in-toto-mock is a variant of ‘in-toto-run’ that can be used to create unsigned link metadata, using defaults for many of the ‘in-toto-run’ arguments. in-toto-mock verbosely executes the passed command, records all files in the current working directory as materials and products, and generates a link file under ‘<name>.link’.

This is useful for trying out how to generate a link without the need for a key, or knowledge about all ‘in-toto-run’ arguments. It can also be used to quickly generate link metadata, inspect it and sign it retroactively.

usage: in-toto-mock [-h] --name <name> -- <command> [args]

Required Named Arguments

-n, --name

name for the resulting link metadata file, which is written to ‘<name>.link’. It is also used to associate the link with a step defined in an in-toto layout.

Positional Arguments


command to be executed. It is separated from named and optional arguments by a double dash ‘–‘.



generate metadata using dsse (experimental).

Default: False


show program’s version number and exit

Example Usage

Generate unsigned link metadata ‘’ for the activity of creating file ‘bar’, inspect it, and sign it with ‘mykey’

# Generate unsigned link
in-toto-mock --name foo -- touch bar
# Inspect and/or update unsigned link metadata
# Sign the link, attesting to its validity, and write it to
# 'foo.<mykey keyid prefix>.link'.
in-toto-sign -k mykey -f