Skip to main content

Download CI/lock

Static, single-file binaries — signed by the TestifySec platform Fulcio + TSA and uploaded only after the release pipeline verifies each one against the signed release policy. Served (and counted) from cilock.dev, never GitHub.

Quick install

Auto-detects your OS/arch, resolves the latest version from the manifest, and verifies the SHA-256 against the signed checksums before installing.

curl -fsSL https://cilock.dev/install.sh | bash

Prefer Homebrew, Docker, or a SHA-pinned GitHub Action? See all install methods →

Homebrew

On macOS (Intel + Apple Silicon) and Linux (x86_64 + arm64). The tap is public; Homebrew pins each download by SHA-256, and the formula is auto-bumped by the release pipeline.

brew install aflock-ai/tap/cilock

Or brew tap aflock-ai/tap then brew install cilock; upgrade with brew upgrade cilock.

Latest release

Loading the latest release…

Verify it's the real thing

Stable releases are signed by the TestifySec production platform (Fulcio + RFC 3161 TSA). This binary bakes in the matching trust, so cilock verify needs no --policy-* flags — it pulls the build's signed evidence from the platform and checks it against the release policy published with the binary:

tar xzf cilock-<version>-<os>-<arch>.tar.gz cilock
curl -fsSLO https://cilock.dev/dl/<version>/release-policy.json
cilock verify ./cilock --policy release-policy.json --platform-url https://platform.testifysec.com --enable-archivista

Release candidates are signed by the TestifySec staging platform; stable releases are signed by production keys. The --platform-url above is the production platform that signed this release.

What that proves
  • The binary was built by the official TestifySec release pipeline — the workflow's identity is bound into the signing certificate.
  • Signed by the TestifySec production Platform Fulcio, chained to its Platform Root CA.
  • Countersigned by an RFC 3161 TSA — the short-lived signing cert verifies as valid at signing time, long after it expires.
  • It's the exact artifact the publish gate verified — nothing unverified ever reaches cilock.dev.

No cilock yet, or want an independent check? SHA-256 + openssl verification →

In GitHub Actions

Don't download in CI — use the Action. It fetches its own full-attestor binary at runtime and wraps your commands.

- uses: aflock-ai/cilock-action@v1
  with:
    command: go build ./...

GitHub Actions pipeline tutorial →

License

CI/lock is free and open source under the Apache License 2.0. You can use, modify, and redistribute it — including building your own binary from rookery. The default release ships the file and fulcio signers; everything else is opt-in.