GitHub (SLSA) attestation guide #26222

Merged (4 commits), Feb 14, 2025
Conversation

noahtalerman (Member):

- Add instructions for verifying Fleet, fleetd, and fleetctl
Review comment on lines 13 to 30 of the guide:
Here's how to verify the Fleet server:

```
gh attestation verify --owner fleetdm TODO
```

Verify Fleet's agent (fleetd):

```
gh attestation verify --owner fleetdm TODO
```

Verify the fleetctl command-line tool (CLI):

```
gh attestation verify --owner fleetdm TODO
```

noahtalerman (Member Author), Feb 10, 2025:

@sgress454 can you please help me fill in the TODOs here?

I'm looking at the Attestations page in GitHub and I can't find a good example. When I click on one of the attestations I see this (not that helpful):

[Screenshot 2025-02-10 at 9:52:37 AM]

Contributor:

Sure! For binaries, you're verifying a file on your own computer, so it's

```
gh attestation verify --owner fleetdm /path/to/downloaded/fleet
```

or downloaded fleetctl, or any of the other artifacts listed in a release. Both the archive (zip) files and the binaries enclosed in them have attestations added, so that if someone unzips the archive and sends the binary elsewhere it can still have its build verified.

For docker images, it's

```
gh attestation verify --owner fleetdm oci://docker.io/fleetdm/fleetctl[:tag]
```

or

```
gh attestation verify --owner fleetdm oci://docker.io/fleetdm/fleet[:tag]
```

(the tags are optional; without them you'll verify the latest image)

noahtalerman (Member Author):

@sgress454 can one verify the fleetd (Orbit) source code .zip like the one here? https://github.com/fleetdm/fleet/archive/refs/tags/orbit-v1.39.0.zip

I ran this command and got an error:

```
gh attestation verify --owner fleetdm Downloads/fleet-orbit-v1.39.0.zip

Loaded digest sha256:d2fccfaad04bbf05157c3d6f6d3a19fea81b6d183e23057fd3f4ed4a5d4de322 for file://Downloads/fleet-orbit-v1.39.0.zip
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from fleetdm: HTTP 404: Not Found (https://api.github.com/orgs/fleetdm/attestations/sha256:d2fccfaad04bbf05157c3d6f6d3a19fea81b6d183e23057fd3f4ed4a5d4de322?per_page=30)
```

Contributor:

We're not adding provenance to source file zips; it's mainly for code you run (like binaries and images, and archives containing those) so that you can see how it was built. It looks like we don't add binaries to the Orbit Github releases right now, but you can see the release artifacts on the Orbit release workflow, and any of those can be verified. On a host (at least a MacOS host) you can do:

```
gh attestation verify /usr/local/bin/orbit --owner fleetdm
```

to verify the Orbit binary installed on that host.
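The commands from the two Contributor replies above (binaries, `oci://` images, and the source-zip 404), pulled together into one script as an added example; this is not part of the thread and not Fleet's own tooling. It wraps `gh attestation verify` for local files, image references and release zips, prints the local sha256 digest that gh keys its lookup on (the same value shown in the "Loaded digest" line of the error above), and turns an HTTP 404 into a distinct exit code meaning "no attestation was published for this digest". The `GH` and `OWNER` variables, the exit-code convention and the use of `unzip` are the example's own assumptions, not from the page.

```shell
#!/bin/sh
# Added example for this thread, not Fleet's own tooling: a wrapper around
# `gh attestation verify` for local binaries, OCI image references and release
# archives. It also classifies the "HTTP 404" that the source zip produced
# above: gh looks attestations up by the artifact's digest, and no attestation
# was ever published for that digest. Assumptions not taken from the page:
# the GH and OWNER variables, the exit-code scheme, and unzip for archives.
GH="${GH:-gh}"            # GitHub CLI to invoke (a stub can be substituted)
OWNER="${OWNER:-fleetdm}" # org whose attestations are consulted

# Print "sha256:<hex>" for a local file: the value gh shows in its
# "Loaded digest ..." line and the key it queries. A zip and the binary
# extracted from it have different digests, so each needs its own attestation.
artifact_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    hex=$(sha256sum "$1" | cut -d' ' -f1)
  else
    hex=$(shasum -a 256 "$1" | cut -d' ' -f1)
  fi
  printf 'sha256:%s\n' "$hex"
}

# The per-org lookup URL gh hits (shape copied from the 404 error above).
attestation_api_url() {
  printf 'https://api.github.com/orgs/%s/attestations/%s\n' "$OWNER" "$1"
}

# Verify one artifact: a file path or an oci://... reference.
# Return codes (this script's own convention): 0 verified, 1 failed or other
# error, 2 no attestation published for this digest (404), 3 gh not found.
verify_artifact() {
  target="$1"
  command -v "$GH" >/dev/null 2>&1 || { echo "gh CLI not found: $GH" >&2; return 3; }
  case "$target" in
    oci://*) ;;  # image: gh resolves the manifest digest from the registry
    *)
      [ -f "$target" ] || { echo "no such file: $target" >&2; return 1; }
      echo "local digest: $(artifact_digest "$target")"
      ;;
  esac
  if out=$("$GH" attestation verify --owner "$OWNER" "$target" 2>&1); then
    echo "verified: $target"
    return 0
  fi
  case "$out" in
    *"HTTP 404"*) echo "no attestation published for $target" >&2; return 2 ;;
    *)            echo "verification failed for $target:" >&2; echo "$out" >&2; return 1 ;;
  esac
}

# Verify a release zip and every file inside it, since (per the thread) both
# the archive and the enclosed binaries are meant to carry attestations.
verify_archive() {
  verify_artifact "$1" || return $?
  tmp=$(mktemp -d) || return 1
  unzip -q "$1" -d "$tmp" || { rm -rf "$tmp"; return 1; }
  rc=0
  find "$tmp" -type f > "$tmp.list"
  while IFS= read -r f; do    # no word splitting: paths may contain spaces
    verify_artifact "$f" || rc=$?
  done < "$tmp.list"
  rm -rf "$tmp" "$tmp.list"
  return $rc
}

# Usage: sh verify.sh /usr/local/bin/orbit oci://docker.io/fleetdm/fleet fleetctl.zip
if [ $# -gt 0 ]; then
  for arg in "$@"; do
    case "$arg" in
      *.zip) verify_archive "$arg" ;;
      *)     verify_artifact "$arg" ;;
    esac
  done
fi
```

Against the real CLI this needs network access and a logged-in `gh`; pointing `GH` at a stub script exercises the exit-code classification offline. A verified archive says nothing about an unverified file inside it, which is why `verify_archive` runs the check on every extracted file rather than stopping after the zip.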

noahtalerman (Member Author), Feb 12, 2025:

@sgress454 thanks! So currently we support attestation for the Orbit component of fleetd. Not osquery or Fleet Desktop yet (screenshot below from docs here). Is that right?

[Screenshot 2025-02-12 at 9:26:31 AM]

> On a host (at least a MacOS host) you can do:
>
> `gh attestation verify /usr/local/bin/orbit --owner fleetdm`
>
> to verify the Orbit binary installed on that host.

Also, what would the command be to verify Orbit on Linux and Windows?

noahtalerman (Member Author):

Hey @sgress454 just giving you another ping! When you get the chance, please check out my questions above.

noahtalerman (Member Author), Feb 14, 2025:

Hey @sgress454, can you please check out my questions above when you get the chance? Thanks!

Marking this PR as ready for review so we can get this merged in quickly. Plan is to open a separate PR once we get answers from Scott.

Contributor:

Sorry for missing this!

> So currently we support attestation for the Orbit component of fleetd. Not osquery or Fleet Desktop yet

That's correct. I'll check if there's a ticket to add attestation for these and add one if not.

> Also, what would the command be to verify Orbit on Linux and Windows?

On Linux it should be the same. On Windows I think it would usually be:

```
gh attestation verify "C:\Program Files\Orbit\bin\orbit\orbit.exe" --owner fleetdm
```

If you have a Windows host handy you can verify that, or I can set one up.

Contributor:

Update: there was a PR for attesting the desktop and osqueryd binaries and I already did it 🙃 . But I think it needs some work -- it appears we're only attesting the archives, but (except in the case of Linux) not the binaries inside. So the file that Orbit downloads is attested, but not the things inside it. I'll open a ticket to fix that up.

noahtalerman (Member Author):

> there was a PR for attesting the desktop and osqueryd binaries and I already did it 🙃 . But I think it needs some work -- it appears we're only attesting the archives, but (except in the case of Linux) not the binaries inside.

Good call to open up an issue. Can you please file it as an engineering initiated user story? Here's how: https://fleetdm.com/handbook/engineering#create-an-engineering-initiated-story

That way, Luke (engineering output and architecture DRI) can triage the story and decide whether to prioritize wrapping it up.

@noahtalerman noahtalerman marked this pull request as ready for review February 14, 2025 14:18
noahtalerman (Member Author):

@Drew-P-drawers this PR is ready for review/merge.

Drew-P-drawers (Contributor) left a review comment:

Looks good to me!

@Drew-P-drawers Drew-P-drawers merged commit f9dc049 into main Feb 14, 2025
5 checks passed
@Drew-P-drawers Drew-P-drawers deleted the noahtalerman-patch-21 branch February 14, 2025 18:01