Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-22 16:39:01 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 121
fleet/articles/fleet-software-attestation.md
Scott Gress fa65eb7b55
Update Software Attestation guide (#26000) 
For #25334 

Implementing changes suggested by @zayhanlon 

> @sharon-fdm or @sgress454 in the style of our current articles, i
think its okay to cut the fluff 'At Fleet, we understand the importance
of having a secure software supply chain. Our core value of 🟣
[Openness](https://fleetdm.com/handbook/company#openness) extends to
ensuring that our users can verify the provenance and authenticity of
any Fleet software they install. With that in mind,' and start with "As
of version 4.63.0 Fleet has added"

Done

> fleetctl we don't capitalize correct?

Updated references to `fleet`, `fleetctl` and `osqueryd` to be
lowercased and use code styling, to be consistent with usage in other
articles.

> I think orbit we also dont capitalize

It's pretty inconsistent but it looks like we mostly do capitalize it,
which makes sense to me as it's not a command you run (as opposed to
`fleet`, `fleetctl` or `osqueryd`). I left it for now but can change to
`orbit` if that's the official style guide policy.
2025-02-04 08:54:02 -06:00

1.4 KiB
Raw Blame History

Fleet software attestation

As of version 4.63.0 Fleet we will be adding SLSA attestations to our released binaries and container images. This includes the fleet and fleetctl server software, the Orbit and Fleet Desktop software for hosts, and the osqueryd updates periodically downloaded by hosts.

What is software attestation?

A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software artifacts (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We utilize the SLSA framework for attestations which you can read more about here. After each release, attestations are added to https://github.com/fleetdm/fleet/attestations.

Verifying our release artifacts

Any product of a Fleet release can be verified to prove that it was indeed created by Fleet, using the gh command line tool from Github. See the gh attestation verify docs for more info.