1## in-toto verify
2
3Verify that the software supply chain of the delivered product
4
5### Synopsis
6
7in-toto-verify is the main verification tool of the suite, and
8it is used to verify that the software supply chain of the delivered
9product was carried out as defined in the passed in-toto supply chain
10layout. Evidence for supply chain steps must be available in the form
11of link metadata files named ‘<step name>.<functionary keyid prefix>.link’.
12
13```
14in-toto verify [flags]
15```
16
17### Options
18
19```
20 -h, --help help for verify
21 -i, --intermediate-certs strings Path(s) to PEM formatted certificates, used as intermediaries to verify
22 the chain of trust to the layout's trusted root. These will be used in
23 addition to any intermediates in the layout.
24 -l, --layout string Path to root layout specifying the software supply chain to be verified
25 -k, --layout-keys strings Path(s) to PEM formatted public key(s), used to verify the passed
26 root layout's signature(s). Passing at least one key using
27 '--layout-keys' is required. For each passed key the layout
28 must carry a valid signature.
29 -d, --link-dir string Path to directory where link metadata files for steps defined in
30 the root layout should be loaded from. If not passed links are
31 loaded from the current working directory.
32 --normalize-line-endings Enable line normalization in order to support different
33 operating systems. It is done by replacing all line separators
34 with a new line character.
35```
36
37### SEE ALSO
38
39* [in-toto](in-toto.md) - Framework to secure integrity of software supply chains
40
View as plain text