# cilock and rookery
Rookery is the modular attestation monorepo where cilock is built. It splits the attestation core, every individual attestor, every signer, and the binary builder into separate Go modules so each can be versioned and consumed independently.
## Layout
| Directory | What's there |
|---|---|
| attestation/ | Core attestation library (minimal deps): DSSE handling, in-toto statement assembly, the attestor/signer interfaces, factory registration, Archivista client, type-alias registry. |
| plugins/attestors/ | Each attestor as its own Go module (40 attestors today). |
| plugins/signers/ | Each signer as its own Go module (debug-signer, file, fulcio, kms with aws/azure/gcp subpackages, spiffe, vault, vault-transit). |
| presets/ | Convenience modules that blank-import curated plugin sets (all, cicd, minimal). |
| builder/ | Binary builder that generates custom binaries with selected plugins. |
| cilock/ | The cilock CLI binary; cmd/cilock/main.go blank-imports the cilock-default attestor and signer set. |
| lockctl/ | A separate CLI binary (own go.mod) for control-plane operations; lives alongside cilock in the monorepo. |
| compat/ | Compatibility shims (notably compat/go-witness/) so go-witness consumers can pin to rookery without re-importing every plugin path. |
| deploy/ | Packaging recipes (melange / apko / similar) for producing release-shape binaries. |
| docs/ and docs-website/ | Markdown content and the Docusaurus-style site source for the cilock docs. |
The monorepo also hosts other CLIs that consume the same attestation core; this page focuses only on cilock.
## Versioning
Rookery uses standard Go path-prefixed multi-module tags:

```
attestation/v0.1.0
plugins/attestors/git/v0.1.0
plugins/signers/file/v0.1.0
```
Each module can be released independently, so a fix to the git attestor doesn't force a release of the whole tree.
## Why this matters for cilock
Because cilock is just main.go with a curated set of blank imports, you can build your own cilock-like binary with a different mix of attestors or signers, for example, dropping cloud signers entirely for an air-gapped build, or adding inspec, kube-bench, nessus, oscap, or prowler for compliance-heavy environments. The rookery builder handles this.
## Presets
The presets/ modules are the easiest way to grab a curated set without writing imports yourself:
- presets/all: every attestor and signer in rookery
- presets/cicd: the CI/CD-relevant subset (21 attestors + the file signer)
- presets/minimal: the smallest useful set
The default cilock binary's attestor list is broadly aligned with presets/cicd plus a few additions.
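The two sections above rest on one mechanism: a plugin module registers its factory from `init()`, so it is only present in a binary whose main.go (or preset) blank-imports it. The following added example models that mechanism in a single self-contained file so it can be run; it is not rookery's code, and the `Attestor` interface, `Register`, `Resolve` and the two attestors are hypothetical stand-ins for the real registry in attestation/. It shows the failure mode of a custom build: requesting an attestor (here `nessus`) that was never compiled in is reported up front rather than silently skipped.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attestor is a hypothetical stand-in for the attestor interface in
// rookery's attestation/ core; the real interface is not reproduced here.
type Attestor interface{ Name() string }

// registry models the factory registration each plugin module performs
// from its init() when a binary blank-imports it.
var registry = map[string]func() Attestor{}

// Register refuses duplicates so two modules cannot claim one name.
func Register(name string, factory func() Attestor) {
	if _, dup := registry[name]; dup {
		panic("duplicate attestor registration: " + name)
	}
	registry[name] = factory
}

type gitAttestor struct{}
type envAttestor struct{}

func (gitAttestor) Name() string { return "git" }
func (envAttestor) Name() string { return "environment" }

// In rookery each init() below would live in its own plugin module and run
// only if main.go imports that module; here both are compiled in.
func init() { Register("git", func() Attestor { return gitAttestor{} }) }
func init() { Register("environment", func() Attestor { return envAttestor{} }) }

// Available lists what this binary can run, sorted for stable output.
func Available() []string {
	names := make([]string, 0, len(registry))
	for n := range registry {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// Resolve turns a requested list (e.g. a preset's names) into attestors and
// fails on any name that was not compiled into this binary.
func Resolve(names []string) ([]Attestor, error) {
	var out []Attestor
	var missing []string
	for _, n := range names {
		f, ok := registry[n]
		if !ok {
			missing = append(missing, n)
			continue
		}
		out = append(out, f())
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("attestors not compiled into this binary: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

func main() {
	fmt.Println("available:", Available())
	if _, err := Resolve([]string{"git", "nessus"}); err != nil {
		fmt.Println("error:", err)
	}
}
```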
## Contributing
Both cilock and witness changes land here. See the rookery CONTRIBUTING guide for the workflow.