Installation
There are five supported ways to get CI/lock running.
Verify the `cilock` binary
How CI/lock dogfoods its own release pipeline — every `cilock` binary you download from GitHub is signed via Sigstore Fulcio with the workflow's OIDC identity, comes with a Verification Summary Attestation (VSA) CI/lock produced by verifying itself against a 5-layer release policy, and ships a signed install.sh that scripts the cosign verification step before extraction.
Your first attestation
Intro
Connect to the platform
Your first attestation signed and verified evidence entirely on your laptop with a local key. That's the whole loop, offline. Connecting to the TestifySec platform adds three things a local key can't:
CI quickstart
The fastest path from a vanilla GitHub Actions workflow to signed evidence. This page shows one copy-pasteable workflow that produces a signed attestation around a single build step, then points to the dropbox-clone reference for the fuller multi-step pattern.
Verify SLSA provenance offline (air-gapped, no platform)
Verify a downloaded CI/lock binary FULLY OFFLINE — using only the DSSE attestation envelopes, Fulcio + Root CA, and RFC 3161 TSA chain published alongside the binary on cilock.dev. No TestifySec platform, tenant, or Archivista access required. For air-gapped and zero-trust verifiers.