intoto start
Snapshot input files at the beginning of a pipeline step
Synopsis
Record the cryptographic hashes of all input files (materials) before a pipeline step runs.
Use this when your step is not a single command — for example, a multi-line build script. Call 'intoto start' before the step and 'intoto stop' after it. The pair together produce a signed in-toto link that proves which files went in and which came out.
If your entire step is a single command, use 'intoto run' instead.