You can install in-toto using either pip or your favorite package manager.


We strongly suggest you use a virtual environment if you are installing in-toto with pip or from source.

On Debian

You can install in-toto on Debian using apt/apt-get:

apt install in-toto

This should provide all the dependencies you need to run in-toto.

On Arch Linux

On Arch Linux, you can install in-toto by using pacman:

pacman -S in-toto

Using pip

To install using pip, simply run:

pip install in-toto

You may also need to install some system dependencies (depending on your host). These are:

  • OpenSSL, used to generate and verify RSA signatures, and to export and verify signatures created with GPG.

  • GPG, if you plan on generating PGP signatures (verification works without GPG).
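
The pip route described above, as an added example that is not part of the in-toto documentation or project: a POSIX shell script that checks for the two system dependencies just listed and then installs in-toto into a virtual environment. The `VENV_DIR` variable, the function names and the `install` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pip-based install of in-toto inside a virtual environment.
# VENV_DIR, the function names and the "install" argument are illustrative
# assumptions, not part of in-toto.

VENV_DIR="${VENV_DIR:-.venv-in-toto}"

# Print the system dependencies from the list above that are not on PATH,
# separated by spaces (empty output means both were found).
missing_deps() {
    missing=""
    for tool in openssl gpg; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            missing="${missing:+$missing }$tool"
        fi
    done
    printf '%s' "$missing"
}

# Warn about each missing tool, using the purpose given in the list above.
report_deps() {
    for tool in $(missing_deps); do
        case "$tool" in
            openssl) echo "warning: openssl not found (RSA signatures, GPG signature export/verification)" >&2 ;;
            gpg)     echo "warning: gpg not found (needed to generate PGP signatures; verification works without it)" >&2 ;;
        esac
    done
}

# Create the virtual environment and install in-toto with the venv's own pip,
# so nothing is written to the system-wide Python installation.
install_in_toto() {
    report_deps
    python3 -m venv "$VENV_DIR" || return 1
    "$VENV_DIR/bin/pip" install in-toto || return 1
    "$VENV_DIR/bin/pip" show in-toto
}

# Only install when explicitly asked to: sh this-script.sh install
if [ "${1:-}" = "install" ]; then
    install_in_toto
fi
```
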

Installing from Source

If your system doesn’t provide in-toto, you can install it from source. To do so, you will need the following dependencies:

With these dependencies installed, fetch the latest tarball of in-toto here. Unpack it into a directory you trust and execute the following commands in a terminal:

pip install .

Installing for Development

To install in-toto in editable mode, together with development dependencies, clone the in-toto git repository, change into the project root directory, and install with pip:

pip install -r requirements-dev.txt