
Frequently asked questions

Do I need to understand cryptography to use cilock well?

No. You need to understand what evidence you care about and what release decisions should depend on that evidence. The cryptography exists to make the evidence trustworthy; cilock handles the signing primitives so you don't have to.

If you can describe your release rules in plain English ("must come from main, must include an SBOM, must be signed by our CI"), cilock's policy + embedded OPA Rego model can encode them.
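As an added illustration (not code from the cilock docs or project), this is the shape of a Rego module that could be embedded in a policy step to encode the first of those rules, "must come from main". The other two rules are assumed to live in the policy itself rather than in Rego: "must include an SBOM" as a required attestation type on the step, and "must be signed by our CI" as the step's functionary. The `input` field names are assumptions about the git attestor's output, not taken from this page.

```rego
# Added example, not part of the cilock documentation.
# Evaluated by cilock/witness-style policy verification against one git
# attestation; any message collected in `deny` fails the step.
package git

import rego.v1

# Constructed value: the only ref accepted as a release source.
allowed_ref := "refs/heads/main"

# Assumption: the git attestation exposes the refs pointing at the built
# commit as `input.refs` and the commit id as `input.commithash`.
ref_is_main if {
    some ref in input.refs
    ref == allowed_ref
}

deny contains msg if {
    not ref_is_main
    msg := sprintf("commit %v was not built from %v", [input.commithash, allowed_ref])
}
```

Before relying on a field name, check it against the JSON the attestor actually emits in your pipeline; a rule that references a field that does not exist will silently never match.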

Is this only for regulated or highly secure environments?

No. Cilock is also useful for ordinary platform engineering, incident response, and release governance:

  • "What exactly produced this binary?" is a question every team has at some point.
  • Compliance just makes the value easier to justify on a budget line, but the operational benefits exist regardless.

Can cilock work with existing CI pipelines?

Yes. The normal operating model is to wrap existing commands and actions, not to replace your CI platform. Cilock runs as a step inside GitHub Actions, GitLab CI, Jenkins, or any runner that can execute a binary.

You don't migrate to cilock; you add it alongside what you already run.

What is the practical payoff?

  • Better release confidence: you know what shipped came from where, with what.
  • Better provenance: artifacts carry their own evidence instead of depending on log retention.
  • Less audit reconstruction: structured evidence beats screenshot collection.
  • A cleaner path to automated policy enforcement: rules become code instead of conventions.

How does cilock relate to Witness?

Witness originated at TestifySec and was donated to the CNCF in-toto ecosystem. Cilock is described in its own source as "a witness-compatible CI attestation CLI with all attestors and signers." It registers legacy witness.dev type aliases on startup, so:

  • Cilock can verify attestations produced by witness.
  • Witness can verify attestations produced by cilock.

If you're coming from witness, the mental model (attestors, collections, functionaries, signed-DSSE policies, embedded Rego) carries over directly. See ecosystem → Witness for migration notes.

Where does the TestifySec platform fit?

The TestifySec platform is a larger compliance and evidence product. Cilock is one of the evidence-producing clients that can feed it. You can use cilock without the platform, but if you need workflow, dashboards, and reporting on top of attestations, the platform is the path. See ecosystem → TestifySec Platform.

Can I use cilock without Archivista?

Yes. The simplest setup writes attestations to a file and surfaces them as a CI workflow artifact. Archivista becomes valuable when you need cross-team search, long-term retention, or verifiers that fetch evidence without rerunning CI.

Self-hosted vs. hosted Fulcio/TSA: which should I pick?

For most teams: start with the public Sigstore Fulcio + TSA. They're free and operationally simple. Move to self-hosted only if you need:

  • Air-gapped operation
  • Custom CA / identity provider
  • Stricter audit logging on the CA itself

See Choose a signer for the full decision tree.

Does cilock support FIPS-validated cryptography?

Yes. The cilock binary is built with Go's fips140=on debug flag, so FIPS 140 mode is on by default; no separate FIPS build is required. See trust model.