GitHub (SLSA) attestation guide #26222
Conversation
noahtalerman
commented
Feb 10, 2025
noahtalerman
commented
- Add instructions for verifying Fleet, fleetd, and fleetctl
- Add instructions for verifying Fleet, fleetd, and fleetctl
noahtalerman
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
| Here's how to verify the Fleet server: | ||
|
|
||
| ``` | ||
| gh attestation verify --owner fleetdm TODO | ||
| ``` | ||
|
|
||
| Verify Fleet's agent (fleetd): | ||
|
|
||
| ``` | ||
| gh attestation verify --owner fleetdm TODO | ||
| ``` | ||
|
|
||
| Verify the fleetctl command-line tool (CLI): | ||
|
|
||
| ``` | ||
| gh attestation verify --owner fleetdm TODO | ||
| ``` | ||
|
|
There was a problem hiding this comment.
@sgress454 can you please help me fill in the TODOs here?
I'm looking at the Attestations page in GitHub and I can't find a good example. When I click on one of the attestations I see this (not that helpful):
There was a problem hiding this comment.
Sure! For binaries, you're verifying a file on your own computer, so it's
gh attestation verify --owner fleetdm /path/to/downloaded/fleet
or downloaded fleetctl, or any of the other artifacts listed in a release. Both the archive (zip) files and the binaries enclosed in them have attestations added, so that if someone unzips the archive and sends the binary elsewhere it can still have its build verified.
For docker images, it's
gh attestation verify --owner fleetdm oci://docker.io/fleetdm/fleetctl[:tag]
or
gh attestation verify --owner fleetdm oci://docker.io/fleetdm/fleet:[tag]
(the tags are optional; without them you'll verify the latest image)
There was a problem hiding this comment.
@sgress454 can one verify the fleetd (Orbit) source code .zip like the one here? https://github.com/fleetdm/fleet/archive/refs/tags/orbit-v1.39.0.zip
I ran this command and got an error:
gh attestation verify --owner fleetdm Downloads/fleet-orbit-v1.39.0.zip
Loaded digest sha256:d2fccfaad04bbf05157c3d6f6d3a19fea81b6d183e23057fd3f4ed4a5d4de322 for file://Downloads/fleet-orbit-v1.39.0.zip
✗ Loading attestations from GitHub API failed
Error: failed to fetch attestations from fleetdm: HTTP 404: Not Found (https://api.github.com/orgs/fleetdm/attestations/sha256:d2fccfaad04bbf05157c3d6f6d3a19fea81b6d183e23057fd3f4ed4a5d4de322?per_page=30)
There was a problem hiding this comment.
We're not adding provenance to source file zips; it's mainly for code you run (like binaries and images, and archives containing those) so that you can see how it was built. It looks like we don't add binaries to the Orbit Github releases right now, but you can see the release artifacts on the Orbit release workflow, and any of those can be verified. On a host (at least a MacOS host) you can do:
gh attestation verify /usr/local/bin/orbit --owner fleetdm
to verify the Orbit binary installed on that host.
There was a problem hiding this comment.
@sgress454 thanks! So currently we support attestation for the Orbit component of fleetd. Not osquery or Fleet Desktop yet (screenshot below from docs here). Is that right?
On a host (at least a MacOS host) you can do:
gh attestation verify /usr/local/bin/orbit --owner fleetdmto verify the Orbit binary installed on that host.
Also, what would the command be to verify Orbit on Linux and Windows?
There was a problem hiding this comment.
Hey @sgress454 just giving you another ping! When you get the chance, please check out my questions above.
noahtalerman
had a problem deploying
to
Docker Hub
GitHub Actions
Failure
noahtalerman
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
