in-toto attestations

Subject, predicate, and composing evidence.

Advanced35 min · lesson 5 of 15

in-toto is the open framework beneath modern supply-chain evidence — the standard way to make signed, machine-checkable claims about artifacts. SLSA provenance, SBOMs, and test results are all expressed as in-toto attestations, so understanding its shape lets you compose and verify any of them.

Subject and predicate

An in-toto attestation is a signed statement with two parts: a subject, which identifies the artifact by cryptographic digest, and a predicate, which is the actual claim about it. The predicate type says what kind of claim it is — SLSA provenance, a CycloneDX/SPDX SBOM, a test-result attestation, a VSA — and its body carries the details. Because the subject is a digest, the claim is welded to exactly those bytes; because the whole statement is signed, it is tamper-evident and attributable. This uniform shape is what lets one verifier reason about many kinds of evidence.

the in-toto statement shape
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{ "name": "api", "digest": { "sha256": "9f2c..." } } // WHICH artifact
],
"predicateType": "https://slsa.dev/provenance/v1", // WHAT kind of claim
"predicate": { /* builder, source, materials ... */ } // the claim itself
}
# Swap predicateType to https://cyclonedx.org/... for an SBOM attestation.
# The signed envelope (DSSE) around this makes it tamper-evident.

Composing evidence into policy

Because every claim shares the same structure, an artifact can carry several attestations — provenance, an SBOM, a scan result, a VSA — and a verifier can require a combination before trusting it: "built by our pipeline AND has an SBOM AND passed scanning". A Verification Summary Attestation lets one authority record that it checked an artifact against policy, so downstream consumers can trust that decision without re-running every check. This composability is what turns scattered evidence into an enforceable, layered trust decision at the gate.

in-toto: one shape, many claims
the statement
subject
artifact digest — WHICH bytes
predicate
the claim — WHAT about them
signed envelope (DSSE)
tamper-evident + attributable
predicate types
SLSA provenance
how it was built
SBOM (SPDX/CycloneDX)
what is inside
VSA
it was verified vs policy
Digest-bound, signed claims in one format. Compose them into policy: require provenance AND SBOM AND scan before trust.
A digest-bound claim cannot be transplanted — a name-bound one can
The security of an attestation rests on the subject being a cryptographic digest. Evidence keyed only to a tag or filename could be lifted onto a different, malicious artifact. Always verify that the attestation’s subject digest matches the exact artifact you are about to deploy.