Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Solutions A small chevron
Device management

Device management

Remotely manage, and protect laptops and mobile devices.

Orchestration

Orchestration

Automate tasks across devices, from app installs to scripts.

Software management

Software management

Inventory, patch, and manage installed software.

Extend Fleet

Extend Fleet

Integrate your favorite tools with Fleet.

Customers A small chevron
Stripe + Fleet

Stripe + Fleet

Stripe consolidates multiple tools with Fleet.

Foursquare + Fleet

Foursquare + Fleet

Foursquare quickly migrates to Fleet for device management.

What people are saying

What people are saying

Stories from the Fleet community.

Pricing
More A small chevron
Try it yourself Get a demo
{{thisPage.meta.articleTitle}}
search

Fleet software attestation

{{articleSubtitle}}

| The author's GitHub profile picture

Scott Gress

Share

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Get a demoGet a demo

Fleet software attestation

{{articleSubtitle}}

| The author's GitHub profile picture

Scott Gress

Fleet software attestation

As of version 4.63.0 Fleet added SLSA attestations to our released binaries and container images. This includes the Fleet server, fleetctl command-line tool (CLI), and Fleet's agent (specifically the Orbit component).

What is software attestation?

A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software artifacts (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We use the SLSA framework for attestations. After each release, attestations are added to https://github.com/fleetdm/fleet/attestations.

Verifying a release

Any Fleet release can be verified to prove that it was indeed created by Fleet, using the gh command line tool from Github. See the gh attestation verify docs for more info.

After downloading the Fleet server binary, here's how to verify:

gh attestation verify --owner fleetdm /path/to/fleet

Verify the fleetctl binary (CLI):

gh attestation verify --owner fleetdm fleetdm /path/to/fleetctl

Currently, you can verify Fleet's agent (fleetd) on macOS and Linux. To verify, after installing fleetd on a macOS or Linux host, run this command::

gh attestation verify --owner fleetdm /usr/local/bin/orbit