GitHub (SLSA) attestation guide (#26222)

- Add instructions for verifying Fleet, fleetd, and fleetctl
fleetdm · Feb 14, 2025 · f9dc049 · f9dc049
1 parent 5e48e3d
commit f9dc049
Showing 1 changed file with 23 additions and 3 deletions.
diff --git a/articles/fleet-software-attestation.md b/articles/fleet-software-attestation.md
@@ -1,14 +1,34 @@
 # Fleet software attestation
 
-As of version 4.63.0 Fleet added [SLSA attestations](https://slsa.dev/) to our released binaries and container images.  This includes the `fleet` and `fleetctl` server software, the fleetd (Orbit, osquery, and Fleet Desktop) agent for hosts.
+As of version 4.63.0 Fleet added [SLSA attestations](https://slsa.dev/) to our released binaries and container images.  This includes the Fleet server, [fleetctl](https://fleetdm.com/docs/get-started/anatomy#fleetctl) command-line tool (CLI), and Fleet's agent (specifically the [Orbit](https://fleetdm.com/docs/get-started/anatomy#fleetd) component).
 
 ## What is software attestation?
 
 A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software _artifacts_ (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We utilize the SLSA framework for attestations which you can read more about [here](https://slsa.dev/).  After each release, attestations are added to https://github.com/fleetdm/fleet/attestations.
 
-## Verifying our release artifacts
+## Verifying a release
 
-Any product of a Fleet release can be _verified_ to prove that it was indeed created by Fleet, using the `gh` command line tool from Github.  See the [`gh attestation verify`](https://cli.github.com/manual/gh_attestation_verify) docs for more info.
+Any Fleet release can be _verified_ to prove that it was indeed created by Fleet, using the `gh` command line tool from Github.  See the [`gh attestation verify`](https://cli.github.com/manual/gh_attestation_verify) docs for more info.
+
+After downloading the [Fleet binary](https://github.com/fleetdm/fleet/releases), here's how to verify:
+
+```
+gh attestation verify --owner fleetdm /path/to/fleet
+```
+
+Verify the [fleetctl binary](https://github.com/fleetdm/fleet/releases) (CLI):
+
+```
+gh attestation verify --owner fleetdm fleetdm /path/to/fleetctl
+```
+
+After, installing Fleet's agent (fleetd) on a macOS host, run this command on the host to verify:
+
+```
+gh attestation verify --owner fleetdm /usr/local/bin/orbit
+```
+
+TODO: Filepath for Windows and Linux
 
 <meta name="authorGitHubUsername" value="sgress454">
 <meta name="authorFullName" value="Scott Gress">