Installation
There are four supported ways to get cilock running.
1. Prebuilt binary
Each release of aflock-ai/rookery publishes static binaries for:
| OS | Architectures |
|---|---|
| Linux | amd64, arm64 |
| macOS (Darwin) | amd64, arm64 |
Windows is not currently shipped: the omnitrail attestor has linux/darwin-only build constraints.
Download from the rookery Releases page. Each archive is named cilock-<version>-<os>-<arch>.tar.gz and is accompanied by:
- cilock-<version>-<os>-<arch>.tar.gz.sig, the cosign signature
- cilock-<version>-<os>-<arch>.tar.gz.pem, the signing certificate
- checksums-sha256.txt, the checksums (also signed, via checksums-sha256.txt.sig and checksums-sha256.txt.pem)
- cilock-<version>-sbom.spdx.json, the SPDX SBOM (generated with syft)
Pick the matching OS and architecture for your machine, then download and run:
```bash
# Modify these values as necessary.
# OS: one of linux, darwin
# ARCH: one of amd64, arm64
VERSION=v1.0.1
OS=linux
ARCH=amd64
curl -fsL "https://github.com/aflock-ai/rookery/releases/download/${VERSION}/cilock-${VERSION#v}-${OS}-${ARCH}.tar.gz" \
  | tar xzf - cilock
chmod +x cilock
./cilock version
```
Use OS=darwin and ARCH=arm64 on Apple Silicon (M1 and later), or ARCH=amd64 on Intel Macs. Running a Linux binary on macOS fails with zsh: exec format error.
Verify with cosign before using. Download the matching .sig and .pem into the current directory first:
```bash
VERSION=v1.0.1
OS=linux
ARCH=amd64
BASE="https://github.com/aflock-ai/rookery/releases/download/${VERSION}"
ARCHIVE="cilock-${VERSION#v}-${OS}-${ARCH}.tar.gz"
curl -fsLO "${BASE}/${ARCHIVE}"
curl -fsLO "${BASE}/${ARCHIVE}.sig"
curl -fsLO "${BASE}/${ARCHIVE}.pem"
cosign verify-blob \
  --signature "${ARCHIVE}.sig" \
  --certificate "${ARCHIVE}.pem" \
  --certificate-identity-regexp 'https://github.com/aflock-ai/rookery/.+' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "${ARCHIVE}"
```
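The release also ships a signed checksums-sha256.txt, so a download can be checked twice: the Sigstore signature on each file, then the archive digest against the signed checksums list. The script below is an added example, not code from the rookery docs or the project; it assumes the release layout and signer identity shown above, and the function names (verify_sig, expected_sha256, check_sha256, fetch_and_verify) are my own.

```bash
#!/usr/bin/env bash
# Added example: verify the signed checksums file and the archive, then
# confirm the archive digest matches the checksums entry. Assumes the
# rookery release layout (archive, .sig, .pem, checksums-sha256.txt).
set -eu

RELEASES_URL="https://github.com/aflock-ai/rookery/releases/download"
SIGNER_RE='https://github.com/aflock-ai/rookery/.+'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Verify the keyless cosign signature (.sig + .pem) for one file.
verify_sig() {  # $1 = file name
  cosign verify-blob \
    --signature "$1.sig" --certificate "$1.pem" \
    --certificate-identity-regexp "$SIGNER_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$1" >/dev/null
}

# Print the expected digest for a file listed in a sha256sum-style
# checksums file (handles both "  name" and " *name" entry forms).
expected_sha256() {  # $1 = checksums file, $2 = file name
  awk -v f="$2" '$2 == f || $2 == "*" f { print $1 }' "$1"
}

# Return 0 when the file's actual sha256 equals the checksums entry,
# 1 when it differs or the file has no entry at all.
check_sha256() {  # $1 = checksums file, $2 = file name
  local want got
  want=$(expected_sha256 "$1" "$2")
  [ -n "$want" ] || { echo "no checksum entry for $2" >&2; return 1; }
  got=$(sha256sum "$2" | awk '{print $1}')   # macOS: shasum -a 256
  [ "$want" = "$got" ]
}

# Download archive + checksums with their signatures, verify everything,
# then extract and run the binary.
fetch_and_verify() {  # $1 = version tag (e.g. v1.0.1), $2 = os, $3 = arch
  local base="$RELEASES_URL/$1" archive="cilock-${1#v}-$2-$3.tar.gz" f
  for f in "$archive" checksums-sha256.txt; do
    curl -fsLO "$base/$f"; curl -fsLO "$base/$f.sig"; curl -fsLO "$base/$f.pem"
    verify_sig "$f"
  done
  check_sha256 checksums-sha256.txt "$archive"
  tar xzf "$archive" cilock && chmod +x cilock && ./cilock version
}

# Usage: ./verify-cilock.sh v1.0.1 linux amd64
if [ $# -gt 0 ]; then fetch_and_verify "$@"; fi
```

Unlike the page's single verify-blob call, this also rejects an archive whose contents were altered without its checksums entry being changed, because the checksums file is itself signature-checked before it is trusted.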
2. GitHub Action
For GitHub Actions workflows, use the aflock-ai/cilock-action Action. It downloads its own variant binary at runtime and wraps your commands.
```yaml
permissions:
  id-token: write   # required for keyless OIDC signing (Sigstore default)
  contents: read
steps:
  - uses: aflock-ai/cilock-action@v1.0.1   # pin to an exact tag or commit SHA
    with:
      step: build
      command: "go build -o myapp ./cmd/myapp"
      attestations: environment git github sbom
```
attestations defaults to environment git github when omitted. Pinning the action to an exact tag (or, better, a 40-character commit SHA) is consistent with the SHA-pinning advice in Layer 1 of the intro; the floating-tag pattern is what the March 2026 Trivy attack exploited.
For a real five-step pipeline (lint, SAST, test, build+SBOM, docker build), see testifysec/dropbox-clone/.github/workflows/cilock-action-oidc.yaml. See the GitHub Action reference for the full input list.
3. GitLab CI template
For GitLab CI, include the reusable template:
```yaml
include:
  - remote: 'https://raw.githubusercontent.com/aflock-ai/cilock-action/v1/gitlab/cilock.gitlab-ci.yml'

build:
  extends: .cilock
  variables:
    CILOCK_STEP: build
    CILOCK_COMMAND: "go build -o myapp ./cmd/myapp"
```
See the GitLab component reference for the full variable list.
4. Build from source
The cilock binary lives in the rookery monorepo at cilock/cmd/cilock/main.go. You'll need Go 1.26+.
```bash
git clone https://github.com/aflock-ai/rookery
cd rookery/cilock
GOWORK=off CGO_ENABLED=0 go build -trimpath -o cilock ./cmd/cilock/
./cilock version
```
GOWORK=off is required because the default Go workspace is set up for monorepo development; CGO_ENABLED=0 produces a static binary matching the released artifacts.
Verifying your install
Whichever path you pick, sanity-check with:
```bash
cilock version
cilock attestors list
```
The attestors list output shows every attestor compiled into the binary, with markers for the ones that always run (material, product, command-run) and the ones enabled by default. See Getting Started to actually run it.