Static, single-file binaries — signed by the TestifySec platform Fulcio + TSA and uploaded only after the release pipeline verifies each one against the signed release policy. Served (and counted) from cilock.dev, never GitHub.
Auto-detects your OS/arch, resolves the latest version from the manifest, and verifies the SHA-256 against the signed checksums before installing.
curl -fsSL https://cilock.dev/install.sh | bashPrefer Homebrew, Docker, or a SHA-pinned GitHub Action? See all install methods →
On macOS (Intel + Apple Silicon) and Linux (x86_64 + arm64). The tap is public; Homebrew pins each download by SHA-256, and the formula is auto-bumped by the release pipeline.
brew install aflock-ai/tap/cilockOr brew tap aflock-ai/tap then brew install cilock; upgrade with brew upgrade cilock.
Loading the latest release…
Stable releases are signed by the TestifySec production platform (Fulcio + RFC 3161 TSA). This binary bakes in the matching trust, so cilock verify needs no --policy-* flags — it pulls the build's signed evidence from the platform and checks it against the release policy published with the binary:
tar xzf cilock-<version>-<os>-<arch>.tar.gz cilock
curl -fsSLO https://cilock.dev/dl/<version>/release-policy.json
cilock verify ./cilock --policy release-policy.json --platform-url https://platform.testifysec.com --enable-archivistaRelease candidates are signed by the TestifySec staging platform; stable releases are signed by production keys. The --platform-url above is the production platform that signed this release.
No cilock yet, or want an independent check? SHA-256 + openssl verification →
Don't download in CI — use the Action. It fetches its own full-attestor binary at runtime and wraps your commands.
- uses: aflock-ai/cilock-action@v1
with:
command: go build ./...CI/lock is free and open source under the Apache License 2.0. You can use, modify, and redistribute it — including building your own binary from rookery. The default release ships the file and fulcio signers; everything else is opt-in.