in-toto is a project for protecting supply chain integrity. It is a sister project of the TUF project, and both exist to tighten the release process and make releases more secure. Not surprisingly, in-toto has framework implementations in several languages, including Go. The Go in-toto framework is missing the runlib functionality. The runlib library captures evidence of a running process. For this project, the Python implementation can serve as the reference for reimplementing the same functionality in Go. In the end, it should be possible to call a function or a group of functions from Go to generate and sign in-toto link metadata.
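The evidence capture described above, as an added Go example (not code from the in-toto project): hash the working directory, run the command, hash again, and keep the output and exit code. `Link`, `RecordArtifacts` and `RunAndRecord` are hypothetical names; the artifact map is flattened to path -> SHA-256 (a real link nests digests per hash algorithm), and signing is left out.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

type Link struct { // evidence fields of an in-toto link, unsigned in this example
	Name                string
	Command             []string
	Materials, Products map[string]string // relative path -> hex SHA-256
	Byproducts          map[string]any
}

// RecordArtifacts hashes every regular file below dir; discard the map on error.
func RecordArtifacts(dir string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(dir, func(p string, d os.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip directories and symlinks
		}
		data, err := os.ReadFile(p)
		rel, _ := filepath.Rel(dir, p)
		out[filepath.ToSlash(rel)] = fmt.Sprintf("%x", sha256.Sum256(data))
		return err // a read error aborts the walk
	})
	return out, err
}

// RunAndRecord records materials, runs cmd inside dir, then records products.
func RunAndRecord(name, dir string, cmd []string) (Link, error) {
	materials, err := RecordArtifacts(dir)
	if err != nil {
		return Link{}, err
	}
	c := exec.Command(cmd[0], cmd[1:]...)
	c.Dir = dir
	stdout, err := c.Output()
	if c.ProcessState == nil {
		return Link{}, err // the command never started, so there is no evidence
	}
	by := map[string]any{"stdout": string(stdout), "return-value": c.ProcessState.ExitCode()}
	products, err := RecordArtifacts(dir)
	return Link{name, cmd, materials, products, by}, err
}

func main() { fmt.Println(RunAndRecord("version", ".", []string{"go", "version"})) }
```

A non-zero exit is recorded in the `return-value` byproduct rather than returned as an error, so a failing step still produces evidence.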


Christian Rebischke


  • Santiago Torres-Arias
  • Justin Cappos
  • Lukas Pühringer