step with its `expected_materials`/`expected_products` artifact rules, the functionary `pubkeys` allowed to sign it and a `threshold`), sign it with the project owner's private key (`in-toto-sign -f root.layout --signing-key root.pem`) and verify the chain against it: `in-toto-verify --layout root.layout --verification-keys root.pub --link-dir .` (older releases spell the key option `--layout-keys`)"],"gotchas":["The layout must be signed by the project owner's private key, and the matching public key is what you pass to `in-toto-verify`; the layout must list every step together with the public keys of the functionaries allowed to sign it. Verification fails when a step has fewer than `threshold` valid links or when an artifact rule does not hold. A difference between `expected_command` and the command recorded in a link is only logged as a warning: the recorded command is self-reported by the functionary, so in-toto does not treat it as evidence","Links record sha256 hashes of materials before and products after the command, and the layout's MATCH rules compare one step's products with the next step's materials. Non-deterministic output (embedded timestamps, random UUIDs) therefore breaks verification wherever the same artifact is produced more than once: steps with `threshold` greater than 1, whose links must agree on materials and products, and inspections that rebuild an artifact at verification time and MATCH it against a recorded product","`in-toto-run` records only the command line it was given (plus stdout, stderr and the return value when `-s/--record-streams` is set), so wrapping a script records the script invocation, not the processes it spawns. What the link actually attests is the set of artifact hashes recorded around the command, so make sure `--materials` and `--products` cover everything the step consumed and produced"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/9f1e1b64-82d6-461a-a79d-7ce1e398a6a8"}
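The following is an added example written for this note, not in-toto's own code. It models in plain Python what the steps above produce and what verification checks: the sha256 artifact dictionaries a link carries, a layout's MATCH/CREATE/DISALLOW rules consuming them, and the requirement that links for a threshold step agree with each other. The file trees, step names and rule set are constructed for illustration, the rule engine is a simplification (no `IN` prefixes, no inspections, no signatures), and the real entry points are `in_toto.runlib.in_toto_run` and `in_toto.verifylib.in_toto_verify`.

```python
"""Illustration of what an in-toto link records and how layout artifact rules
are checked.  Example code written for this note, not part of in-toto: the real
tooling (in_toto.runlib.in_toto_run, in_toto.verifylib.in_toto_verify) also
signs the metadata, records byproducts and implements the full rule language."""
import fnmatch
import hashlib

# Constructed in-memory trees (path -> bytes) standing in for the working
# directory at the moment each step ran.
SRC = {"src/main.c": b"int main(void) { return 0; }\n"}
SRC_TAMPERED = {"src/main.c": b"int main(void) { return 1; } /* edited after clone */\n"}
APP = {"out/app": b"\x7fELF fake-binary built from src/main.c"}
APP_STAMPED = {"out/app": b"\x7fELF fake-binary built at 2024-01-01T00:00:01Z"}

def record_artifacts(tree, pattern="*"):
    """Hash files the way in-toto records materials and products."""
    return {path: {"sha256": hashlib.sha256(data).hexdigest()}
            for path, data in sorted(tree.items())
            if fnmatch.fnmatch(path, pattern)}

def make_link(name, command, materials, products):
    """The `signed` body of a .link file; the library wraps it in
    {"signatures": [...], "signed": {...}} and writes <name>.<keyid[:8]>.link."""
    return {"_type": "link", "name": name, "command": command,
            "materials": materials, "products": products,
            "byproducts": {}, "environment": {}}

# expected_* rules of two layout steps.  Rules consume matching paths in order;
# anything still unconsumed when DISALLOW "*" runs fails the step.
LAYOUT_STEPS = {
    "clone": {"expected_materials": [],
              "expected_products": [["CREATE", "src/*"], ["DISALLOW", "*"]]},
    "build": {"expected_materials": [["MATCH", "src/*", "WITH", "PRODUCTS",
                                      "FROM", "clone"], ["DISALLOW", "*"]],
              "expected_products": [["CREATE", "out/*"], ["DISALLOW", "*"]]},
}

def check_rules(rules, link, kind, links):
    """Apply one step's expected_materials or expected_products rules to a
    link (kind is "materials" or "products").  Supports MATCH, CREATE, ALLOW and
    DISALLOW; returns None on success or a message naming what DISALLOW hit."""
    artifacts = link[kind]
    queue = set(artifacts)
    for rule in rules:
        op, pattern = rule[0], rule[1]
        hits = {p for p in queue if fnmatch.fnmatch(p, pattern)}
        if op == "MATCH":
            # ["MATCH", pat, "WITH", "MATERIALS"|"PRODUCTS", "FROM", step]: a path
            # is consumed only if the source step recorded the same hash for it.
            source = links[rule[5]][rule[3].lower()]
            hits = {p for p in hits if p in source and source[p] == artifacts[p]}
        elif op == "CREATE":
            # CREATE consumes products that did not exist among the materials.
            hits = {p for p in hits if p not in link["materials"]}
        elif op == "DISALLOW":
            if hits:
                return f"{link['name']} {kind}: DISALLOW {pattern!r} hit {sorted(hits)}"
            continue
        elif op != "ALLOW":
            raise ValueError(f"rule {op} is not supported in this example")
        queue -= hits
    return None

def verify_chain(build_src_tree, build_out_tree):
    """Record the clone and build links from the given trees and check them
    against LAYOUT_STEPS.  Returns None when every rule holds."""
    links = {
        "clone": make_link("clone", ["git", "clone", "<repo>", "src/"],
                           {}, record_artifacts(SRC)),
        "build": make_link("build", ["make"],
                           record_artifacts(build_src_tree, "src/*"),
                           record_artifacts(build_out_tree, "out/*")),
    }
    for name, step in LAYOUT_STEPS.items():
        for kind in ("materials", "products"):
            err = check_rules(step["expected_" + kind], links[name], kind, links)
            if err:
                return err
    return None

def links_agree(*links):
    """in-toto counts a link toward a step's threshold only if it records the
    same materials and products as the step's other links."""
    first = links[0]
    return all(l["materials"] == first["materials"]
               and l["products"] == first["products"] for l in links[1:])

if __name__ == "__main__":
    print("clean chain:", verify_chain(SRC, APP))
    print("source changed after clone:", verify_chain(SRC_TAMPERED, APP))
    a = make_link("build", ["make"], record_artifacts(SRC), record_artifacts(APP))
    b = make_link("build", ["make"], record_artifacts(SRC), record_artifacts(APP_STAMPED))
    print("two builders agree:", links_agree(a, b))
```

Running the module shows a clean chain passing, a source tree edited between `clone` and `build` failing on the MATCH rule (the unmatched path is caught by the trailing `DISALLOW "*"`), and two builders whose outputs differ only by an embedded timestamp failing to agree, which is the threshold failure described in the second gotcha.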