Download cilock

Static, single-file binaries — signed by the TestifySec platform Fulcio + TSA and uploaded only after the release pipeline verifies each one against the signed release policy. Served (and counted) from cilock.dev, never GitHub.

Quick install

Auto-detects your OS/arch, resolves the latest version from the manifest, and verifies the SHA-256 against the signed checksums before installing.

curl -fsSL https://cilock.dev/install.sh | bash

Prefer Homebrew, Docker, or a SHA-pinned GitHub Action? See all install methods →

Verify it's the real thing

Every binary carries the build's signed evidence. A released cilock bakes in the TestifySec platform trust, so verification is flagless and offline:

tar xzf cilock-<version>-<os>-<arch>.tar.gz cilock
cilock verify ./cilock -p release-v1.policy.json -a <os>-<arch>.attestation.json

What that proves
  • The binary was built by the official release workflow on aflock-ai/rookery (functionary identity bound into the signing cert).
  • Signed by the TestifySec Platform Fulcio, chained to the Platform Root CA.
  • Countersigned by an RFC 3161 TSA — the short-lived signing cert verifies as valid at signing time, long after it expires.
  • It's the exact artifact the publish gate verified — nothing unverified ever reaches cilock.dev.

No cilock yet, or want an independent check? SHA-256 + openssl verification →
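
An independent integrity check of the kind mentioned above, as an added example that is not cilock's own installer or documentation. It assumes a checksums file in the common `<hex digest>  <filename>` format (this page gives neither the file's name nor its format) and fails closed on a missing, duplicated or malformed entry.

```bash
#!/usr/bin/env bash
# Added example: fail-closed SHA-256 check of a downloaded release archive.
# Assumption: checksums file lines look like "<64 hex chars>  <filename>".
# Usage: verify_sha256 <archive> <checksums-file>

sha256_of() {
  # Print the hex SHA-256 of a file with whichever tool is installed.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 -r "$1" | awk '{print $1}'
  fi
}

verify_sha256() {
  local file="$1" sums="$2" name expected actual
  if [ ! -f "$file" ] || [ ! -f "$sums" ]; then
    echo "missing archive or checksums file" >&2; return 2
  fi
  name=$(basename "$file")

  # Exact match on the filename field (a leading '*' marks binary mode).
  # Zero or several entries for the same name is an error, never a pass.
  expected=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }
    f == n { c++; d = tolower($1) }
    END { if (c != 1) exit 3; print d }' "$sums") || {
    echo "need exactly one checksum entry for $name" >&2; return 3
  }
  # Reject anything that is not a 64-character hex digest.
  case "$expected" in *[!0-9a-f]*) expected="" ;; esac
  if [ "${#expected}" -ne 64 ]; then
    echo "malformed digest for $name" >&2; return 3
  fi

  actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "SHA-256 MISMATCH for $name: do not extract or run it" >&2
    return 1
  fi
  echo "OK: $name matches $sums"
}
```

This compares the archive with the checksums file only; the signature on the checksums file itself has to be verified separately before the result means anything.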

In GitHub Actions

Don't download in CI — use the Action. It fetches its own full-attestor binary at runtime and wraps your commands.

- uses: aflock-ai/cilock-action@v1
  with:
    command: go build ./...

GitHub Actions pipeline tutorial →

License

cilock is free and open source under the Apache License 2.0. You can use, modify, and redistribute it — including building your own binary from rookery. The default release ships the file and fulcio signers; everything else is opt-in.