Choose a signer
CI/lock supports nine signer providers. This guide is the decision tree: pick the path that matches your environment, then jump to the relevant config detail.
Store attestations in Archivista
Archivista is the searchable evidence store CI/lock integrates with by default. This guide covers how to configure CI/lock to push signed attestations to it, and how to retrieve them later.
Verify in a release gate
This guide is the operational counterpart to the release promotion gate tutorial. The tutorial shows you a worked example. This guide covers the design decisions you'll hit when wiring it into a real production environment.
Add a custom attestor
When the 30+ attestors in the default cilock binary don't capture what you need, write your own. This guide walks through the rookery attestation.Attestor interface, the lifecycle hooks, and how to ship a custom attestor as a Go module that downstream binaries can blank-import.
Build a custom CI/lock
The prebuilt cilock ships every attestor plus two signers (file, fulcio). If you need one of the seven opt-in signers (debug-signer, kms/aws, kms/gcp, kms/azure, spiffe, vault, vault-transit), or want a slimmer binary that only includes the plugins you actually use, or want to add a third-party plugin, use the rookery-builder.
Verify a specific file
You have a binary digest (or any single artifact hash) and you want to know: was this file produced by a build I trust? This guide walks the v0.3 verifier flow — what the user runs, what the verifier finds, what cross-checks it does, and what causes pass or fail.
Prove files in a build
cilock run emits a product attestation whose subject is a Merkle root over every file the step produced. By default that attestation also carries the per-file inline leaves, so a downstream consumer can verify one specific file against the signed root with nothing else — cilock verify -p policy just works. Most builds never need cilock prove.
High-assurance attestation
For release builds where "the attestation is complete or it doesn't ship,"