in-toto-mock
in-toto-mock is a variant of ‘in-toto-run’ that can be used to create unsigned link metadata, using defaults for many of the ‘in-toto-run’ arguments. in-toto-mock verbosely executes the passed command, records all files in the current working directory as materials and products, and generates a link file under ‘<name>.link’.
This is useful for trying out how to generate a link without the need for a key, or knowledge about all ‘in-toto-run’ arguments. It can also be used to quickly generate link metadata, inspect it and sign it retroactively.
usage: in-toto-mock [-h] --name <name> -- <command> [args]
Required Named Arguments
- -n, --name
name for the resulting link metadata file, which is written to ‘<name>.link’. It is also used to associate the link with a step defined in an in-toto layout.
Positional Arguments
- <command>
command to be executed. It is separated from named and optional arguments by a double dash ‘–‘.
Options
- --use-dsse
generate metadata using dsse (experimental).
Default: False
- --version
show program’s version number and exit
Example Usage
Generate unsigned link metadata ‘foo.link’ for the activity of creating file ‘bar’, inspect it, and sign it with ‘mykey’
# Generate unsigned link
in-toto-mock --name foo -- touch bar
# Inspect and/or update unsigned link metadata
vi foo.link
# Sign the link, attesting to its validity, and write it to
# 'foo.<mykey keyid prefix>.link'.
in-toto-sign -k mykey -f foo.link