Attestations
An attestation is a signed statement about something that happened in your pipeline.
Attestors
An attestor is a plugin that asserts facts about a system and stores those facts in a versioned schema. Each attestor has a Name, Type (a versioned URL identifier like https://aflock.ai/attestations/git/v0.1), and a RunType that determines which lifecycle phase it runs in.
Signing & identity
A signer is the cryptographic identity used to sign an attestation. In policy, the signer is what gets evaluated against a functionary: the policy's declaration of who is allowed to sign for a given step.
Timestamping
A timestamp authority (TSA) countersigns a signature with a trusted time, proving that the signature existed at that moment. Without it a verifier cannot tell whether an attestation was signed while its key was still valid, so timestamps are what let evidence remain checkable after the signing key has been rotated or has expired.
Evidence storage
A signed attestation is only useful if you can find it again, so cilock supports several places to put the evidence after signing.
Policy verification
A cilock policy is a signed document that encodes the requirements for an artifact to be validated. It includes trusted public keys (or X.509 roots), the steps that must appear in the supply chain, the functionaries trusted to sign each step, and embedded OPA Rego rules to evaluate against attestation contents.
DSSE & in-toto
DSSE (Dead Simple Signing Envelope) and in-toto are the standardized envelope and provenance formats that make cilock evidence interoperable with the wider supply-chain tooling ecosystem.
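To make the envelope format and the functionary check concrete, here is an added example in Go that is not cilock's own code: it wraps an in-toto Statement in a DSSE envelope, signs it, and then verifies it the way the Policy verification section describes, accepting only signatures made by a key the policy lists as a functionary for the step. Assumptions are labelled in the code: the Statement uses the in-toto v1 layout, keys are ed25519, the keyid is the SHA-256 of the raw public key, the subject digest and the commithash predicate value are constructed sample data, and the predicate type reuses the git attestor URL from the Attestors section above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Statement is the in-toto Statement wrapper (v1 layout): subjects plus a typed predicate.
type Statement struct {
	Type          string            `json:"_type"`
	Subject       []map[string]any  `json:"subject"`
	PredicateType string            `json:"predicateType"`
	Predicate     map[string]string `json:"predicate"`
}

// Envelope is a DSSE envelope: base64 payload plus signatures, each a {keyid, sig} pair.
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

const payloadType = "application/vnd.in-toto+json"

// pae is the DSSE pre-authentication encoding. Signing it rather than the bare
// payload binds the payload type to the signature as well.
func pae(ptype string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(ptype), ptype, len(payload), payload))
}

// keyID is SHA-256 of the raw public key (an assumption of this example, not a cilock rule).
func keyID(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// Sign serialises the statement and wraps it in a DSSE envelope signed by priv.
func Sign(stmt Statement, priv ed25519.PrivateKey) (Envelope, error) {
	payload, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []map[string]string{{"keyid": keyID(priv.Public().(ed25519.PublicKey)), "sig": base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify returns the payload if some signature checks out under a key the policy lists as a
// functionary for this step. keyid is only a lookup hint: the check always uses the policy's key.
func Verify(env Envelope, functionaries map[string]ed25519.PublicKey) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	msg := pae(env.PayloadType, payload)
	for _, s := range env.Signatures {
		pub, ok := functionaries[s["keyid"]]
		if !ok {
			continue // signer is not a functionary for this step
		}
		if sig, err := base64.StdEncoding.DecodeString(s["sig"]); err == nil && ed25519.Verify(pub, msg, sig) {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("no valid signature from a trusted functionary")
}

// Demo runs the three cases a verifier must get right and reports whether each envelope was accepted.
func Demo() (trustedOK, tamperedOK, untrustedOK bool) {
	fnPub, fnPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	policy := map[string]ed25519.PublicKey{keyID(fnPub): fnPub} // functionaries trusted for one step
	stmt := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []map[string]any{{"name": "app.tar.gz", "digest": map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256([]byte("constructed artifact")))}}},
		PredicateType: "https://aflock.ai/attestations/git/v0.1",
		Predicate:     map[string]string{"commithash": "0123456789abcdef0123456789abcdef01234567"}, // constructed sample value
	}
	env, _ := Sign(stmt, fnPriv)
	_, err := Verify(env, policy)
	trustedOK = err == nil
	// Swap the payload after signing: the PAE no longer matches the signature.
	tampered := env
	tampered.Payload = base64.StdEncoding.EncodeToString([]byte(`{"_type":"forged"}`))
	_, err = Verify(tampered, policy)
	tamperedOK = err == nil
	// A well-formed signature from a key the policy does not list for this step.
	rogue, _ := Sign(stmt, otherPriv)
	_, err = Verify(rogue, policy)
	untrustedOK = err == nil
	return
}
```

Two details carry the security weight. The signature covers the PAE string, not the raw payload, so an attacker cannot reuse a signature over the same bytes under a different payload type. And the verifier looks the key up in the policy by keyid rather than trusting any key material an envelope might carry, which is exactly the signer-versus-functionary distinction from the Signing & identity section: the envelope says who claims to have signed, the policy decides who is allowed to.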
Trust model
This page is the deliberately honest version of "what does cilock actually protect against?" It's worth being precise here, because supply-chain tooling is easy to overpromise.