An example method of authenticating software executing in a computer system includes: receiving, from the computer system over a network at a server computer, a trusted platform module (TPM) quote, an event log, and a metadata database, the TPM quote provided by a TPM in the computer system, the event log including first checksums for the software executing in the computer system, and the metadata database including second checksums of binary files stored in packages from which the software is installed; establishing a root of trust in the computer system at the server computer based on the TPM quote and the event log; and determining, at the server computer in response to establishing the root of trust, integrity of the software executing in the computer system by comparing the first checksums with the second checksums.