Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/articles/fleet-software-attestation.md

35 lines
2 KiB
Markdown
Raw Blame History

# Fleet software attestation
As of version 4.63.0 Fleet added [SLSA attestations](https://slsa.dev/) to our released binaries and container images. This includes the Fleet server, [fleetctl](https://fleetdm.com/docs/get-started/anatomy#fleetctl) command-line tool (CLI), and Fleet's agent (specifically the [Orbit](https://fleetdm.com/docs/get-started/anatomy#fleetd) component).
## What is software attestation?
A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software _artifacts_ (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We use the [SLSA framework](https://slsa.dev/) for attestations. After each release, attestations are added to https://github.com/fleetdm/fleet/attestations.
## Verifying a release
Any Fleet release can be _verified_ to prove that it was indeed created by Fleet, using the `gh` command line tool from Github. See the [`gh attestation verify`](https://cli.github.com/manual/gh_attestation_verify) docs for more info.
After downloading the [Fleet server binary](https://github.com/fleetdm/fleet/releases), here's how to verify:
```
gh attestation verify --owner fleetdm /path/to/fleet
```
Verify the [fleetctl binary](https://github.com/fleetdm/fleet/releases) (CLI):
```
gh attestation verify --owner fleetdm fleetdm /path/to/fleetctl
```
Currently, you can verify Fleet's agent (fleetd) on macOS and Linux. To verify, after installing fleetd on a macOS or Linux host, run this command::
```
gh attestation verify --owner fleetdm /usr/local/bin/orbit
```
<meta name="authorGitHubUsername" value="sgress454">
<meta name="authorFullName" value="Scott Gress">
<meta name="publishedOn" value="2025-01-14">
<meta name="articleTitle" value="Fleet software attestation">
<meta name="category" value="guides">
Reference in a new issue View git blame Copy permalink