in-toto -- Securing supply chains as a whole

In order to create their software packages, Debian maintainers perform a series of steps that include cloning of upstream sources, debianization of files, testing, linting, and packaging. Taken together, these steps make up the package’s software supply chain.

The security of this supply chain is crucial to the overall security of the software product. An attacker who is able to control a step in that chain, such as the version control system, the build process or the debianization steps, can alter the product for malicious intents. By introducing backdoors or including vulnerable libraries in any of these steps, or in between, attackers can target all of Debian’s users at once.

Although existing point solutions, like VCS signing or reproducible builds, provide integrity and authentication to individual steps in the software supply chain, they provide little security to an already compromised product. Hence, there is a need to verify the integrity and authenticity of a project from inception to the installation on an end user’s device.

In this talk we present in-toto, a set of tools to define, carry out, and verify the integrity and authenticity of any software supply chain as a whole. The presentation will include a live demo.

• Video
• Slides