bb5ec47ec0
This PR adds an article about the software attestations Fleet now adds to release artifacts. --------- Co-authored-by: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com>
1.7 KiB
Fleet software attestation
At Fleet, we understand the importance of having a secure software supply chain. Our core value of 🟣 Openness extends to ensuring that our users can verify the provenance and authenticity of any Fleet software they install. With that in mind, as of version 4.63.0 Fleet we will be adding SLSA attestations to our released binaries and container images. This includes the Fleet and Fleetctl server software, the Orbit and Fleet Desktop software for hosts, and the osqueryd updates periodically downloaded by hosts.
What is software attestation?
A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software artifacts (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We utilize the SLSA framework for attestations which you can read more about here. After each release, attestations are added to https://github.com/fleetdm/fleet/attestations.
Verifying our release artifacts
Any product of a Fleet release can be verified to prove that it was indeed created by Fleet, using the gh command line tool from Github. See the gh attestation verify docs for more info.