diff --git a/autodocs/changelog.md b/autodocs/changelog.md
index 640ecec68b..38d5314307 100755
--- a/autodocs/changelog.md
+++ b/autodocs/changelog.md
@@ -1,6 +1,377 @@
 # 2023-11-08
+Updated Docs:
+
+- apko/provenance_info.md
+- argo-cli/provenance_info.md
+- argo-exec/provenance_info.md
+- argo-workflowcontroller/provenance_info.md
+- argocd/provenance_info.md
+- argocd-repo-server/provenance_info.md
+- argocd-repo-server/tags_history.md
+- aspnet-runtime/provenance_info.md
+- atlantis/provenance_info.md
+- aws-cli/provenance_info.md
+- aws-cli/tags_history.md
+- aws-ebs-csi-driver/provenance_info.md
+- aws-efs-csi-driver/provenance_info.md
+- aws-efs-csi-driver/tags_history.md
+- aws-for-fluent-bit/provenance_info.md
+- aws-load-balancer-controller/provenance_info.md
+- bank-vaults/provenance_info.md
+- bash/provenance_info.md
+- bazel/provenance_info.md
+- boring-registry/provenance_info.md
+- buck2/provenance_info.md
+- busybox/provenance_info.md
+- busybox/tags_history.md
+- caddy/provenance_info.md
+- cadvisor/provenance_info.md
+- calico-cni/provenance_info.md
+- calico-csi/provenance_info.md
+- calico-kube-controllers/provenance_info.md
+- calico-node/provenance_info.md
+- calico-node-driver-registrar/provenance_info.md
+- calico-pod2daemon-flexvol/provenance_info.md
+- calico-typha/provenance_info.md
+- calicoctl/provenance_info.md
+- cassandra/provenance_info.md
+- cc-dynamic/provenance_info.md
+- cedar/provenance_info.md
+- cert-manager-acmesolver/provenance_info.md
+- cert-manager-cainjector/provenance_info.md
+- cert-manager-controller/provenance_info.md
+- cert-manager-webhook/provenance_info.md
+- cfssl/provenance_info.md
+- cilium-agent/provenance_info.md
+- cilium-hubble-relay/provenance_info.md
+- cilium-hubble-ui/provenance_info.md
+- cilium-hubble-ui-backend/provenance_info.md
+- cilium-operator-generic/provenance_info.md
+- clang/provenance_info.md
+- cluster-autoscaler/provenance_info.md
+- cluster-proportional-autoscaler/provenance_info.md
+- conda/provenance_info.md
+- configmap-reload/provenance_info.md
+- consul/provenance_info.md
+- coredns/provenance_info.md
+- cosign/provenance_info.md
+- cosign/tags_history.md
+- crane/provenance_info.md
+- crossplane/provenance_info.md
+- crossplane-aws/provenance_info.md
+- crossplane-aws-cloudfront/provenance_info.md
+- crossplane-aws-cloudwatchlogs/provenance_info.md
+- crossplane-aws-dynamodb/provenance_info.md
+- crossplane-aws-ec2/provenance_info.md
+- crossplane-aws-eks/provenance_info.md
+- crossplane-aws-firehose/provenance_info.md
+- crossplane-aws-iam/provenance_info.md
+- crossplane-aws-kms/provenance_info.md
+- crossplane-aws-lambda/provenance_info.md
+- crossplane-aws-rds/provenance_info.md
+- crossplane-aws-s3/provenance_info.md
+- crossplane-aws-sns/provenance_info.md
+- crossplane-aws-sqs/provenance_info.md
+- crossplane-azure/provenance_info.md
+- crossplane-azure-authorization/provenance_info.md
+- crossplane-azure-managedidentity/provenance_info.md
+- crossplane-azure-sql/provenance_info.md
+- crossplane-azure-storage/provenance_info.md
+- crossplane-xfn/provenance_info.md
+- crossplane-xfn/tags_history.md
+- ctlog-trillian-ctserver/provenance_info.md
+- curl/provenance_info.md
+- dask-gateway/provenance_info.md
+- dask-gateway-server/provenance_info.md
+- deno/provenance_info.md
+- dex/provenance_info.md
+- dive/provenance_info.md
+- dotnet-runtime/provenance_info.md
+- dotnet-sdk/provenance_info.md
+- dynamic-localpv-provisioner/provenance_info.md
+- envoy/provenance_info.md
+- envoy-ratelimit/provenance_info.md
+- etcd/provenance_info.md
+- external-dns/provenance_info.md
+- external-secrets/provenance_info.md
+- falcoctl/provenance_info.md
+- ffmpeg/provenance_info.md
+- fluent-bit/provenance_info.md
+- fluentd/provenance_info.md
+- fluentd/tags_history.md
+- flux/provenance_info.md
+- flux-helm-controller/provenance_info.md
+- flux-image-automation-controller/provenance_info.md
+- flux-image-reflector-controller/provenance_info.md
+- flux-kustomize-controller/provenance_info.md
+- flux-notification-controller/provenance_info.md
+- flux-source-controller/provenance_info.md
+- fulcio/provenance_info.md
+- gatekeeper/provenance_info.md
+- gcc-glibc/provenance_info.md
+- git/provenance_info.md
+- git/tags_history.md
+- gitlab-exporter/provenance_info.md
+- gitlab-kas/provenance_info.md
+- gitlab-pages/provenance_info.md
+- gitlab-shell/provenance_info.md
+- gitness/provenance_info.md
+- glibc-dynamic/provenance_info.md
+- go/provenance_info.md
+- go/tags_history.md
+- google-cloud-sdk/provenance_info.md
+- graalvm-native/provenance_info.md
+- gradle/provenance_info.md
+- grype/provenance_info.md
+- guacamole-server/provenance_info.md
+- haproxy/provenance_info.md
+- haproxy-ingress/provenance_info.md
+- helm/provenance_info.md
+- helm/tags_history.md
+- helm-chartmuseum/provenance_info.md
+- http-echo/provenance_info.md
+- hugo/provenance_info.md
+- influxdb/provenance_info.md
+- influxdb/tags_history.md
+- ingress-nginx-controller/provenance_info.md
+- ingress-nginx-controller/tags_history.md
+- ip-masq-agent/provenance_info.md
+- ip-masq-agent/tags_history.md
+- istio-install-cni/provenance_info.md
+- istio-operator/provenance_info.md
+- istio-pilot/provenance_info.md
+- istio-proxy/provenance_info.md
+- jdk/provenance_info.md
+- jdk-lts/provenance_info.md
+- jenkins/provenance_info.md
+- jenkins/tags_history.md
+- jre/provenance_info.md
+- jre-lts/provenance_info.md
+- k3s/provenance_info.md
+- k3s-allinone/provenance_info.md
+- k8s-sidecar/provenance_info.md
+- k8sgpt/provenance_info.md
+- k8sgpt-operator/provenance_info.md
+- kafka/provenance_info.md
+- karpenter/provenance_info.md
+- keda/provenance_info.md
+- keda/tags_history.md
+- keda-adapter/provenance_info.md
+- keda-adapter/tags_history.md
+- keda-admission-webhooks/provenance_info.md
+- keda-admission-webhooks/tags_history.md
+- keycloak/provenance_info.md
+- ko/provenance_info.md
+- ko/tags_history.md
+- kube-bench/provenance_info.md
+- kube-downscaler/provenance_info.md
+- kube-fluentd-operator/provenance_info.md
+- kube-logging-operator/provenance_info.md
+- kube-logging-operator-fluentd/provenance_info.md
+- kube-state-metrics/provenance_info.md
+- kubectl/provenance_info.md
+- kubeflow-jupyter-web-app/provenance_info.md
+- kubeflow-jupyter-web-app/tags_history.md
+- kubeflow-katib-controller/provenance_info.md
+- kubeflow-katib-db-manager/provenance_info.md
+- kubeflow-katib-earlystopping-medianstop/provenance_info.md
+- kubeflow-katib-file-metrics-collector/provenance_info.md
+- kubeflow-katib-suggestion-darts/provenance_info.md
+- kubeflow-katib-suggestion-goptuna/provenance_info.md
+- kubeflow-katib-suggestion-hyperband/provenance_info.md
+- kubeflow-katib-suggestion-hyperopt/provenance_info.md
+- kubeflow-katib-suggestion-optuna/provenance_info.md
+- kubeflow-katib-suggestion-pbt/provenance_info.md
+- kubeflow-katib-suggestion-skopt/provenance_info.md
+- kubeflow-pipelines-api-server/image_specs.md
+- kubeflow-pipelines-api-server/provenance_info.md
+- kubeflow-pipelines-api-server/tags_history.md
+- kubeflow-pipelines-cache-deployer/provenance_info.md
+- kubeflow-pipelines-cache-deployer/tags_history.md
+- kubeflow-pipelines-cache-server/provenance_info.md
+- kubeflow-pipelines-cache-server/tags_history.md
+- kubeflow-pipelines-metadata-writer/provenance_info.md
+- kubeflow-pipelines-metadata-writer/tags_history.md
+- kubeflow-pipelines-persistenceagent/provenance_info.md
+- kubeflow-pipelines-persistenceagent/tags_history.md
+- kubeflow-pipelines-scheduledworkflow/provenance_info.md
+- kubeflow-pipelines-scheduledworkflow/tags_history.md
+- kubeflow-pipelines-viewer-crd-controller/provenance_info.md
+- kubeflow-pipelines-viewer-crd-controller/tags_history.md
+- kubeflow-volumes-web-app/provenance_info.md
+- kubeflow-volumes-web-app/tags_history.md
+- kubernetes-csi-external-attacher/provenance_info.md
+- kubernetes-csi-external-provisioner/provenance_info.md
+- kubernetes-csi-external-resizer/provenance_info.md
+- kubernetes-csi-external-snapshot-controller/provenance_info.md
+- kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md
+- kubernetes-csi-external-snapshotter/provenance_info.md
+- kubernetes-csi-livenessprobe/provenance_info.md
+- kubernetes-csi-node-driver-registrar/provenance_info.md
+- kubernetes-dashboard/provenance_info.md
+- kubernetes-dashboard-metrics-scraper/provenance_info.md
+- kubernetes-dns-node-cache/provenance_info.md
+- kubernetes-ingress-defaultbackend/provenance_info.md
+- kubewatch/provenance_info.md
+- kyverno/provenance_info.md
+- kyverno-background-controller/provenance_info.md
+- kyverno-cleanup-controller/provenance_info.md
+- kyverno-cli/provenance_info.md
+- kyverno-policy-reporter-plugin/provenance_info.md
+- kyverno-policy-reporter-reporter/provenance_info.md
+- kyverno-policy-reporter-ui/provenance_info.md
+- kyverno-reports-controller/provenance_info.md
+- kyvernopre/provenance_info.md
+- loki/provenance_info.md
+- mariadb/provenance_info.md
+- maven/provenance_info.md
+- mdbook/provenance_info.md
+- meilisearch/provenance_info.md
+- melange/provenance_info.md
+- memcached/provenance_info.md
+- memcached-exporter/provenance_info.md
+- metacontroller/provenance_info.md
+- metrics-server/provenance_info.md
+- minio/provenance_info.md
+- minio-client/provenance_info.md
+- nats/provenance_info.md
+- netcat/provenance_info.md
+- newrelic-fluent-bit-output/provenance_info.md
+- newrelic-infrastructure-bundle/provenance_info.md
+- newrelic-k8s-events-forwarder/provenance_info.md
+- newrelic-kube-events/provenance_info.md
+- newrelic-kubernetes/provenance_info.md
+- newrelic-prometheus/provenance_info.md
+- newrelic-prometheus-configurator/provenance_info.md
+- nfs-subdir-external-provisioner/provenance_info.md
+- nginx/provenance_info.md
+- node/provenance_info.md
+- node-lts/provenance_info.md
+- node-problem-detector/provenance_info.md
+- nodetaint/provenance_info.md
+- ntpd-rs/provenance_info.md
+- nvidia-device-plugin/provenance_info.md
+- oauth2-proxy/provenance_info.md
+- oauth2-proxy/tags_history.md
+- openai/provenance_info.md
+- opensearch/provenance_info.md
+- opentelemetry-collector-contrib/provenance_info.md
+- opentofu/provenance_info.md
+- paranoia/provenance_info.md
+- pgbouncer/provenance_info.md
+- php/provenance_info.md
+- postgres/provenance_info.md
+- powershell/provenance_info.md
+- prometheus/provenance_info.md
+- prometheus-adapter/provenance_info.md
+- prometheus-alertmanager/provenance_info.md
+- prometheus-cloudwatch-exporter/provenance_info.md
+- prometheus-config-reloader/provenance_info.md
+- prometheus-config-reloader/tags_history.md
+- prometheus-elasticsearch-exporter/provenance_info.md
+- prometheus-mongodb-exporter/provenance_info.md
+- prometheus-mysqld-exporter/provenance_info.md
+- prometheus-node-exporter/provenance_info.md
+- prometheus-operator/provenance_info.md
+- prometheus-operator/tags_history.md
+- prometheus-postgres-exporter/provenance_info.md
+- prometheus-pushgateway/provenance_info.md
+- prometheus-pushgateway/tags_history.md
+- prometheus-pushgateway-bitnami/provenance_info.md
+- prometheus-redis-exporter/provenance_info.md
+- prometheus-statsd-exporter/provenance_info.md
+- promtail/provenance_info.md
+- proxysql/provenance_info.md
+- pulumi/provenance_info.md
+- python/provenance_info.md
+- r-base/provenance_info.md
+- rabbitmq/provenance_info.md
+- rabbitmq-cluster-operator/provenance_info.md
+- rabbitmq-messaging-topology-operator/provenance_info.md
+- redis/provenance_info.md
+- redis-cluster-bitnami/provenance_info.md
+- redis-sentinel/provenance_info.md
+- redis-sentinel-bitnami/provenance_info.md
+- redis-server-bitnami/provenance_info.md
+- rekor-backfill-redis/provenance_info.md
+- rekor-cli/provenance_info.md
+- rekor-server/provenance_info.md
+- rqlite/provenance_info.md
+- ruby/provenance_info.md
+- rust/provenance_info.md
+- secrets-store-csi-driver/provenance_info.md
+- secrets-store-csi-driver-provider-gcp/provenance_info.md
+- semgrep/provenance_info.md
+- semgrep/tags_history.md
+- sigstore-scaffolding-cloudsqlproxy/provenance_info.md
+- sigstore-scaffolding-ctlog-createctconfig/provenance_info.md
+- sigstore-scaffolding-ctlog-managectroots/provenance_info.md
+- sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md
+- sigstore-scaffolding-fulcio-createcerts/provenance_info.md
+- sigstore-scaffolding-getoidctoken/provenance_info.md
+- sigstore-scaffolding-rekor-createsecret/provenance_info.md
+- sigstore-scaffolding-trillian-createdb/provenance_info.md
+- sigstore-scaffolding-trillian-createtree/provenance_info.md
+- sigstore-scaffolding-trillian-updatetree/provenance_info.md
+- sigstore-scaffolding-tsa-createcertchain/provenance_info.md
+- sigstore-scaffolding-tuf-createsecret/provenance_info.md
+- sigstore-scaffolding-tuf-server/provenance_info.md
+- skaffold/provenance_info.md
+- skaffold/tags_history.md
+- slim-toolkit-debug/provenance_info.md
+- smarter-device-manager/provenance_info.md
+- spark-operator/provenance_info.md
+- spire-agent/provenance_info.md
+- spire-oidc-discovery-provider/provenance_info.md
+- spire-server/provenance_info.md
+- stakater-reloader/provenance_info.md
+- static/provenance_info.md
+- stunnel/provenance_info.md
+- tekton-chains/provenance_info.md
+- tekton-cli/provenance_info.md
+- tekton-controller/provenance_info.md
+- tekton-entrypoint/provenance_info.md
+- tekton-events/provenance_info.md
+- tekton-nop/provenance_info.md
+- tekton-resolvers/provenance_info.md
+- tekton-sidecarlogresults/provenance_info.md
+- tekton-webhook/provenance_info.md
+- tekton-workingdirinit/provenance_info.md
+- telegraf/provenance_info.md
+- terraform/provenance_info.md
+- thanos/provenance_info.md
+- thanos-operator/provenance_info.md
+- tigera-operator/provenance_info.md
+- timoni/provenance_info.md
+- tomcat/provenance_info.md
+- traefik/provenance_info.md
+- trillian-logserver/provenance_info.md
+- 
trillian-logsigner/provenance_info.md +- trino/provenance_info.md +- trust-manager/provenance_info.md +- vault/provenance_info.md +- vault-k8s/provenance_info.md +- vela-cli/provenance_info.md +- vertical-pod-autoscaler-admission-controller/provenance_info.md +- vertical-pod-autoscaler-recommender/provenance_info.md +- vertical-pod-autoscaler-updater/provenance_info.md +- vt/provenance_info.md +- wait-for-it/provenance_info.md +- wasmer/provenance_info.md +- wasmtime/provenance_info.md +- wavefront-proxy/provenance_info.md +- wazero/provenance_info.md +- weaviate/provenance_info.md +- wolfi-base/provenance_info.md +- zig/provenance_info.md +- zookeeper/provenance_info.md +- zot/provenance_info.md + +# 2023-11-08 + + Updated Docs: - argocd/tags_history.md diff --git a/content/chainguard/chainguard-images/reference/apko/provenance_info.md b/content/chainguard/chainguard-images/reference/apko/provenance_info.md index 581e899744..e5a38b4f1d 100644 --- a/content/chainguard/chainguard-images/reference/apko/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/apko/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying apko Image Signatures The **apko** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading apko Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the apko image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the apko image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/apko | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/apko | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying apko Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the apko image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/apko +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/apko ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/apko -- diff --git a/content/chainguard/chainguard-images/reference/argo-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/argo-cli/provenance_info.md index 8fc877b3da..6de064e2aa 100644 --- a/content/chainguard/chainguard-images/reference/argo-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argo-cli/provenance_info.md 
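Review bot: The new download example passes `--platform=unix/amd64` and the sentence introducing it says the SBOM is fetched "on `unix/amd64`", while the verify-attestation line this same hunk removes used `linux/amd64`; the OS component of an OCI platform string for these images is `linux`, so a reader copying the example is likely to get no matching manifest rather than the SBOM. Suggest `    --platform=linux/amd64 \` in the fence and "on `linux/amd64`" in the prose, and since the download step does not itself check any signature, a short sentence pointing readers to the verification section before trusting what they downloaded would help. The identical `unix/amd64` text is repeated in the argo-cli, argo-exec, argo-workflowcontroller and argocd-repo-server hunks of this commit. The rewritten `cosign verify-attestation` block also drops the `--platform=linux/amd64` flag the previous version carried and appears to lose the four-space indent on its continuation lines; if the attestation being verified is per-platform, confirm the command still succeeds against a multi-arch tag without the flag, and keep the indentation consistent with the download example above it.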
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying argo-cli Image Signatures The **argo-cli** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading argo-cli Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the argo-cli image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-cli image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/argo-cli | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/argo-cli | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying argo-cli Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the argo-cli image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/argo-cli +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/argo-cli ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/argo-cli -- diff --git a/content/chainguard/chainguard-images/reference/argo-exec/provenance_info.md b/content/chainguard/chainguard-images/reference/argo-exec/provenance_info.md index fe8bfda082..b7e2f33fe5 100644 --- a/content/chainguard/chainguard-images/reference/argo-exec/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argo-exec/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying argo-exec Image Signatures The **argo-exec** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading argo-exec Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the argo-exec image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-exec image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/argo-exec | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/argo-exec | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying argo-exec Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the argo-exec image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/argo-exec +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/argo-exec ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/argo-exec -- diff --git a/content/chainguard/chainguard-images/reference/argo-workflowcontroller/provenance_info.md b/content/chainguard/chainguard-images/reference/argo-workflowcontroller/provenance_info.md index 5546bf23af..01c3eef021 100644 --- a/content/chainguard/chainguard-images/reference/argo-workflowcontroller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argo-workflowcontroller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying argo-workflowcontroller Image Signatures The **argo-workflowcontroller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading argo-workflowcontroller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the argo-workflowcontroller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-workflowcontroller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/argo-workflowcontroller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/argo-workflowcontroller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying argo-workflowcontroller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the argo-workflowcontroller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/argo-workflowcontroller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/argo-workflowcontroller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/argo-workflowcontroller -- diff --git a/content/chainguard/chainguard-images/reference/argocd-repo-server/provenance_info.md b/content/chainguard/chainguard-images/reference/argocd-repo-server/provenance_info.md index bd5ae6a7e6..8e736d9296 100644 --- a/content/chainguard/chainguard-images/reference/argocd-repo-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argocd-repo-server/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying argocd-repo-server Image Signatures
 The **argocd-repo-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading argocd-repo-server Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the argocd-repo-server image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argocd-repo-server image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/argocd-repo-server | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/argocd-repo-server | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying argocd-repo-server Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the argocd-repo-server image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/argocd-repo-server
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/argocd-repo-server
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/argocd-repo-server --
diff --git a/content/chainguard/chainguard-images/reference/argocd-repo-server/tags_history.md b/content/chainguard/chainguard-images/reference/argocd-repo-server/tags_history.md
index bbcc4e75dd..a59f5a3b9d 100644
--- a/content/chainguard/chainguard-images/reference/argocd-repo-server/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/argocd-repo-server/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 7th | `sha256:84f6ef9ee847a2837cdb77e8091bcf8fd744312b03a5048204163b3ce1e59bad` |
-| `latest` | November 7th | `sha256:1d3f7a0fd53a63f3852e10f15ac6977f2bca82c741440ee87a509fa0820bb71d` |
+| `latest-dev` | November 8th | `sha256:4cdaf56c3f0cd61e3c4f82a9a9e1dc1cfd88069714bc46758198203af27527a7` |
+| `latest` | November 8th | `sha256:c2540f71f2e5b680c3a9fdc1309087db0c19c23bdec31c83842e1c42bb4306f6` |
diff --git a/content/chainguard/chainguard-images/reference/argocd/provenance_info.md b/content/chainguard/chainguard-images/reference/argocd/provenance_info.md
index 84dec2f0e0..fc54756439 100644
--- a/content/chainguard/chainguard-images/reference/argocd/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/argocd/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying argocd Image Signatures
 The **argocd** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading argocd Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the argocd image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argocd image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/argocd | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/argocd | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying argocd Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the argocd image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/argocd
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/argocd
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/argocd --
diff --git a/content/chainguard/chainguard-images/reference/aspnet-runtime/provenance_info.md b/content/chainguard/chainguard-images/reference/aspnet-runtime/provenance_info.md
index ee5a320f0e..d4e60a72a1 100644
--- a/content/chainguard/chainguard-images/reference/aspnet-runtime/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/aspnet-runtime/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying aspnet-runtime Image Signatures
 The **aspnet-runtime** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading aspnet-runtime Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the aspnet-runtime image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aspnet-runtime image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/aspnet-runtime | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/aspnet-runtime | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying aspnet-runtime Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the aspnet-runtime image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/aspnet-runtime
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/aspnet-runtime
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/aspnet-runtime --
diff --git a/content/chainguard/chainguard-images/reference/atlantis/provenance_info.md b/content/chainguard/chainguard-images/reference/atlantis/provenance_info.md
index aa438d62c5..4b4e36a2c6 100644
--- a/content/chainguard/chainguard-images/reference/atlantis/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/atlantis/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying atlantis Image Signatures
 The **atlantis** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading atlantis Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the atlantis image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the atlantis image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/atlantis | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/atlantis | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying atlantis Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the atlantis image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/atlantis
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/atlantis
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/atlantis --
diff --git a/content/chainguard/chainguard-images/reference/aws-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-cli/provenance_info.md
index 21995ade4d..8c6646dcff 100644
--- a/content/chainguard/chainguard-images/reference/aws-cli/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/aws-cli/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying aws-cli Image Signatures
 The **aws-cli** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading aws-cli Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the aws-cli image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-cli image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/aws-cli | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/aws-cli | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying aws-cli Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the aws-cli image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/aws-cli
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/aws-cli
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/aws-cli --
diff --git a/content/chainguard/chainguard-images/reference/aws-cli/tags_history.md b/content/chainguard/chainguard-images/reference/aws-cli/tags_history.md
index b41abe2467..85346c4bd0 100644
--- a/content/chainguard/chainguard-images/reference/aws-cli/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/aws-cli/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 7th | `sha256:7199365e02048fcfcd6b9a4dec17fbae6950900a2afc8c8ecfb0832eaf7589f7` |
-| `latest` | November 7th | `sha256:cd77c8efa8a5d5addc5ca1a41722d1f2af09efe0a89961e23240b234c076fb1d` |
+| `latest` | November 8th | `sha256:0c9bbb116d87dd3042384d35216ed7f31b1ab916e0ea1463cdabb614893fab2e` |
+| `latest-dev` | November 8th | `sha256:8978bde8b0d16c7166a2e5d3147a81ed70652f3589ccc651be6cddf51e9760f3` |
diff --git a/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/provenance_info.md
index 93b0a2aa46..ff9d6f4f55 100644
--- a/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying aws-ebs-csi-driver Image Signatures
 The **aws-ebs-csi-driver** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading aws-ebs-csi-driver Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the aws-ebs-csi-driver image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-ebs-csi-driver image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/aws-ebs-csi-driver | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/aws-ebs-csi-driver | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying aws-ebs-csi-driver Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the aws-ebs-csi-driver image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/aws-ebs-csi-driver
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/aws-ebs-csi-driver
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/aws-ebs-csi-driver --
diff --git a/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/provenance_info.md
index 4e0318eab2..2993af7574 100644
--- a/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying aws-efs-csi-driver Image Signatures
 The **aws-efs-csi-driver** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading aws-efs-csi-driver Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the aws-efs-csi-driver image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-efs-csi-driver image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/aws-efs-csi-driver | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/aws-efs-csi-driver | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying aws-efs-csi-driver Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the aws-efs-csi-driver image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/aws-efs-csi-driver
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/aws-efs-csi-driver
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/aws-efs-csi-driver --
diff --git a/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/tags_history.md b/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/tags_history.md
index e76180a287..418eb4ca38 100644
--- a/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest` | November 7th | `sha256:5102e0506adca1d98eeb62bae4be0a896cd1c16818d00d52b370d6bb2aa637a4` |
-| `latest-dev` | November 7th | `sha256:1a191f83641265e48033f51adc95d8092d5238a0b07feb37f164db581d09105a` |
+| `latest-dev` | November 8th | `sha256:b357cdeedc00a96d9be837b1cc000ed1bf2c6cabc5858be485ae89a23807dd8f` |
+| `latest` | November 8th | `sha256:895e4d05059704bfe85690d1f8ba23a22c8a3d5d1d4551fe21cc4319c0df1c61` |
diff --git a/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/provenance_info.md
index 8ac092cae0..b1fd0f8ec1 100644
--- a/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying aws-for-fluent-bit Image Signatures
 The **aws-for-fluent-bit** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading aws-for-fluent-bit Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the aws-for-fluent-bit image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-for-fluent-bit image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/aws-for-fluent-bit | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/aws-for-fluent-bit | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying aws-for-fluent-bit Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the aws-for-fluent-bit image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/aws-for-fluent-bit
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/aws-for-fluent-bit
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/aws-for-fluent-bit --
diff --git a/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/provenance_info.md
index 6e70dd4319..8e40be39ad 100644
--- a/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying aws-load-balancer-controller Image Signatures
 The **aws-load-balancer-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading aws-load-balancer-controller Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the aws-load-balancer-controller image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-load-balancer-controller image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/aws-load-balancer-controller | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/aws-load-balancer-controller | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying aws-load-balancer-controller Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the aws-load-balancer-controller image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/aws-load-balancer-controller
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/aws-load-balancer-controller
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/aws-load-balancer-controller --
diff --git a/content/chainguard/chainguard-images/reference/bank-vaults/provenance_info.md b/content/chainguard/chainguard-images/reference/bank-vaults/provenance_info.md
index 7c76747b3a..2fd33613c9 100644
--- a/content/chainguard/chainguard-images/reference/bank-vaults/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/bank-vaults/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying bank-vaults Image Signatures
 The **bank-vaults** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading bank-vaults Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the bank-vaults image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bank-vaults image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/bank-vaults | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/bank-vaults | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying bank-vaults Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the bank-vaults image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/bank-vaults
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/bank-vaults
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/bank-vaults --
diff --git a/content/chainguard/chainguard-images/reference/bash/provenance_info.md b/content/chainguard/chainguard-images/reference/bash/provenance_info.md
index 1e110b699d..7483480123 100644
--- a/content/chainguard/chainguard-images/reference/bash/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/bash/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying bash Image Signatures
 The **bash** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading bash Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the bash image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bash image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/bash | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/bash | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying bash Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the bash image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/bash
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/bash
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/bash --
diff --git a/content/chainguard/chainguard-images/reference/bazel/provenance_info.md b/content/chainguard/chainguard-images/reference/bazel/provenance_info.md
index 740bca4713..9662da0361 100644
--- a/content/chainguard/chainguard-images/reference/bazel/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/bazel/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying bazel Image Signatures
 The **bazel** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading bazel Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the bazel image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bazel image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/bazel | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/bazel | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying bazel Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the bazel image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/bazel
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/bazel
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/bazel --
diff --git a/content/chainguard/chainguard-images/reference/boring-registry/provenance_info.md b/content/chainguard/chainguard-images/reference/boring-registry/provenance_info.md
index 207ad91a39..8a46b59c34 100644
--- a/content/chainguard/chainguard-images/reference/boring-registry/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/boring-registry/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying boring-registry Image Signatures
 The **boring-registry** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading boring-registry Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the boring-registry image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the boring-registry image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/boring-registry | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/boring-registry | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying boring-registry Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the boring-registry image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/boring-registry
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/boring-registry
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/boring-registry --
diff --git a/content/chainguard/chainguard-images/reference/buck2/provenance_info.md b/content/chainguard/chainguard-images/reference/buck2/provenance_info.md
index 41590a81bc..d4610301ae 100644
--- a/content/chainguard/chainguard-images/reference/buck2/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/buck2/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying buck2 Image Signatures
 The **buck2** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading buck2 Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the buck2 image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the buck2 image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/buck2 | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/buck2 | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying buck2 Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the buck2 image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/buck2
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/buck2
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/buck2 --
diff --git a/content/chainguard/chainguard-images/reference/busybox/provenance_info.md b/content/chainguard/chainguard-images/reference/busybox/provenance_info.md
index e1524f277f..dc7312ff7a 100644
--- a/content/chainguard/chainguard-images/reference/busybox/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/busybox/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying busybox Image Signatures
 The **busybox** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading busybox Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the busybox image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the busybox image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/busybox | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/busybox | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying busybox Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the busybox image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/busybox +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/busybox ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/busybox -- diff --git a/content/chainguard/chainguard-images/reference/busybox/tags_history.md b/content/chainguard/chainguard-images/reference/busybox/tags_history.md index 9f7c665b84..776ca70ce8 100644 --- a/content/chainguard/chainguard-images/reference/busybox/tags_history.md +++ b/content/chainguard/chainguard-images/reference/busybox/tags_history.md 
@@ -25,7 +25,7 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |-------------------------------------------------------|--------------|---------------------------------------------------------------------------| -| `latest` | November 7th | `sha256:bf9bb9e86c9e20771c712455c9ceb4a4a2ef5fac474b94c4a919b105007cda99` | +| `latest` | November 8th | `sha256:c8cfa476e08837f87fc53959debb6127878feebd4f6d5f93b70017520ad36954` | | `1.36` `1` `1.36.1` | November 3rd | `sha256:d6a7ed7843540fc638e70069e3b75f8422ac3d871162518abb5cbd0ee4bd1d38` | | `glibc-1` `latest-glibc` `glibc-1.36.1` `glibc-1.36` | October 30th | `sha256:8e3662a12cc913bc5d2aec46333589f4823910ef9560d8763f1fb04b2923aff1` | diff --git a/content/chainguard/chainguard-images/reference/caddy/provenance_info.md b/content/chainguard/chainguard-images/reference/caddy/provenance_info.md index 830f3f2a8a..5fb7f6f823 100644 --- a/content/chainguard/chainguard-images/reference/caddy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/caddy/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying caddy Image Signatures The **caddy** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading caddy Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the caddy image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the caddy image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/caddy | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/caddy | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying caddy Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the caddy image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/caddy +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/caddy ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/caddy -- diff --git a/content/chainguard/chainguard-images/reference/cadvisor/provenance_info.md b/content/chainguard/chainguard-images/reference/cadvisor/provenance_info.md index 8b0df5632c..7f2527668a 100644 --- a/content/chainguard/chainguard-images/reference/cadvisor/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cadvisor/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying cadvisor Image Signatures The **cadvisor** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading cadvisor Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the cadvisor image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cadvisor image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/cadvisor | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/cadvisor | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying cadvisor Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the cadvisor image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/cadvisor +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/cadvisor ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/cadvisor -- diff --git a/content/chainguard/chainguard-images/reference/calico-cni/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-cni/provenance_info.md index 28f2ccd893..167a8da4c7 100644 --- a/content/chainguard/chainguard-images/reference/calico-cni/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-cni/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying calico-cni Image Signatures The **calico-cni** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading calico-cni Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the calico-cni image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-cni image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/calico-cni | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/calico-cni | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying calico-cni Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the calico-cni image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/calico-cni +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/calico-cni ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/calico-cni -- diff --git a/content/chainguard/chainguard-images/reference/calico-csi/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-csi/provenance_info.md index e1cb20fde0..e5796bc363 100644 --- a/content/chainguard/chainguard-images/reference/calico-csi/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-csi/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying calico-csi Image Signatures The **calico-csi** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading calico-csi Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the calico-csi image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-csi image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/calico-csi | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/calico-csi | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying calico-csi Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the calico-csi image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/calico-csi +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/calico-csi ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/calico-csi -- diff --git a/content/chainguard/chainguard-images/reference/calico-kube-controllers/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-kube-controllers/provenance_info.md index 58c710a499..7295dd6fe5 100644 --- a/content/chainguard/chainguard-images/reference/calico-kube-controllers/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-kube-controllers/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying calico-kube-controllers Image Signatures The **calico-kube-controllers** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading calico-kube-controllers Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the calico-kube-controllers image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-kube-controllers image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/calico-kube-controllers | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/calico-kube-controllers | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying calico-kube-controllers Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the calico-kube-controllers image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/calico-kube-controllers +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/calico-kube-controllers ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/calico-kube-controllers -- diff --git a/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/provenance_info.md index 7c10b215ef..2b92db6f07 100644 --- a/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying calico-node-driver-registrar Image Signatures The **calico-node-driver-registrar** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading calico-node-driver-registrar Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the calico-node-driver-registrar image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-node-driver-registrar image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/calico-node-driver-registrar | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/calico-node-driver-registrar | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying calico-node-driver-registrar Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the calico-node-driver-registrar image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/calico-node-driver-registrar +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/calico-node-driver-registrar ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/calico-node-driver-registrar -- diff --git a/content/chainguard/chainguard-images/reference/calico-node/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-node/provenance_info.md index 8517bcf4a6..5787f5423f 100644 --- a/content/chainguard/chainguard-images/reference/calico-node/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-node/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying calico-node Image Signatures
 The **calico-node** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading calico-node Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the calico-node image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-node image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/calico-node | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/calico-node | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying calico-node Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the calico-node image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/calico-node
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/calico-node
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/calico-node --
diff --git a/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/provenance_info.md
index 1a526bd811..ca069e55e8 100644
--- a/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/provenance_info.md
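Review bot: `--platform=unix/amd64` in the new `cosign download attestation` example is not a valid OCI platform string, so the command as written cannot select a per-architecture manifest; the removed `verify-attestation` lines in the same hunk show the intended value, `linux/amd64`, so the added flag line and the prose above the fence should read `--platform=linux/amd64 \` and "on `linux/amd64`". The same value appears in the corresponding hunks for calico-pod2daemon-flexvol, calico-typha, calicoctl, cassandra, cc-dynamic, cedar and cert-manager-acmesolver, which suggests the template that generates these pages carries the typo. Separately, the new `verify-attestation` command drops `--platform` entirely, so whether it checks the same per-architecture attestation that the download command fetches is not clear from the page and is worth confirming before publishing.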
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying calico-pod2daemon-flexvol Image Signatures
 The **calico-pod2daemon-flexvol** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading calico-pod2daemon-flexvol Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the calico-pod2daemon-flexvol image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-pod2daemon-flexvol image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/calico-pod2daemon-flexvol | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/calico-pod2daemon-flexvol | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying calico-pod2daemon-flexvol Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the calico-pod2daemon-flexvol image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/calico-pod2daemon-flexvol
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/calico-pod2daemon-flexvol
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/calico-pod2daemon-flexvol --
diff --git a/content/chainguard/chainguard-images/reference/calico-typha/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-typha/provenance_info.md
index 89e1599e96..3dc6216114 100644
--- a/content/chainguard/chainguard-images/reference/calico-typha/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/calico-typha/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying calico-typha Image Signatures
 The **calico-typha** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading calico-typha Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the calico-typha image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-typha image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/calico-typha | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/calico-typha | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying calico-typha Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the calico-typha image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/calico-typha
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/calico-typha
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/calico-typha --
diff --git a/content/chainguard/chainguard-images/reference/calicoctl/provenance_info.md b/content/chainguard/chainguard-images/reference/calicoctl/provenance_info.md
index 967e7e91e3..c6dfbf3a7a 100644
--- a/content/chainguard/chainguard-images/reference/calicoctl/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/calicoctl/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying calicoctl Image Signatures
 The **calicoctl** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading calicoctl Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the calicoctl image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calicoctl image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/calicoctl | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/calicoctl | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying calicoctl Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the calicoctl image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/calicoctl
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/calicoctl
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/calicoctl --
diff --git a/content/chainguard/chainguard-images/reference/cassandra/provenance_info.md b/content/chainguard/chainguard-images/reference/cassandra/provenance_info.md
index 9a4f830b05..8047e1d871 100644
--- a/content/chainguard/chainguard-images/reference/cassandra/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cassandra/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cassandra Image Signatures
 The **cassandra** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cassandra Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cassandra image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cassandra image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cassandra | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cassandra | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cassandra Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cassandra image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cassandra
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cassandra
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cassandra --
diff --git a/content/chainguard/chainguard-images/reference/cc-dynamic/provenance_info.md b/content/chainguard/chainguard-images/reference/cc-dynamic/provenance_info.md
index d1033ec6a1..104a2be2cb 100644
--- a/content/chainguard/chainguard-images/reference/cc-dynamic/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cc-dynamic/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cc-dynamic Image Signatures
 The **cc-dynamic** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cc-dynamic Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cc-dynamic image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cc-dynamic image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cc-dynamic | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cc-dynamic | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cc-dynamic Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cc-dynamic image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cc-dynamic
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cc-dynamic
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cc-dynamic --
diff --git a/content/chainguard/chainguard-images/reference/cedar/provenance_info.md b/content/chainguard/chainguard-images/reference/cedar/provenance_info.md
index 774d28e3a3..8580b717c6 100644
--- a/content/chainguard/chainguard-images/reference/cedar/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cedar/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cedar Image Signatures
 The **cedar** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cedar Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cedar image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cedar image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cedar | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cedar | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cedar Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cedar image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cedar
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cedar
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cedar --
diff --git a/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/provenance_info.md b/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/provenance_info.md
index d7a55a8952..80508b5abd 100644
--- a/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/provenance_info.md
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying cert-manager-acmesolver Image Signatures The **cert-manager-acmesolver** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cert-manager-acmesolver Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cert-manager-acmesolver image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-acmesolver image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cert-manager-acmesolver | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cert-manager-acmesolver | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cert-manager-acmesolver Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cert-manager-acmesolver image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cert-manager-acmesolver
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cert-manager-acmesolver
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cert-manager-acmesolver --
diff --git a/content/chainguard/chainguard-images/reference/cert-manager-cainjector/provenance_info.md b/content/chainguard/chainguard-images/reference/cert-manager-cainjector/provenance_info.md
index 2b32d184f1..d68da793d5 100644
--- a/content/chainguard/chainguard-images/reference/cert-manager-cainjector/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cert-manager-cainjector/provenance_info.md
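Review bot: The new download command passes `--platform=unix/amd64`, and the sentence introducing it says the SBOM is obtained "on `unix/amd64`", but `unix` is not a valid OCI/GOOS operating-system value, so cosign will not match any manifest in the image index; the removed `verify-attestation` line used `linux/amd64`, which is what the added flag line and the prose should say: `  --platform=linux/amd64 \`. The same value appears in the corresponding hunk of cert-manager-cainjector, cert-manager-controller, cert-manager-webhook, cfssl, cilium-agent, cilium-hubble-relay and cilium-hubble-ui-backend. Separately, `cosign download attestation` fetches the envelope without checking its signature, yet the pipeline decodes and prints `.predicate` before the "Verifying ... Image Attestations" section runs `verify-attestation`; a sentence such as `Note that cosign download attestation does not verify the attestation signature; run the command in the next section before relying on the downloaded contents.` would keep readers from trusting unverified SBOM data. It is also worth confirming that dropping `--platform` from the new `verify-attestation` invocation still verifies the per-platform attestation of a multi-arch index, since the download step now requires a platform while the verify step no longer selects one.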
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cert-manager-cainjector Image Signatures
 The **cert-manager-cainjector** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cert-manager-cainjector Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cert-manager-cainjector image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-cainjector image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cert-manager-cainjector | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cert-manager-cainjector | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cert-manager-cainjector Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cert-manager-cainjector image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cert-manager-cainjector
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cert-manager-cainjector
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cert-manager-cainjector --
diff --git a/content/chainguard/chainguard-images/reference/cert-manager-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/cert-manager-controller/provenance_info.md
index ec228ffaed..5eb5bd49a1 100644
--- a/content/chainguard/chainguard-images/reference/cert-manager-controller/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cert-manager-controller/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cert-manager-controller Image Signatures
 The **cert-manager-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cert-manager-controller Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cert-manager-controller image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-controller image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cert-manager-controller | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cert-manager-controller | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cert-manager-controller Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cert-manager-controller image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cert-manager-controller
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cert-manager-controller
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cert-manager-controller --
diff --git a/content/chainguard/chainguard-images/reference/cert-manager-webhook/provenance_info.md b/content/chainguard/chainguard-images/reference/cert-manager-webhook/provenance_info.md
index e3d771ab89..9b850c3093 100644
--- a/content/chainguard/chainguard-images/reference/cert-manager-webhook/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cert-manager-webhook/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cert-manager-webhook Image Signatures
 The **cert-manager-webhook** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cert-manager-webhook Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cert-manager-webhook image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-webhook image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cert-manager-webhook | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cert-manager-webhook | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cert-manager-webhook Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cert-manager-webhook image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cert-manager-webhook
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cert-manager-webhook
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cert-manager-webhook --
diff --git a/content/chainguard/chainguard-images/reference/cfssl/provenance_info.md b/content/chainguard/chainguard-images/reference/cfssl/provenance_info.md
index 0f5bfaa52b..171e32e9ad 100644
--- a/content/chainguard/chainguard-images/reference/cfssl/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cfssl/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cfssl Image Signatures
 The **cfssl** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cfssl Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cfssl image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cfssl image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cfssl | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cfssl | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cfssl Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cfssl image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cfssl
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cfssl
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cfssl --
diff --git a/content/chainguard/chainguard-images/reference/cilium-agent/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-agent/provenance_info.md
index a3f2cc10d3..c6a3f9c58f 100644
--- a/content/chainguard/chainguard-images/reference/cilium-agent/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cilium-agent/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cilium-agent Image Signatures
 The **cilium-agent** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cilium-agent Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cilium-agent image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-agent image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cilium-agent | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cilium-agent | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cilium-agent Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cilium-agent image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cilium-agent
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cilium-agent
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cilium-agent --
diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-relay/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-hubble-relay/provenance_info.md
index 72025f78b6..4c71dfbd42 100644
--- a/content/chainguard/chainguard-images/reference/cilium-hubble-relay/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cilium-hubble-relay/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cilium-hubble-relay Image Signatures
 The **cilium-hubble-relay** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cilium-hubble-relay Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cilium-hubble-relay image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-relay image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cilium-hubble-relay | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cilium-hubble-relay | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cilium-hubble-relay Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cilium-hubble-relay image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cilium-hubble-relay
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cilium-hubble-relay
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cilium-hubble-relay --
diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/provenance_info.md
index 6bcbec6de2..f239e9cc1e 100644
--- a/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cilium-hubble-ui-backend Image Signatures
 The **cilium-hubble-ui-backend** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading cilium-hubble-ui-backend Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the cilium-hubble-ui-backend image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-ui-backend image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/cilium-hubble-ui-backend | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/cilium-hubble-ui-backend | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying cilium-hubble-ui-backend Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the cilium-hubble-ui-backend image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/cilium-hubble-ui-backend +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/cilium-hubble-ui-backend ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/cilium-hubble-ui-backend -- diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-ui/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-hubble-ui/provenance_info.md index 7f8dd08ee9..b8e1aa2460 100644 --- a/content/chainguard/chainguard-images/reference/cilium-hubble-ui/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cilium-hubble-ui/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cilium-hubble-ui Image Signatures
 The **cilium-hubble-ui** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cilium-hubble-ui Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cilium-hubble-ui image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-ui image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cilium-hubble-ui | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cilium-hubble-ui | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cilium-hubble-ui Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cilium-hubble-ui image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cilium-hubble-ui
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cilium-hubble-ui
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cilium-hubble-ui --
diff --git a/content/chainguard/chainguard-images/reference/cilium-operator-generic/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-operator-generic/provenance_info.md
index 6c60d255f6..ce762af951 100644
--- a/content/chainguard/chainguard-images/reference/cilium-operator-generic/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cilium-operator-generic/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cilium-operator-generic Image Signatures
 The **cilium-operator-generic** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cilium-operator-generic Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cilium-operator-generic image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-operator-generic image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cilium-operator-generic | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cilium-operator-generic | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cilium-operator-generic Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cilium-operator-generic image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cilium-operator-generic
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cilium-operator-generic
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cilium-operator-generic --
diff --git a/content/chainguard/chainguard-images/reference/clang/provenance_info.md b/content/chainguard/chainguard-images/reference/clang/provenance_info.md
index 54727de436..3d398cdc7f 100644
--- a/content/chainguard/chainguard-images/reference/clang/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/clang/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying clang Image Signatures
 The **clang** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading clang Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the clang image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the clang image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/clang | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/clang | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying clang Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the clang image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/clang
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/clang
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/clang --
diff --git a/content/chainguard/chainguard-images/reference/cluster-autoscaler/provenance_info.md b/content/chainguard/chainguard-images/reference/cluster-autoscaler/provenance_info.md
index 5fd7de816f..7a1f878a6e 100644
--- a/content/chainguard/chainguard-images/reference/cluster-autoscaler/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cluster-autoscaler/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cluster-autoscaler Image Signatures
 The **cluster-autoscaler** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cluster-autoscaler Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cluster-autoscaler image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cluster-autoscaler image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cluster-autoscaler | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cluster-autoscaler | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cluster-autoscaler Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cluster-autoscaler image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cluster-autoscaler
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cluster-autoscaler
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cluster-autoscaler --
diff --git a/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/provenance_info.md b/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/provenance_info.md
index abf9d501b3..124edd262e 100644
--- a/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cluster-proportional-autoscaler Image Signatures
 The **cluster-proportional-autoscaler** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cluster-proportional-autoscaler Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cluster-proportional-autoscaler image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cluster-proportional-autoscaler image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cluster-proportional-autoscaler | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cluster-proportional-autoscaler | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag.
You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cluster-proportional-autoscaler Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cluster-proportional-autoscaler image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cluster-proportional-autoscaler
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cluster-proportional-autoscaler
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cluster-proportional-autoscaler --
diff --git a/content/chainguard/chainguard-images/reference/conda/provenance_info.md b/content/chainguard/chainguard-images/reference/conda/provenance_info.md
index a800b3dd7d..30c3a2fe0f 100644
--- a/content/chainguard/chainguard-images/reference/conda/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/conda/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying conda Image Signatures
 The **conda** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading conda Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the conda image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the conda image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/conda | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/conda | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying conda Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the conda image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/conda
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/conda
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/conda --
diff --git a/content/chainguard/chainguard-images/reference/configmap-reload/provenance_info.md b/content/chainguard/chainguard-images/reference/configmap-reload/provenance_info.md
index 0a9f3a2006..17e51f5c10 100644
--- a/content/chainguard/chainguard-images/reference/configmap-reload/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/configmap-reload/provenance_info.md
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying configmap-reload Image Signatures The **configmap-reload** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading configmap-reload Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the configmap-reload image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the configmap-reload image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/configmap-reload | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/configmap-reload | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying configmap-reload Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the configmap-reload image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/configmap-reload
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/configmap-reload
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/configmap-reload --
diff --git a/content/chainguard/chainguard-images/reference/consul/provenance_info.md b/content/chainguard/chainguard-images/reference/consul/provenance_info.md
index ac6c597fad..9446130df9 100644
--- a/content/chainguard/chainguard-images/reference/consul/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/consul/provenance_info.md
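Review bot: The new download example passes `--platform=unix/amd64` (and the prose says "on `unix/amd64`"), but `unix` is not an OS value that appears in OCI image-index platforms — this same file's removed verify-attestation line used `linux/amd64` — so cosign will most likely report that no manifest matches the platform and the command fails; change it to `+    --platform=linux/amd64 \` and fix the prose to match. The rewritten `cosign verify-attestation` block also drops `--platform=linux/amd64`, so on a multi-arch image it presumably verifies attestations attached to the index digest rather than the per-platform manifest the download step fetched; if that is intended, a one-line note saying which digest is being verified, and that `--platform` can be added to target a specific architecture, would keep the two sections consistent. The same `unix/amd64` value and dropped `--platform` appear in the corresponding hunks for consul, coredns, cosign, crane, crossplane-aws-cloudfront, crossplane-aws-cloudwatchlogs and crossplane-aws-dynamodb, which suggests the generator template needs the fix rather than each page.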
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying consul Image Signatures
 The **consul** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading consul Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the consul image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the consul image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/consul | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/consul | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying consul Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the consul image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/consul
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/consul
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/consul --
diff --git a/content/chainguard/chainguard-images/reference/coredns/provenance_info.md b/content/chainguard/chainguard-images/reference/coredns/provenance_info.md
index 2deb100cb1..212d3ab179 100644
--- a/content/chainguard/chainguard-images/reference/coredns/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/coredns/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying coredns Image Signatures
 The **coredns** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading coredns Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the coredns image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the coredns image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/coredns | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/coredns | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying coredns Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the coredns image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/coredns
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/coredns
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/coredns --
diff --git a/content/chainguard/chainguard-images/reference/cosign/provenance_info.md b/content/chainguard/chainguard-images/reference/cosign/provenance_info.md
index 23bcd1e487..6c937fe188 100644
--- a/content/chainguard/chainguard-images/reference/cosign/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/cosign/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying cosign Image Signatures
 The **cosign** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading cosign Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the cosign image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cosign image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/cosign | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/cosign | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying cosign Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the cosign image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/cosign
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/cosign
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/cosign --
diff --git a/content/chainguard/chainguard-images/reference/cosign/tags_history.md b/content/chainguard/chainguard-images/reference/cosign/tags_history.md
index 5959876279..1940da319b 100644
--- a/content/chainguard/chainguard-images/reference/cosign/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/cosign/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 7th | `sha256:331f7005c2706a104d63b85a4a2eef64f20b60636971164e4d88291cc9bc95ab` |
-| `latest` | November 3rd | `sha256:cf7c64f2458ebd047576916af28c9cd7bc0c50fd81ff3fc182f77bc0c0a40ec4` |
+| `latest` | November 8th | `sha256:e0ee4f3dc3479cc100740a9dc10a76d11910a94b3d86efe2b5535c8262091025` |
+| `latest-dev` | November 8th | `sha256:e732cdd013317336b9f27a71ac3f1e848793bbacb17f8e02b53a8afbc1e3593c` |
diff --git a/content/chainguard/chainguard-images/reference/crane/provenance_info.md b/content/chainguard/chainguard-images/reference/crane/provenance_info.md
index 3bb0b57d20..18af13a286 100644
--- a/content/chainguard/chainguard-images/reference/crane/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crane/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crane Image Signatures
 The **crane** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crane Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crane image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crane image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crane | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crane | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crane Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crane image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crane
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crane
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crane --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/provenance_info.md
index 76d645351f..773bc91bd3 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-cloudfront Image Signatures
 The **crossplane-aws-cloudfront** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-cloudfront Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-cloudfront image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-cloudfront image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-cloudfront | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-cloudfront | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-cloudfront Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-cloudfront image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-cloudfront
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-cloudfront
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-cloudfront --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/provenance_info.md
index b57d7fa22b..5849872d08 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-cloudwatchlogs Image Signatures
 The **crossplane-aws-cloudwatchlogs** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-cloudwatchlogs Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-cloudwatchlogs image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-cloudwatchlogs image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-cloudwatchlogs | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-cloudwatchlogs | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-cloudwatchlogs Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-cloudwatchlogs image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-cloudwatchlogs
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-cloudwatchlogs
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-cloudwatchlogs --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/provenance_info.md
index 870c2e6628..61c6ddac2f 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-dynamodb Image Signatures
 The **crossplane-aws-dynamodb** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-dynamodb Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-dynamodb image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-dynamodb image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-dynamodb | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-dynamodb | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-dynamodb Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-dynamodb image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-dynamodb
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-dynamodb
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-dynamodb --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/provenance_info.md
index 4e482d5cec..9096d7aa5b 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-ec2 Image Signatures
 The **crossplane-aws-ec2** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-ec2 Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-ec2 image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-ec2 image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-ec2 | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-ec2 | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-ec2 Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-ec2 image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-ec2
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-ec2
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-ec2 --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-eks/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-eks/provenance_info.md
index 17fa68863b..0c56af36a6 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-eks/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-eks/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-eks Image Signatures
 The **crossplane-aws-eks** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-eks Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-eks image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-eks image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-eks | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-eks | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-eks Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-eks image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-eks
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-eks
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-eks --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/provenance_info.md
index 0c4c2fbfa1..3e7cde58da 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-firehose Image Signatures
 The **crossplane-aws-firehose** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-firehose Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-firehose image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-firehose image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-firehose | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-firehose | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-firehose Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-firehose image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-firehose
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-firehose
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-firehose --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-iam/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-iam/provenance_info.md
index 801ab25707..09b36cf8f7 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-iam/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-iam/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-iam Image Signatures
 The **crossplane-aws-iam** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-iam Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-iam image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-iam image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-iam | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-iam | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-iam Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-iam image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-iam
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-iam
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-iam --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-kms/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-kms/provenance_info.md
index 71c8d4dbc1..3a689b7003 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-kms/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-kms/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-kms Image Signatures
 The **crossplane-aws-kms** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-kms Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-kms image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-kms image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-kms | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-kms | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-kms Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-kms image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-kms
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-kms
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-kms --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/provenance_info.md
index bc9d39c091..62e54df9ef 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-lambda Image Signatures
 The **crossplane-aws-lambda** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-lambda Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-lambda image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-lambda image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-lambda | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-lambda | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-lambda Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-lambda image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-lambda
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-lambda
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-lambda --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-rds/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-rds/provenance_info.md
index 05c4691b48..3fb6c26a43 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-rds/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-rds/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-rds Image Signatures
 The **crossplane-aws-rds** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-rds Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-rds image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-rds image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-rds | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-rds | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-rds Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-rds image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-rds
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-rds
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-rds --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-s3/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-s3/provenance_info.md
index 83ecec5473..a3e59b6b43 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-s3/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-s3/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-s3 Image Signatures
 The **crossplane-aws-s3** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-s3 Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-s3 image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-s3 image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-s3 | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-s3 | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-s3 Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-s3 image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-s3
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-s3
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-s3 --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-sns/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-sns/provenance_info.md
index d323af49cd..2e99da0521 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-sns/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-sns/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-sns Image Signatures
 The **crossplane-aws-sns** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-sns Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-sns image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-sns image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-sns | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-sns | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-sns Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-sns image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-sns
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-sns
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-sns --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/provenance_info.md
index ff67d05f21..00b17e510c 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws-sqs Image Signatures
 The **crossplane-aws-sqs** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws-sqs Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws-sqs image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-sqs image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws-sqs | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws-sqs | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws-sqs Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws-sqs image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws-sqs
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws-sqs
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws-sqs --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws/provenance_info.md
index 954d7348ae..f64869386c 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-aws/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-aws/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-aws Image Signatures
 The **crossplane-aws** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-aws Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-aws image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-aws | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-aws | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-aws Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-aws image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-aws
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-aws
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-aws --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/provenance_info.md
index 6c5af49eed..d7b03be7a9 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-azure-authorization Image Signatures
 The **crossplane-azure-authorization** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-azure-authorization Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-azure-authorization image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-authorization image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-azure-authorization | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-azure-authorization | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-azure-authorization Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-azure-authorization image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-azure-authorization
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-azure-authorization
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-azure-authorization --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/provenance_info.md
index d98fb5e4a2..2a3d058eb6 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-azure-managedidentity Image Signatures
 The **crossplane-azure-managedidentity** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading crossplane-azure-managedidentity Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the crossplane-azure-managedidentity image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-managedidentity image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/crossplane-azure-managedidentity | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/crossplane-azure-managedidentity | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying crossplane-azure-managedidentity Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the crossplane-azure-managedidentity image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/crossplane-azure-managedidentity
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/crossplane-azure-managedidentity
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/crossplane-azure-managedidentity --
diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-sql/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure-sql/provenance_info.md
index b1b61293ab..2696195d75 100644
--- a/content/chainguard/chainguard-images/reference/crossplane-azure-sql/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/crossplane-azure-sql/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying crossplane-azure-sql Image Signatures
 The **crossplane-azure-sql** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading crossplane-azure-sql Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the crossplane-azure-sql image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-sql image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/crossplane-azure-sql | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/crossplane-azure-sql | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying crossplane-azure-sql Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the crossplane-azure-sql image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/crossplane-azure-sql +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/crossplane-azure-sql ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/crossplane-azure-sql -- diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-storage/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure-storage/provenance_info.md index f887a8a7b3..7193d45db0 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-storage/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-storage/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying crossplane-azure-storage Image Signatures The **crossplane-azure-storage** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading crossplane-azure-storage Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the crossplane-azure-storage image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-storage image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/crossplane-azure-storage | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/crossplane-azure-storage | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying crossplane-azure-storage Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the crossplane-azure-storage image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/crossplane-azure-storage +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/crossplane-azure-storage ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/crossplane-azure-storage -- diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure/provenance_info.md index 127513b7ea..a46f289cbb 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying crossplane-azure Image Signatures The **crossplane-azure** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading crossplane-azure Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the crossplane-azure image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/crossplane-azure | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/crossplane-azure | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying crossplane-azure Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the crossplane-azure image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/crossplane-azure +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/crossplane-azure ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/crossplane-azure -- diff --git a/content/chainguard/chainguard-images/reference/crossplane-xfn/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-xfn/provenance_info.md index 15fca0bae6..3ac31fded9 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-xfn/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-xfn/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying crossplane-xfn Image Signatures The **crossplane-xfn** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading crossplane-xfn Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the crossplane-xfn image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-xfn image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/crossplane-xfn | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/crossplane-xfn | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying crossplane-xfn Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the crossplane-xfn image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/crossplane-xfn +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/crossplane-xfn ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/crossplane-xfn -- diff --git a/content/chainguard/chainguard-images/reference/crossplane-xfn/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-xfn/tags_history.md index 5d9824a6d9..34d6b5b738 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-xfn/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-xfn/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 7th | `sha256:07957082d1ba09db89099a3854228b3d31438857ab3bcad731b7736d2433a319` | -| `latest` | November 1st | `sha256:685ef520217e92b67f3ec1c61311bae830be99dff7b6c245383321d7a22cd78b` | +| `latest-dev` | November 8th | `sha256:130e60027c70d5aaecfd0a1f7b74fa72e9db26854e7b597d969fbca76f07546c` | +| `latest` | November 8th | `sha256:12d67ff5b1ae93d716e47f0cf19f29aa13c62af4700c8243c4a4781de978de4e` | diff --git a/content/chainguard/chainguard-images/reference/crossplane/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane/provenance_info.md index 75ece743be..1b9699cb2b 100644 --- a/content/chainguard/chainguard-images/reference/crossplane/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying crossplane Image Signatures The **crossplane** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading crossplane Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the crossplane image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/crossplane | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/crossplane | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying crossplane Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the crossplane image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/crossplane +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/crossplane ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/crossplane -- diff --git a/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/provenance_info.md b/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/provenance_info.md index 72eb76a0e3..a5865c0023 100644 --- a/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying ctlog-trillian-ctserver Image Signatures The **ctlog-trillian-ctserver** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading ctlog-trillian-ctserver Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the ctlog-trillian-ctserver image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ctlog-trillian-ctserver image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/ctlog-trillian-ctserver | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/ctlog-trillian-ctserver | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying ctlog-trillian-ctserver Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the ctlog-trillian-ctserver image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/ctlog-trillian-ctserver +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/ctlog-trillian-ctserver ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/ctlog-trillian-ctserver -- diff --git a/content/chainguard/chainguard-images/reference/curl/provenance_info.md b/content/chainguard/chainguard-images/reference/curl/provenance_info.md index 8a04700e15..c5170cb4f2 100644 --- a/content/chainguard/chainguard-images/reference/curl/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/curl/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying curl Image Signatures The **curl** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading curl Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the curl image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the curl image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/curl | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/curl | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying curl Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the curl image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/curl +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/curl ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/curl -- diff --git a/content/chainguard/chainguard-images/reference/dask-gateway-server/provenance_info.md b/content/chainguard/chainguard-images/reference/dask-gateway-server/provenance_info.md index cace4dd62d..4c7b27622d 100644 --- a/content/chainguard/chainguard-images/reference/dask-gateway-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dask-gateway-server/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying dask-gateway-server Image Signatures The **dask-gateway-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading dask-gateway-server Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the dask-gateway-server image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dask-gateway-server image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/dask-gateway-server | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/dask-gateway-server | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying dask-gateway-server Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the dask-gateway-server image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/dask-gateway-server +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/dask-gateway-server ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/dask-gateway-server -- diff --git a/content/chainguard/chainguard-images/reference/dask-gateway/provenance_info.md b/content/chainguard/chainguard-images/reference/dask-gateway/provenance_info.md index 5e34179f74..7c8bfaadf8 100644 --- a/content/chainguard/chainguard-images/reference/dask-gateway/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dask-gateway/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying dask-gateway Image Signatures The **dask-gateway** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading dask-gateway Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the dask-gateway image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dask-gateway image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/dask-gateway | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/dask-gateway | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying dask-gateway Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the dask-gateway image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/dask-gateway +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/dask-gateway ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/dask-gateway -- diff --git a/content/chainguard/chainguard-images/reference/deno/provenance_info.md b/content/chainguard/chainguard-images/reference/deno/provenance_info.md index 0fa0ef4aee..ae801ed25f 100644 --- a/content/chainguard/chainguard-images/reference/deno/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/deno/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying deno Image Signatures The **deno** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading deno Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the deno image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the deno image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/deno | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/deno | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying deno Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the deno image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/deno +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/deno ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/deno -- diff --git a/content/chainguard/chainguard-images/reference/dex/provenance_info.md b/content/chainguard/chainguard-images/reference/dex/provenance_info.md index 217e97ce8e..eb049e7c70 100644 --- a/content/chainguard/chainguard-images/reference/dex/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dex/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying dex Image Signatures The **dex** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading dex Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the dex image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dex image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/dex | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/dex | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying dex Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the dex image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/dex +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/dex ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/dex -- diff --git a/content/chainguard/chainguard-images/reference/dive/provenance_info.md b/content/chainguard/chainguard-images/reference/dive/provenance_info.md index 8a607474fa..13e28ab4d6 100644 --- a/content/chainguard/chainguard-images/reference/dive/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dive/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying dive Image Signatures The **dive** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading dive Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the dive image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dive image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/dive | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/dive | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying dive Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the dive image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/dive +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/dive ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/dive -- diff --git a/content/chainguard/chainguard-images/reference/dotnet-runtime/provenance_info.md b/content/chainguard/chainguard-images/reference/dotnet-runtime/provenance_info.md index a5e1981df2..bdd4c51732 100644 --- a/content/chainguard/chainguard-images/reference/dotnet-runtime/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dotnet-runtime/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying dotnet-runtime Image Signatures The **dotnet-runtime** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading dotnet-runtime Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the dotnet-runtime image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dotnet-runtime image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/dotnet-runtime | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/dotnet-runtime | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying dotnet-runtime Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the dotnet-runtime image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/dotnet-runtime +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/dotnet-runtime ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/dotnet-runtime -- diff --git a/content/chainguard/chainguard-images/reference/dotnet-sdk/provenance_info.md b/content/chainguard/chainguard-images/reference/dotnet-sdk/provenance_info.md index 341828a6c1..ebb52a92c4 100644 --- a/content/chainguard/chainguard-images/reference/dotnet-sdk/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dotnet-sdk/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying dotnet-sdk Image Signatures The **dotnet-sdk** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading dotnet-sdk Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the dotnet-sdk image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dotnet-sdk image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/dotnet-sdk | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/dotnet-sdk | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying dotnet-sdk Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the dotnet-sdk image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/dotnet-sdk +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/dotnet-sdk ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/dotnet-sdk -- diff --git a/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/provenance_info.md b/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/provenance_info.md index fc1666075e..a0ab3417b5 100644 --- a/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying dynamic-localpv-provisioner Image Signatures The **dynamic-localpv-provisioner** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading dynamic-localpv-provisioner Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the dynamic-localpv-provisioner image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dynamic-localpv-provisioner image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/dynamic-localpv-provisioner | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/dynamic-localpv-provisioner | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying dynamic-localpv-provisioner Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the dynamic-localpv-provisioner image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/dynamic-localpv-provisioner
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/dynamic-localpv-provisioner
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/dynamic-localpv-provisioner
 --
diff --git a/content/chainguard/chainguard-images/reference/envoy-ratelimit/provenance_info.md b/content/chainguard/chainguard-images/reference/envoy-ratelimit/provenance_info.md
index 54c4a1dc8d..c1c79a81fd 100644
--- a/content/chainguard/chainguard-images/reference/envoy-ratelimit/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/envoy-ratelimit/provenance_info.md
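Review bot: The download example added in the `@@ -32,29 +32,41 @@` hunk passes `--platform=unix/amd64`, which is not a valid OCI platform string, and the prose repeats it as "on `unix/amd64`"; the `--platform=linux/amd64` value that this same hunk removes from the `cosign verify-attestation` command is the correct form, so the new line should read `--platform=linux/amd64 \` and the prose `linux/amd64`. The identical value appears in the matching hunks for envoy-ratelimit, envoy, etcd, external-dns, external-secrets, falcoctl and ffmpeg (L256, L259, L262, L265, L268, L271, L274), and presumably across the rest of the generated set. Separately, dropping `--platform` from the verify-attestation command while the download command now requires one means the two examples likely no longer address the same artifact on a multi-arch image (index-level versus per-platform attestation); either keep `--platform` on both or say in the prose which attestation the verify step covers.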
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying envoy-ratelimit Image Signatures
 The **envoy-ratelimit** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading envoy-ratelimit Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the envoy-ratelimit image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the envoy-ratelimit image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/envoy-ratelimit | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/envoy-ratelimit | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying envoy-ratelimit Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the envoy-ratelimit image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/envoy-ratelimit
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/envoy-ratelimit
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/envoy-ratelimit
 --
diff --git a/content/chainguard/chainguard-images/reference/envoy/provenance_info.md b/content/chainguard/chainguard-images/reference/envoy/provenance_info.md
index e8062c10e7..fb9a68766c 100644
--- a/content/chainguard/chainguard-images/reference/envoy/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/envoy/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying envoy Image Signatures
 The **envoy** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading envoy Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the envoy image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the envoy image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/envoy | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/envoy | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying envoy Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the envoy image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/envoy
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/envoy
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/envoy
 --
diff --git a/content/chainguard/chainguard-images/reference/etcd/provenance_info.md b/content/chainguard/chainguard-images/reference/etcd/provenance_info.md
index f76c7a8e0e..86bc7829ba 100644
--- a/content/chainguard/chainguard-images/reference/etcd/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/etcd/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying etcd Image Signatures
 The **etcd** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading etcd Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the etcd image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the etcd image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/etcd | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/etcd | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying etcd Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the etcd image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/etcd
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/etcd
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/etcd
 --
diff --git a/content/chainguard/chainguard-images/reference/external-dns/provenance_info.md b/content/chainguard/chainguard-images/reference/external-dns/provenance_info.md
index 7ce7fe767b..b454391d90 100644
--- a/content/chainguard/chainguard-images/reference/external-dns/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/external-dns/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying external-dns Image Signatures
 The **external-dns** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading external-dns Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the external-dns image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the external-dns image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/external-dns | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/external-dns | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying external-dns Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the external-dns image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/external-dns
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/external-dns
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/external-dns
 --
diff --git a/content/chainguard/chainguard-images/reference/external-secrets/provenance_info.md b/content/chainguard/chainguard-images/reference/external-secrets/provenance_info.md
index 863a9e0d13..1a202c5989 100644
--- a/content/chainguard/chainguard-images/reference/external-secrets/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/external-secrets/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying external-secrets Image Signatures
 The **external-secrets** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading external-secrets Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the external-secrets image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the external-secrets image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/external-secrets | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/external-secrets | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying external-secrets Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the external-secrets image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/external-secrets
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/external-secrets
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/external-secrets
 --
diff --git a/content/chainguard/chainguard-images/reference/falcoctl/provenance_info.md b/content/chainguard/chainguard-images/reference/falcoctl/provenance_info.md
index c8c9f63c1f..72cff9235c 100644
--- a/content/chainguard/chainguard-images/reference/falcoctl/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/falcoctl/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying falcoctl Image Signatures
 The **falcoctl** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading falcoctl Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the falcoctl image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the falcoctl image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/falcoctl | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/falcoctl | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying falcoctl Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the falcoctl image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/falcoctl
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/falcoctl
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/falcoctl
 --
diff --git a/content/chainguard/chainguard-images/reference/ffmpeg/provenance_info.md b/content/chainguard/chainguard-images/reference/ffmpeg/provenance_info.md
index 987f5cd87c..5e22462ebc 100644
--- a/content/chainguard/chainguard-images/reference/ffmpeg/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/ffmpeg/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying ffmpeg Image Signatures
 The **ffmpeg** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading ffmpeg Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the ffmpeg image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ffmpeg image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/ffmpeg | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/ffmpeg | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying ffmpeg Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the ffmpeg image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/ffmpeg +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/ffmpeg ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/ffmpeg -- diff --git a/content/chainguard/chainguard-images/reference/fluent-bit/provenance_info.md b/content/chainguard/chainguard-images/reference/fluent-bit/provenance_info.md index 6d47887963..f3fd137f7e 100644 --- a/content/chainguard/chainguard-images/reference/fluent-bit/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/fluent-bit/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying fluent-bit Image Signatures The **fluent-bit** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading fluent-bit Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the fluent-bit image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fluent-bit image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/fluent-bit | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/fluent-bit | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying fluent-bit Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the fluent-bit image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/fluent-bit +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/fluent-bit ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/fluent-bit -- diff --git a/content/chainguard/chainguard-images/reference/fluentd/provenance_info.md b/content/chainguard/chainguard-images/reference/fluentd/provenance_info.md index f851fc7964..50f5351f3e 100644 --- a/content/chainguard/chainguard-images/reference/fluentd/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/fluentd/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying fluentd Image Signatures The **fluentd** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading fluentd Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the fluentd image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fluentd image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/fluentd | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/fluentd | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying fluentd Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the fluentd image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/fluentd +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/fluentd ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/fluentd -- diff --git a/content/chainguard/chainguard-images/reference/fluentd/tags_history.md b/content/chainguard/chainguard-images/reference/fluentd/tags_history.md index a5c269b04e..94e511fc2d 100644 --- a/content/chainguard/chainguard-images/reference/fluentd/tags_history.md +++ b/content/chainguard/chainguard-images/reference/fluentd/tags_history.md 
@@ -25,8 +25,8 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |----------------------|--------------|---------------------------------------------------------------------------| +| `latest-splunk-dev` | November 8th | `sha256:1767ade6b9ab48aee4bfd55179debe6c171270d9487b3665555e4d53255611fd` | +| `latest-splunk` | November 8th | `sha256:eb02e4092b7dbb428f861936fa76f61bdb7dd8e816b1eb8648989c0eba3a95d8` | | `latest` | November 7th | `sha256:139e8a2cb19b155f4a8788ff27f27b26fdfeb8a3d86554d98b11dd75ccf62c3f` | | `latest-dev` | November 7th | `sha256:74e76cdb69f68052689e5c8f974effa28e45d6b5d0bc95fd174504716f64c91a` | -| `latest-splunk-dev` | November 7th | `sha256:1af123e251b09d53d6dd09cd5dcd18f8d818e761dd7633e537e8969184228b0e` | -| `latest-splunk` | November 7th | `sha256:bbe9534c8a5a6a48fff9fce5dbe94b44c8aeb50db98dcac5bc4f3b2c6c26ab90` | diff --git a/content/chainguard/chainguard-images/reference/flux-helm-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-helm-controller/provenance_info.md index d97b1e81f6..3e68038192 100644 --- a/content/chainguard/chainguard-images/reference/flux-helm-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-helm-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying flux-helm-controller Image Signatures The **flux-helm-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading flux-helm-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the flux-helm-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-helm-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/flux-helm-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/flux-helm-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying flux-helm-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the flux-helm-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/flux-helm-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/flux-helm-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/flux-helm-controller -- diff --git a/content/chainguard/chainguard-images/reference/flux-image-automation-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-image-automation-controller/provenance_info.md index ef09f954d5..3614aa63d1 100644 --- a/content/chainguard/chainguard-images/reference/flux-image-automation-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-image-automation-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying flux-image-automation-controller Image Signatures The **flux-image-automation-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading flux-image-automation-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the flux-image-automation-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-image-automation-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/flux-image-automation-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/flux-image-automation-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying flux-image-automation-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the flux-image-automation-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/flux-image-automation-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/flux-image-automation-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/flux-image-automation-controller -- diff --git a/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/provenance_info.md index 0c98d4a373..8523a21fd8 100644 --- a/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying flux-image-reflector-controller Image Signatures The **flux-image-reflector-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading flux-image-reflector-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the flux-image-reflector-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-image-reflector-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/flux-image-reflector-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/flux-image-reflector-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying flux-image-reflector-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the flux-image-reflector-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/flux-image-reflector-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/flux-image-reflector-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/flux-image-reflector-controller -- diff --git a/content/chainguard/chainguard-images/reference/flux-kustomize-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-kustomize-controller/provenance_info.md index dceb584f6b..9d933cf0ef 100644 --- a/content/chainguard/chainguard-images/reference/flux-kustomize-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-kustomize-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying flux-kustomize-controller Image Signatures The **flux-kustomize-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading flux-kustomize-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the flux-kustomize-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-kustomize-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/flux-kustomize-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/flux-kustomize-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying flux-kustomize-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the flux-kustomize-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/flux-kustomize-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/flux-kustomize-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/flux-kustomize-controller -- diff --git a/content/chainguard/chainguard-images/reference/flux-notification-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-notification-controller/provenance_info.md index 43053108f6..cd995c48b1 100644 --- a/content/chainguard/chainguard-images/reference/flux-notification-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-notification-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying flux-notification-controller Image Signatures The **flux-notification-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading flux-notification-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the flux-notification-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-notification-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/flux-notification-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/flux-notification-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying flux-notification-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the flux-notification-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/flux-notification-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/flux-notification-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/flux-notification-controller -- diff --git a/content/chainguard/chainguard-images/reference/flux-source-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-source-controller/provenance_info.md index 7058cb52c3..61a9d9655d 100644 --- a/content/chainguard/chainguard-images/reference/flux-source-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-source-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying flux-source-controller Image Signatures The **flux-source-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading flux-source-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the flux-source-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-source-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/flux-source-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/flux-source-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying flux-source-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the flux-source-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/flux-source-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/flux-source-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/flux-source-controller -- diff --git a/content/chainguard/chainguard-images/reference/flux/provenance_info.md b/content/chainguard/chainguard-images/reference/flux/provenance_info.md index 74d1899b41..5484061aa4 100644 --- a/content/chainguard/chainguard-images/reference/flux/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying flux Image Signatures The **flux** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading flux Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the flux image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/flux | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/flux | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying flux Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the flux image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/flux +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/flux ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/flux -- diff --git a/content/chainguard/chainguard-images/reference/fulcio/provenance_info.md b/content/chainguard/chainguard-images/reference/fulcio/provenance_info.md index 15a96df7e8..c0a7b050fc 100644 --- a/content/chainguard/chainguard-images/reference/fulcio/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/fulcio/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying fulcio Image Signatures The **fulcio** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading fulcio Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the fulcio image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fulcio image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/fulcio | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/fulcio | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying fulcio Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the fulcio image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/fulcio +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/fulcio ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/fulcio -- diff --git a/content/chainguard/chainguard-images/reference/gatekeeper/provenance_info.md b/content/chainguard/chainguard-images/reference/gatekeeper/provenance_info.md index 1b9621208b..373fbf1678 100644 --- a/content/chainguard/chainguard-images/reference/gatekeeper/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gatekeeper/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying gatekeeper Image Signatures The **gatekeeper** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading gatekeeper Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the gatekeeper image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gatekeeper image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/gatekeeper | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/gatekeeper | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying gatekeeper Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the gatekeeper image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/gatekeeper +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/gatekeeper ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/gatekeeper -- diff --git a/content/chainguard/chainguard-images/reference/gcc-glibc/provenance_info.md b/content/chainguard/chainguard-images/reference/gcc-glibc/provenance_info.md index 085a1ed8fb..592b265c81 100644 --- a/content/chainguard/chainguard-images/reference/gcc-glibc/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gcc-glibc/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying gcc-glibc Image Signatures The **gcc-glibc** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading gcc-glibc Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the gcc-glibc image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gcc-glibc image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/gcc-glibc | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/gcc-glibc | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying gcc-glibc Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the gcc-glibc image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/gcc-glibc +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/gcc-glibc ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/gcc-glibc -- diff --git a/content/chainguard/chainguard-images/reference/git/provenance_info.md b/content/chainguard/chainguard-images/reference/git/provenance_info.md index 454566ed77..e3f8b2348d 100644 --- a/content/chainguard/chainguard-images/reference/git/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/git/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying git Image Signatures The **git** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading git Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the git image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the git image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/git | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/git | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying git Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the git image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/git +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/git ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/git -- diff --git a/content/chainguard/chainguard-images/reference/git/tags_history.md b/content/chainguard/chainguard-images/reference/git/tags_history.md index 7e84aaa36c..a57ca7a13b 100644 --- a/content/chainguard/chainguard-images/reference/git/tags_history.md +++ b/content/chainguard/chainguard-images/reference/git/tags_history.md 
@@ -25,10 +25,10 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |--------------------------|--------------|---------------------------------------------------------------------------| -| `latest-root` | November 7th | `sha256:1302d8d9e5fd9676ba5dde01fe19936839051f06d1da37acf9a12fc3b9cfd599` | -| `latest-dev` | November 7th | `sha256:42f879d1936d403e40dc918d79bc59427e616316894f950d9c434f3641b34374` | -| `latest-root-dev` | November 7th | `sha256:5f1420adabe1a7d2bf75510c697429351bf59a8c68dad379bceec3c511cf219a` | -| `latest` | November 7th | `sha256:ccc07c3c3141ef68fd008593d0ad694141c497cb10ab853aae50c752f4b465d1` | +| `latest-root-dev` | November 8th | `sha256:b969be2fda23a14046a4606df538a4f3a8d8b71f0140ee5e45708b5e87c40e84` | +| `latest-root` | November 8th | `sha256:000915c2b501398e6599f6d4b7dc86907f517d11046a43920cb59a8178bc6a69` | +| `latest` | November 8th | `sha256:1bf68691ace95197ea13bbd9e42a03431ea6bda02b5918a2bf1b721bf130aac8` | +| `latest-dev` | November 8th | `sha256:1d80374e81656083971cdd41672806407addfd60f5124f0b8b8c5824dddd21f1` | | `latest-glibc-dev` | November 7th | `sha256:b9f35cc9ba8d502ac2c41058b01f64a065eba4b479eb73dfda589b109d52bead` | | `latest-glibc-root` | November 7th | `sha256:7b8cc2438ec722123981e158905c5f51e071b969559a22539ee5550f24e64d8c` | | `latest-glibc` | November 7th | `sha256:1b8cab44e875a98241980fc93bb78c9083149582a88d7fb07225259be5f269b0` | diff --git a/content/chainguard/chainguard-images/reference/gitlab-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/gitlab-exporter/provenance_info.md index 51508b495f..3a65bb6307 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitlab-exporter/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying gitlab-exporter Image Signatures The **gitlab-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading gitlab-exporter Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the gitlab-exporter image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-exporter image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/gitlab-exporter | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/gitlab-exporter | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying gitlab-exporter Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the gitlab-exporter image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/gitlab-exporter +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/gitlab-exporter ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/gitlab-exporter -- diff --git a/content/chainguard/chainguard-images/reference/gitlab-kas/provenance_info.md b/content/chainguard/chainguard-images/reference/gitlab-kas/provenance_info.md index 54df52507f..ff6bded456 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-kas/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitlab-kas/provenance_info.md 
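Review bot: The new `cosign download attestation` example uses `--platform=unix/amd64` (and the prose says "on `unix/amd64`"), which is not a valid OCI platform string — the removed `verify-attestation` flag used `linux/amd64`, and cosign will not find a manifest in the image index for OS `unix`, so a reader following the page gets an error; the line should read `--platform=linux/amd64 \` with the prose changed to match. Since this section is generated, the fix belongs in the template so every provenance_info.md hunk in this diff picks it up. It is also worth a one-line caveat after the download command, e.g. "Note that `cosign download attestation` does not check any signature; verify the attestation (next section) before trusting its contents." Dropping `--platform` from the `verify-attestation` command presumably targets the index-level attestation rather than the per-architecture image; if attestations are attached per platform, that command may need `--platform=linux/amd64` restored as well — worth confirming against a real run before publishing.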
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying gitlab-kas Image Signatures The **gitlab-kas** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading gitlab-kas Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the gitlab-kas image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-kas image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/gitlab-kas | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/gitlab-kas | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying gitlab-kas Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the gitlab-kas image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/gitlab-kas +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/gitlab-kas ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/gitlab-kas -- diff --git a/content/chainguard/chainguard-images/reference/gitlab-pages/provenance_info.md b/content/chainguard/chainguard-images/reference/gitlab-pages/provenance_info.md index 9d28a3f8db..37a88dfe9b 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-pages/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitlab-pages/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying gitlab-pages Image Signatures The **gitlab-pages** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading gitlab-pages Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the gitlab-pages image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-pages image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/gitlab-pages | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/gitlab-pages | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying gitlab-pages Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the gitlab-pages image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/gitlab-pages +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/gitlab-pages ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/gitlab-pages -- diff --git a/content/chainguard/chainguard-images/reference/gitlab-shell/provenance_info.md b/content/chainguard/chainguard-images/reference/gitlab-shell/provenance_info.md index 7dae421d9a..a9004ffaff 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-shell/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitlab-shell/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying gitlab-shell Image Signatures The **gitlab-shell** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading gitlab-shell Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the gitlab-shell image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-shell image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/gitlab-shell | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/gitlab-shell | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying gitlab-shell Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the gitlab-shell image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/gitlab-shell +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/gitlab-shell ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/gitlab-shell -- diff --git a/content/chainguard/chainguard-images/reference/gitness/provenance_info.md b/content/chainguard/chainguard-images/reference/gitness/provenance_info.md index dd43d881f0..4279987184 100644 --- a/content/chainguard/chainguard-images/reference/gitness/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitness/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying gitness Image Signatures The **gitness** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading gitness Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the gitness image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitness image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/gitness | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/gitness | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying gitness Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the gitness image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/gitness +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/gitness ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/gitness -- diff --git a/content/chainguard/chainguard-images/reference/glibc-dynamic/provenance_info.md b/content/chainguard/chainguard-images/reference/glibc-dynamic/provenance_info.md index d202dd75bc..4747bb5f95 100644 --- a/content/chainguard/chainguard-images/reference/glibc-dynamic/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/glibc-dynamic/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying glibc-dynamic Image Signatures The **glibc-dynamic** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading glibc-dynamic Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the glibc-dynamic image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the glibc-dynamic image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/glibc-dynamic | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/glibc-dynamic | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying glibc-dynamic Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the glibc-dynamic image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/glibc-dynamic +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/glibc-dynamic ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/glibc-dynamic -- diff --git a/content/chainguard/chainguard-images/reference/go/provenance_info.md b/content/chainguard/chainguard-images/reference/go/provenance_info.md index 711054adbb..03ee376f5d 100644 --- a/content/chainguard/chainguard-images/reference/go/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/go/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying go Image Signatures The **go** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading go Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the go image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the go image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/go | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/go | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying go Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the go image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/go +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/go ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/go -- diff --git a/content/chainguard/chainguard-images/reference/go/tags_history.md b/content/chainguard/chainguard-images/reference/go/tags_history.md index 1e400c4deb..ead03e6169 100644 --- a/content/chainguard/chainguard-images/reference/go/tags_history.md +++ b/content/chainguard/chainguard-images/reference/go/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 7th | `sha256:72d4cfa52163be009786c6acbb8d676cea4b743b3288db52040df2d47ed7d151` | -| `latest` | November 7th | `sha256:dbe9e9dfc1e7c9cc206f0689dae344030b78e45f3328ffd96f7a880cd8f142a6` | +| `latest` | November 8th | `sha256:05c643e3683112900554f31bdfa7a351046d9ca77516af7366a8c276d1ec97f5` | +| `latest-dev` | November 8th | `sha256:8707f1538ffe840351e7e730ffe5d4dfa092f179df59a16024dc192e9ee5dd4f` | diff --git a/content/chainguard/chainguard-images/reference/google-cloud-sdk/provenance_info.md b/content/chainguard/chainguard-images/reference/google-cloud-sdk/provenance_info.md index b69f9b5174..61cea64f3d 100644 --- a/content/chainguard/chainguard-images/reference/google-cloud-sdk/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/google-cloud-sdk/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying google-cloud-sdk Image Signatures The **google-cloud-sdk** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading google-cloud-sdk Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the google-cloud-sdk image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the google-cloud-sdk image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/google-cloud-sdk | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/google-cloud-sdk | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying google-cloud-sdk Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the google-cloud-sdk image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/google-cloud-sdk
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/google-cloud-sdk
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/google-cloud-sdk --
diff --git a/content/chainguard/chainguard-images/reference/graalvm-native/provenance_info.md b/content/chainguard/chainguard-images/reference/graalvm-native/provenance_info.md
index 81314c5d02..3aacea944e 100644
--- a/content/chainguard/chainguard-images/reference/graalvm-native/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/graalvm-native/provenance_info.md
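Review bot: `--platform=unix/amd64` in the new `cosign download attestation` example (and the `unix/amd64` in the sentence introducing it) is not an OCI platform string — image-index platforms use Go OS names, and the removed `verify-attestation` lines in this same hunk used `linux/amd64` — so cosign is unlikely to find a matching manifest in a multi-arch index; the line should read `--platform=linux/amd64 \`. The identical text is generated into the graalvm-native, gradle, grype, guacamole-server, haproxy-ingress, haproxy and helm-chartmuseum hunks below (and the go hunk above, whose start is outside this chunk), so the fix belongs in the template rather than in each file. Separately, the rewritten `verify-attestation` block drops the `--platform=linux/amd64` flag while the download example keeps one; for a multi-arch tag that presumably verifies the attestation attached to the index digest rather than the per-platform image whose SBOM was just downloaded, which deserves a sentence such as `Pass --platform=linux/amd64 to verify the attestation attached to a single platform image instead of the index.`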
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying graalvm-native Image Signatures
 The **graalvm-native** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading graalvm-native Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the graalvm-native image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the graalvm-native image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/graalvm-native | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/graalvm-native | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying graalvm-native Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the graalvm-native image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/graalvm-native
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/graalvm-native
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/graalvm-native --
diff --git a/content/chainguard/chainguard-images/reference/gradle/provenance_info.md b/content/chainguard/chainguard-images/reference/gradle/provenance_info.md
index a4b70f27f9..73bc950eb6 100644
--- a/content/chainguard/chainguard-images/reference/gradle/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/gradle/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying gradle Image Signatures
 The **gradle** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading gradle Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the gradle image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gradle image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/gradle | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/gradle | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying gradle Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the gradle image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/gradle
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/gradle
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/gradle --
diff --git a/content/chainguard/chainguard-images/reference/grype/provenance_info.md b/content/chainguard/chainguard-images/reference/grype/provenance_info.md
index b3c9281280..5b61ca7ddf 100644
--- a/content/chainguard/chainguard-images/reference/grype/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/grype/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying grype Image Signatures
 The **grype** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading grype Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the grype image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the grype image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/grype | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/grype | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying grype Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the grype image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/grype
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/grype
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/grype --
diff --git a/content/chainguard/chainguard-images/reference/guacamole-server/provenance_info.md b/content/chainguard/chainguard-images/reference/guacamole-server/provenance_info.md
index 1abc4aa4c6..0d18c8ca43 100644
--- a/content/chainguard/chainguard-images/reference/guacamole-server/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/guacamole-server/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying guacamole-server Image Signatures
 The **guacamole-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading guacamole-server Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the guacamole-server image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the guacamole-server image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/guacamole-server | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/guacamole-server | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying guacamole-server Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the guacamole-server image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/guacamole-server
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/guacamole-server
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/guacamole-server --
diff --git a/content/chainguard/chainguard-images/reference/haproxy-ingress/provenance_info.md b/content/chainguard/chainguard-images/reference/haproxy-ingress/provenance_info.md
index 31f59455f3..e9038205fa 100644
--- a/content/chainguard/chainguard-images/reference/haproxy-ingress/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/haproxy-ingress/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying haproxy-ingress Image Signatures
 The **haproxy-ingress** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading haproxy-ingress Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the haproxy-ingress image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the haproxy-ingress image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/haproxy-ingress | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/haproxy-ingress | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying haproxy-ingress Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the haproxy-ingress image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/haproxy-ingress
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/haproxy-ingress
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/haproxy-ingress --
diff --git a/content/chainguard/chainguard-images/reference/haproxy/provenance_info.md b/content/chainguard/chainguard-images/reference/haproxy/provenance_info.md
index fd8ca8a9d8..36479b1880 100644
--- a/content/chainguard/chainguard-images/reference/haproxy/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/haproxy/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying haproxy Image Signatures
 The **haproxy** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading haproxy Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the haproxy image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the haproxy image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/haproxy | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/haproxy | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying haproxy Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the haproxy image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/haproxy
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/haproxy
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/haproxy --
diff --git a/content/chainguard/chainguard-images/reference/helm-chartmuseum/provenance_info.md b/content/chainguard/chainguard-images/reference/helm-chartmuseum/provenance_info.md
index 069478fa1c..7304bf67ca 100644
--- a/content/chainguard/chainguard-images/reference/helm-chartmuseum/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/helm-chartmuseum/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying helm-chartmuseum Image Signatures
 The **helm-chartmuseum** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading helm-chartmuseum Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the helm-chartmuseum image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the helm-chartmuseum image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/helm-chartmuseum | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/helm-chartmuseum | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying helm-chartmuseum Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the helm-chartmuseum image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/helm-chartmuseum +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/helm-chartmuseum ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/helm-chartmuseum -- diff --git a/content/chainguard/chainguard-images/reference/helm/provenance_info.md b/content/chainguard/chainguard-images/reference/helm/provenance_info.md index a7085b5c8c..b262230bc9 100644 --- a/content/chainguard/chainguard-images/reference/helm/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/helm/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying helm Image Signatures The **helm** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading helm Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the helm image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the helm image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/helm | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/helm | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying helm Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the helm image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/helm +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/helm ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/helm -- diff --git a/content/chainguard/chainguard-images/reference/helm/tags_history.md b/content/chainguard/chainguard-images/reference/helm/tags_history.md index 04643c6f32..318c1cdeae 100644 --- a/content/chainguard/chainguard-images/reference/helm/tags_history.md +++ b/content/chainguard/chainguard-images/reference/helm/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 7th | `sha256:9765e6e482f184b3bbf2f04652ffb197d75bd3d0616b261ca21121f9e88794d3` | -| `latest` | October 30th | `sha256:b6cf9993db824ff5a383e9be0ed45478be2e88962ff9ce4bd73b633dc4a85fa8` | +| `latest` | November 8th | `sha256:c24f6bf99d7ce53dd2c8df515f3f66f84143fb88b8c7a5cc3e637467a5ccb464` | +| `latest-dev` | November 8th | `sha256:77ebbe9f9c76df1826a14d481b4218e182e39f69f87b121e061b2cc090111d01` | diff --git a/content/chainguard/chainguard-images/reference/http-echo/provenance_info.md b/content/chainguard/chainguard-images/reference/http-echo/provenance_info.md index f6c7364855..346ce41bbe 100644 --- a/content/chainguard/chainguard-images/reference/http-echo/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/http-echo/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying http-echo Image Signatures The **http-echo** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading http-echo Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the http-echo image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the http-echo image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/http-echo | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/http-echo | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying http-echo Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the http-echo image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/http-echo +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/http-echo ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/http-echo -- diff --git a/content/chainguard/chainguard-images/reference/hugo/provenance_info.md b/content/chainguard/chainguard-images/reference/hugo/provenance_info.md index 5d7b5d03b3..2566f6609f 100644 --- a/content/chainguard/chainguard-images/reference/hugo/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/hugo/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying hugo Image Signatures The **hugo** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading hugo Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the hugo image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the hugo image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/hugo | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/hugo | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying hugo Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the hugo image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/hugo +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/hugo ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/hugo -- diff --git a/content/chainguard/chainguard-images/reference/influxdb/provenance_info.md b/content/chainguard/chainguard-images/reference/influxdb/provenance_info.md index 5469f85606..f63cd47cd6 100644 --- a/content/chainguard/chainguard-images/reference/influxdb/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/influxdb/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying influxdb Image Signatures The **influxdb** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading influxdb Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the influxdb image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the influxdb image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/influxdb | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/influxdb | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying influxdb Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the influxdb image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/influxdb +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/influxdb ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/influxdb -- diff --git a/content/chainguard/chainguard-images/reference/influxdb/tags_history.md b/content/chainguard/chainguard-images/reference/influxdb/tags_history.md index 63b39bc8a9..e59feb6aaa 100644 --- a/content/chainguard/chainguard-images/reference/influxdb/tags_history.md +++ b/content/chainguard/chainguard-images/reference/influxdb/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 7th | `sha256:56019c0c2b048721e594d69df2f4d820bd2898fb9eeaa0057459514ba775ee9d` | -| `latest` | October 30th | `sha256:6729111fd0b69663d70783a313126a14980a3a6e501c3d5ea59d5e06dc8d8854` | +| `latest-dev` | November 8th | `sha256:19736caa8fc932a616e15a0c1be8dbad8b6e64635b8c1a643fb476fa4b619b96` | +| `latest` | November 8th | `sha256:b47ea6baf880d1b9955dbb90c07f63c7075b17a37dc5e0cc1bcb36a6555ffb61` | diff --git a/content/chainguard/chainguard-images/reference/ingress-nginx-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/ingress-nginx-controller/provenance_info.md index a323dc4305..ddfad0b8fd 100644 --- a/content/chainguard/chainguard-images/reference/ingress-nginx-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ingress-nginx-controller/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying ingress-nginx-controller Image Signatures The **ingress-nginx-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading ingress-nginx-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the ingress-nginx-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ingress-nginx-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/ingress-nginx-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/ingress-nginx-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying ingress-nginx-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the ingress-nginx-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/ingress-nginx-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/ingress-nginx-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/ingress-nginx-controller -- diff --git a/content/chainguard/chainguard-images/reference/ingress-nginx-controller/tags_history.md b/content/chainguard/chainguard-images/reference/ingress-nginx-controller/tags_history.md index e4675317ad..3ff4425c3a 100644 --- a/content/chainguard/chainguard-images/reference/ingress-nginx-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ingress-nginx-controller/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest` | November 7th | `sha256:2b977da1e0eed6d6696373200c70870a967b8a434114b764e2e3209e3f3b5e0c` | -| `latest-dev` | November 7th | `sha256:349a681405f0ca1378f79637898d54c31dd7a3482e98b71da57b561b52e2c4d1` | +| `latest` | November 8th | `sha256:c24d5a50c0bc504f1d4f03aa68c7c1018265f7fe79b27b1e5041421562c9dd93` | +| `latest-dev` | November 8th | `sha256:3ca5691a0b46b6ad88eee3bb5b7f70a8776407472e12f332a438477e15163590` | diff --git a/content/chainguard/chainguard-images/reference/ip-masq-agent/provenance_info.md b/content/chainguard/chainguard-images/reference/ip-masq-agent/provenance_info.md index ece35bb984..09bcd43e6b 100644 --- a/content/chainguard/chainguard-images/reference/ip-masq-agent/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ip-masq-agent/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying ip-masq-agent Image Signatures The **ip-masq-agent** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading ip-masq-agent Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the ip-masq-agent image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ip-masq-agent image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/ip-masq-agent | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/ip-masq-agent | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying ip-masq-agent Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the ip-masq-agent image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/ip-masq-agent +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/ip-masq-agent ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/ip-masq-agent -- diff --git a/content/chainguard/chainguard-images/reference/ip-masq-agent/tags_history.md b/content/chainguard/chainguard-images/reference/ip-masq-agent/tags_history.md index b0d43313dc..7b33e7827f 100644 --- a/content/chainguard/chainguard-images/reference/ip-masq-agent/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ip-masq-agent/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 7th | `sha256:f0c44e701f5ec86194395b9ba9d369d87a83bcbcda885174d1dcfc98153333b1` | -| `latest` | October 30th | `sha256:3bd76ddd80f260ab1611e5674252e1ae284e7f4f1e03779b225b77b90be3708e` | +| `latest-dev` | November 8th | `sha256:679ca78568ec0602812ca22a45861713993efc3465d2fcd3a5155b760b57299f` | +| `latest` | November 8th | `sha256:fc4b15929dc5d5760929d010a1d66d5f4ccc08f0fb77650c4da70556616bd218` | diff --git a/content/chainguard/chainguard-images/reference/istio-install-cni/provenance_info.md b/content/chainguard/chainguard-images/reference/istio-install-cni/provenance_info.md index 915424e1eb..1c8544f53f 100644 --- a/content/chainguard/chainguard-images/reference/istio-install-cni/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/istio-install-cni/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying istio-install-cni Image Signatures The **istio-install-cni** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading istio-install-cni Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the istio-install-cni image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-install-cni image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/istio-install-cni | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/istio-install-cni | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying istio-install-cni Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the istio-install-cni image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/istio-install-cni +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/istio-install-cni ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/istio-install-cni -- diff --git a/content/chainguard/chainguard-images/reference/istio-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/istio-operator/provenance_info.md index 4fb65f015e..e9a522a317 100644 --- a/content/chainguard/chainguard-images/reference/istio-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/istio-operator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying istio-operator Image Signatures The **istio-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading istio-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the istio-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/istio-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/istio-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying istio-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the istio-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/istio-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/istio-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/istio-operator -- diff --git a/content/chainguard/chainguard-images/reference/istio-pilot/provenance_info.md b/content/chainguard/chainguard-images/reference/istio-pilot/provenance_info.md index e1b32e7d31..f3e71f47fb 100644 --- a/content/chainguard/chainguard-images/reference/istio-pilot/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/istio-pilot/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying istio-pilot Image Signatures The **istio-pilot** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading istio-pilot Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the istio-pilot image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-pilot image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/istio-pilot | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/istio-pilot | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying istio-pilot Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the istio-pilot image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/istio-pilot +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/istio-pilot ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/istio-pilot -- diff --git a/content/chainguard/chainguard-images/reference/istio-proxy/provenance_info.md b/content/chainguard/chainguard-images/reference/istio-proxy/provenance_info.md index c8f5040b0e..cc0fb2c165 100644 --- a/content/chainguard/chainguard-images/reference/istio-proxy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/istio-proxy/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying istio-proxy Image Signatures The **istio-proxy** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading istio-proxy Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the istio-proxy image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-proxy image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/istio-proxy | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/istio-proxy | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying istio-proxy Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the istio-proxy image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/istio-proxy +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/istio-proxy ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/istio-proxy -- diff --git a/content/chainguard/chainguard-images/reference/jdk-lts/provenance_info.md b/content/chainguard/chainguard-images/reference/jdk-lts/provenance_info.md index 9034dcad7c..b531215f0d 100644 --- a/content/chainguard/chainguard-images/reference/jdk-lts/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jdk-lts/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying jdk-lts Image Signatures The **jdk-lts** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading jdk-lts Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the jdk-lts image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jdk-lts image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/jdk-lts | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/jdk-lts | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying jdk-lts Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the jdk-lts image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/jdk-lts +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/jdk-lts ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/jdk-lts -- diff --git a/content/chainguard/chainguard-images/reference/jdk/provenance_info.md b/content/chainguard/chainguard-images/reference/jdk/provenance_info.md index 0416d7d8cf..e39d7ccdba 100644 --- a/content/chainguard/chainguard-images/reference/jdk/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jdk/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying jdk Image Signatures The **jdk** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading jdk Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the jdk image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jdk image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/jdk | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/jdk | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying jdk Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the jdk image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/jdk +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/jdk ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/jdk -- diff --git a/content/chainguard/chainguard-images/reference/jenkins/provenance_info.md b/content/chainguard/chainguard-images/reference/jenkins/provenance_info.md index 4013c51b4a..3eaf0d3fc3 100644 --- a/content/chainguard/chainguard-images/reference/jenkins/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jenkins/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying jenkins Image Signatures The **jenkins** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading jenkins Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the jenkins image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jenkins image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/jenkins | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/jenkins | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying jenkins Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the jenkins image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/jenkins +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/jenkins ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/jenkins -- diff --git a/content/chainguard/chainguard-images/reference/jenkins/tags_history.md b/content/chainguard/chainguard-images/reference/jenkins/tags_history.md index 33599490a9..6bef65d91d 100644 --- a/content/chainguard/chainguard-images/reference/jenkins/tags_history.md +++ b/content/chainguard/chainguard-images/reference/jenkins/tags_history.md 
@@ -25,5 +25,5 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |-----------|--------------|---------------------------------------------------------------------------| -| `latest` | November 1st | `sha256:fdc49d87928dba935e4a7db661ac2a1cc3972a3230646e505c2dc6f6c93a56fc` | +| `latest` | November 8th | `sha256:e5990bf2d19de4cd348c60d84ff42934c865def9be4d0790fd7cbf3af7b4a528` | diff --git a/content/chainguard/chainguard-images/reference/jre-lts/provenance_info.md b/content/chainguard/chainguard-images/reference/jre-lts/provenance_info.md index 8444e12697..8d7552ad8e 100644 --- a/content/chainguard/chainguard-images/reference/jre-lts/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jre-lts/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying jre-lts Image Signatures The **jre-lts** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading jre-lts Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the jre-lts image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jre-lts image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/jre-lts | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/jre-lts | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying jre-lts Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the jre-lts image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/jre-lts +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/jre-lts ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/jre-lts -- diff --git a/content/chainguard/chainguard-images/reference/jre/provenance_info.md b/content/chainguard/chainguard-images/reference/jre/provenance_info.md index 5071d803b4..d9773f3327 100644 --- a/content/chainguard/chainguard-images/reference/jre/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jre/provenance_info.md 
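Review bot: The new `cosign download attestation` example in this hunk passes `--platform=unix/amd64`, but `unix` is not an OS value an OCI image index carries — the lines this same hunk removes from the `verify-attestation` block used `--platform=linux/amd64` — so a reader copying the command will get a platform-not-found error instead of the jre-lts SBOM; change the flag and the prose to `--platform=linux/amd64`. The hunk also drops `--platform` from `cosign verify-attestation`; if the SPDX attestation is attached to the per-platform manifests rather than to the index, that command may no longer locate what it claims to verify, so either keep the flag consistent with the download step or state that the index-level attestation is what is checked. Finally, the download pipeline (`... | jq -r .payload | base64 -d | jq .predicate`) shows the SBOM with no signature check at all; since `verify-attestation` emits the verified DSSE envelope on stdout, I would add `To work with a verified copy of the SBOM, pipe the output of cosign verify-attestation through the same jq/base64 steps rather than using cosign download attestation.` so users do not act on an unverified document.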
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying jre Image Signatures The **jre** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading jre Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the jre image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jre image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/jre | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/jre | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying jre Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the jre image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/jre +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/jre ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/jre -- diff --git a/content/chainguard/chainguard-images/reference/k3s-allinone/provenance_info.md b/content/chainguard/chainguard-images/reference/k3s-allinone/provenance_info.md index 54348854a2..48da751d92 100644 --- a/content/chainguard/chainguard-images/reference/k3s-allinone/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k3s-allinone/provenance_info.md 
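Review bot: `--platform=unix/amd64` in the added download command for the jre image is not a valid OCI platform — image indexes use GOOS-style values, and the `verify-attestation` lines removed in this very hunk spell it `linux/amd64` — so the command as written fails before returning any SBOM; fix the flag and the accompanying `unix/amd64` sentence to `linux/amd64`. Removing `--platform` from `cosign verify-attestation` is a second concern: on a multi-arch reference the verification then targets the index digest, and if attestations live on the per-platform manifests the SPDX predicate will not be found, so I would keep the flag or document the index-level behaviour explicitly. I would also add a caution after the download block that `cosign download attestation` performs no verification, and suggest `cosign verify-attestation ... | jq -r .payload | base64 -d | jq .predicate` as the way to obtain the predicate only after its signature and certificate identity have been checked.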
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying k3s-allinone Image Signatures The **k3s-allinone** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading k3s-allinone Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the k3s-allinone image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k3s-allinone image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/k3s-allinone | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/k3s-allinone | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying k3s-allinone Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the k3s-allinone image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/k3s-allinone +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/k3s-allinone ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/k3s-allinone -- diff --git a/content/chainguard/chainguard-images/reference/k3s/provenance_info.md b/content/chainguard/chainguard-images/reference/k3s/provenance_info.md index 7abfe7b729..f3cbfe2b34 100644 --- a/content/chainguard/chainguard-images/reference/k3s/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k3s/provenance_info.md 
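Review bot: The k3s-allinone download example added here uses `--platform=unix/amd64`, which does not match any platform an OCI index advertises (the removed `verify-attestation` lines in this hunk used `linux/amd64`), so the documented command will error out rather than print the SBOM; both the flag and the prose should read `linux/amd64`. Dropping `--platform=linux/amd64` from `cosign verify-attestation` also changes what gets verified — the index digest instead of a platform manifest — and if the SPDX attestation is only attached per platform the check will fail to find it, so the flag should stay or the text should say which digest is being verified. Since `cosign download attestation` does not validate signatures, I would add one sentence noting that, and point readers to `cosign verify-attestation ... | jq -r .payload | base64 -d | jq .predicate` as the verified path to the same predicate.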
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying k3s Image Signatures The **k3s** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading k3s Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the k3s image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k3s image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/k3s | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/k3s | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying k3s Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the k3s image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/k3s +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/k3s ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/k3s -- diff --git a/content/chainguard/chainguard-images/reference/k8s-sidecar/provenance_info.md b/content/chainguard/chainguard-images/reference/k8s-sidecar/provenance_info.md index 6ff310de02..b05d85e3a4 100644 --- a/content/chainguard/chainguard-images/reference/k8s-sidecar/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k8s-sidecar/provenance_info.md 
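Review bot: For the k3s image this hunk introduces `--platform=unix/amd64` in the `cosign download attestation` command and in the sentence above it; `unix` is not an OS value found in an OCI image index, and the removed `verify-attestation` lines show the correct spelling `linux/amd64`, so readers will hit a platform lookup failure — replace both occurrences with `linux/amd64`. The hunk also strips `--platform` from `cosign verify-attestation`, which means the index digest is verified rather than a per-platform manifest; if attestations are attached per platform the SPDX predicate may not be found, so keep the flag or state the intended behaviour. I would additionally warn that the download pipeline shows an unverified document and recommend `cosign verify-attestation ... | jq -r .payload | base64 -d | jq .predicate` when the SBOM contents are going to be relied upon.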
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying k8s-sidecar Image Signatures The **k8s-sidecar** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading k8s-sidecar Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the k8s-sidecar image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8s-sidecar image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/k8s-sidecar | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/k8s-sidecar | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying k8s-sidecar Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the k8s-sidecar image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/k8s-sidecar +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/k8s-sidecar ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/k8s-sidecar -- diff --git a/content/chainguard/chainguard-images/reference/k8sgpt-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/k8sgpt-operator/provenance_info.md index a8db463300..50ab897dcd 100644 --- a/content/chainguard/chainguard-images/reference/k8sgpt-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k8sgpt-operator/provenance_info.md 
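Review bot: The added k8s-sidecar download command passes `--platform=unix/amd64`, an OS/arch pair no OCI index will carry — the `verify-attestation` lines this hunk removes used `linux/amd64` — so the command fails instead of returning the SBOM; change the flag and the `unix/amd64` prose to `linux/amd64`. Removing `--platform` from `cosign verify-attestation` shifts verification to the index digest; if the SPDX attestation is attached to the per-platform manifests the lookup may come back empty, so either keep `--platform=linux/amd64` there or say explicitly that the index-level attestation is what is verified. Because `cosign download attestation` checks no signature, I would add a sentence such as `To obtain a verified SBOM, pipe cosign verify-attestation through jq -r .payload | base64 -d | jq .predicate instead.` so the unverified download is not mistaken for an authenticated artifact.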
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying k8sgpt-operator Image Signatures The **k8sgpt-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading k8sgpt-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the k8sgpt-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8sgpt-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/k8sgpt-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/k8sgpt-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying k8sgpt-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the k8sgpt-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/k8sgpt-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/k8sgpt-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/k8sgpt-operator -- diff --git a/content/chainguard/chainguard-images/reference/k8sgpt/provenance_info.md b/content/chainguard/chainguard-images/reference/k8sgpt/provenance_info.md index a687471150..dd0d60c961 100644 --- a/content/chainguard/chainguard-images/reference/k8sgpt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k8sgpt/provenance_info.md 
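Review bot: `--platform=unix/amd64` in the new k8sgpt-operator download example is not a valid OCI platform string; image indexes use `linux/amd64`, exactly as the `verify-attestation` lines removed in this hunk did, so the command will fail with a platform-not-found error — fix the flag and the matching prose. The same hunk drops `--platform` from `cosign verify-attestation`, so the verification now targets the index digest and may not find the SPDX attestation if it is attached per platform; keep the flag consistent with the download command or document which digest is verified. I would also note after the download block that `cosign download attestation` does not verify anything, and recommend `cosign verify-attestation ... | jq -r .payload | base64 -d | jq .predicate` as the way to extract a predicate whose signature and certificate identity have already been checked.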
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying k8sgpt Image Signatures The **k8sgpt** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading k8sgpt Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the k8sgpt image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8sgpt image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/k8sgpt | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/k8sgpt | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying k8sgpt Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the k8sgpt image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/k8sgpt +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/k8sgpt ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/k8sgpt -- diff --git a/content/chainguard/chainguard-images/reference/kafka/provenance_info.md b/content/chainguard/chainguard-images/reference/kafka/provenance_info.md index e9841952d4..7b62103f1c 100644 --- a/content/chainguard/chainguard-images/reference/kafka/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kafka/provenance_info.md 
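Review bot: The k8sgpt download command added here uses `--platform=unix/amd64`, which no OCI image index advertises (the removed `verify-attestation` lines used `linux/amd64`), so a copy-pasted command errors out rather than printing the SBOM; both the flag and the sentence above it should say `linux/amd64`. Removing `--platform` from the `cosign verify-attestation` example means the index digest is verified instead of a platform manifest, and if the SPDX attestation lives on the per-platform manifests the command may report nothing to verify — keep the flag or state the index-level behaviour. Since the download pipeline presents an unverified document, I would add `Prefer cosign verify-attestation ... | jq -r .payload | base64 -d | jq .predicate when the SBOM contents will be trusted.` immediately after the download block.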
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kafka Image Signatures The **kafka** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading kafka Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the kafka image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kafka image on `unix/amd64`:
```shell
cosign download attestation \
+ --platform=unix/amd64 \
--predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/kafka | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/kafka | jq -r .payload | base64 -d | jq .predicate
```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying kafka Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the kafka image attestations:
```shell
cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/kafka
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/kafka
```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
```
Verification for cgr.dev/chainguard/kafka --
diff --git a/content/chainguard/chainguard-images/reference/karpenter/provenance_info.md b/content/chainguard/chainguard-images/reference/karpenter/provenance_info.md
index c4f43d39b0..c030d39cbc 100644
--- a/content/chainguard/chainguard-images/reference/karpenter/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/karpenter/provenance_info.md
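Review bot: The added download command uses `--platform=unix/amd64`, which is not a valid OCI platform (`os/arch`) value — the removed verify-attestation lines used `linux/amd64`, and the sentence introducing the command repeats the same `unix/amd64`; both should read `linux/amd64`, otherwise cosign will not resolve a platform-specific image. The rewritten verify-attestation command in this hunk also drops `--platform=linux/amd64`, so against a multi-arch index it may verify a different artifact than the one the download command fetches; restore `--platform=linux/amd64 \` there unless the attestation is intentionally attached to the index. The same two issues recur in the corresponding hunks for karpenter, keda-adapter, keda-admission-webhooks, keda, keycloak, ko and kube-bench, and presumably in the k8sgpt hunk that begins before this chunk.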
@@ -21,7 +21,7 @@ toc: true
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying karpenter Image Signatures
The **karpenter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading karpenter Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the karpenter image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the karpenter image on `unix/amd64`:
```shell
cosign download attestation \
+ --platform=unix/amd64 \
--predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/karpenter | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/karpenter | jq -r .payload | base64 -d | jq .predicate
```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying karpenter Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the karpenter image attestations:
```shell
cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/karpenter
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/karpenter
```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
```
Verification for cgr.dev/chainguard/karpenter --
diff --git a/content/chainguard/chainguard-images/reference/keda-adapter/provenance_info.md b/content/chainguard/chainguard-images/reference/keda-adapter/provenance_info.md
index 73879b645d..056ecf7852 100644
--- a/content/chainguard/chainguard-images/reference/keda-adapter/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/keda-adapter/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying keda-adapter Image Signatures
The **keda-adapter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading keda-adapter Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the keda-adapter image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda-adapter image on `unix/amd64`:
```shell
cosign download attestation \
+ --platform=unix/amd64 \
--predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/keda-adapter | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/keda-adapter | jq -r .payload | base64 -d | jq .predicate
```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying keda-adapter Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the keda-adapter image attestations:
```shell
cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/keda-adapter
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/keda-adapter
```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
```
Verification for cgr.dev/chainguard/keda-adapter --
diff --git a/content/chainguard/chainguard-images/reference/keda-adapter/tags_history.md b/content/chainguard/chainguard-images/reference/keda-adapter/tags_history.md
index 65481c972e..050ad128c9 100644
--- a/content/chainguard/chainguard-images/reference/keda-adapter/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/keda-adapter/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
| Tag (s) | Last Changed | Digest |
|---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 7th | `sha256:21e24f59e6b7659baf9c5f444d02e6f3ffd2a74fd8b184e91cbc2decb5d20afe` |
-| `latest` | October 30th | `sha256:deeb5e3c1ac69d4e7ca02b465acb84754a984bdca78e88c8e7c666042d15f1de` |
+| `latest` | November 8th | `sha256:15f9c42b482a051173bf4675587cd84057ffc135c5cb4a8426ea8a3fd21c37a6` |
+| `latest-dev` | November 8th | `sha256:7e6407e007ce7a2d619075925e13549daac8d4c133f6ab3d5419ab89362a8318` |
diff --git a/content/chainguard/chainguard-images/reference/keda-admission-webhooks/provenance_info.md b/content/chainguard/chainguard-images/reference/keda-admission-webhooks/provenance_info.md
index cce4539021..fe30afd66d 100644
--- a/content/chainguard/chainguard-images/reference/keda-admission-webhooks/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/keda-admission-webhooks/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying keda-admission-webhooks Image Signatures
The **keda-admission-webhooks** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading keda-admission-webhooks Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the keda-admission-webhooks image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda-admission-webhooks image on `unix/amd64`:
```shell
cosign download attestation \
+ --platform=unix/amd64 \
--predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/keda-admission-webhooks | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/keda-admission-webhooks | jq -r .payload | base64 -d | jq .predicate
```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying keda-admission-webhooks Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the keda-admission-webhooks image attestations:
```shell
cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/keda-admission-webhooks
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/keda-admission-webhooks
```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
```
Verification for cgr.dev/chainguard/keda-admission-webhooks --
diff --git a/content/chainguard/chainguard-images/reference/keda-admission-webhooks/tags_history.md b/content/chainguard/chainguard-images/reference/keda-admission-webhooks/tags_history.md
index 12c6cde255..6c20f6e911 100644
--- a/content/chainguard/chainguard-images/reference/keda-admission-webhooks/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/keda-admission-webhooks/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
| Tag (s) | Last Changed | Digest |
|---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 7th | `sha256:4e376bee35f6a0d07cbb1dffb46e1250da0b66b1a4a3629260980260095eb1f2` |
-| `latest` | October 30th | `sha256:7f74730321826fad557805ff5a5587c98573a024edb2fa55ff61634017ff88c0` |
+| `latest-dev` | November 8th | `sha256:5b4d57b458106ec2f54444f8d67444f507958036dcd4e20ebf14ae762978cbad` |
+| `latest` | November 8th | `sha256:27ed58200b261a4026b55cab22ff6a752a902827cf7193ce58696b6d36cdd6b1` |
diff --git a/content/chainguard/chainguard-images/reference/keda/provenance_info.md b/content/chainguard/chainguard-images/reference/keda/provenance_info.md
index 3abda8b5da..ea4d143a14 100644
--- a/content/chainguard/chainguard-images/reference/keda/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/keda/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying keda Image Signatures
The **keda** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading keda Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the keda image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda image on `unix/amd64`:
```shell
cosign download attestation \
+ --platform=unix/amd64 \
--predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/keda | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/keda | jq -r .payload | base64 -d | jq .predicate
```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying keda Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the keda image attestations:
```shell
cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/keda
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/keda
```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
```
Verification for cgr.dev/chainguard/keda --
diff --git a/content/chainguard/chainguard-images/reference/keda/tags_history.md b/content/chainguard/chainguard-images/reference/keda/tags_history.md
index 8d7e66c7c2..cb67b7216e 100644
--- a/content/chainguard/chainguard-images/reference/keda/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/keda/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
| Tag (s) | Last Changed | Digest |
|---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 7th | `sha256:2939f1f674e3069e13a94f107e5cbfabfc805e75903a1ea9f4b7995def3e253a` |
-| `latest` | October 30th | `sha256:fee74fdc66d9065ca1a5df3577decc8f436e14d7a2251091b798adbcab455844` |
+| `latest-dev` | November 8th | `sha256:9a90b40248d953af9a28c3fd7d2b785ecf78edfe22ef68e4bda6eb006e32677b` |
+| `latest` | November 8th | `sha256:0ce2bbb809a6e2d6c76c41c25e18f9e8e43e00e4ecb2c804c74330a6c5039bec` |
diff --git a/content/chainguard/chainguard-images/reference/keycloak/provenance_info.md b/content/chainguard/chainguard-images/reference/keycloak/provenance_info.md
index 8b636e26bf..af7375e89c 100644
--- a/content/chainguard/chainguard-images/reference/keycloak/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/keycloak/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying keycloak Image Signatures
The **keycloak** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading keycloak Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the keycloak image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keycloak image on `unix/amd64`:
```shell
cosign download attestation \
+ --platform=unix/amd64 \
--predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/keycloak | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/keycloak | jq -r .payload | base64 -d | jq .predicate
```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying keycloak Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the keycloak image attestations:
```shell
cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/keycloak
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/keycloak
```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
```
Verification for cgr.dev/chainguard/keycloak --
diff --git a/content/chainguard/chainguard-images/reference/ko/provenance_info.md b/content/chainguard/chainguard-images/reference/ko/provenance_info.md
index 2d6d1f3f9a..2d8339c00b 100644
--- a/content/chainguard/chainguard-images/reference/ko/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/ko/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying ko Image Signatures
The **ko** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading ko Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the ko image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ko image on `unix/amd64`:
```shell
cosign download attestation \
+ --platform=unix/amd64 \
--predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/ko | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/ko | jq -r .payload | base64 -d | jq .predicate
```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying ko Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the ko image attestations:
```shell
cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/ko
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/ko
```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
```
Verification for cgr.dev/chainguard/ko --
diff --git a/content/chainguard/chainguard-images/reference/ko/tags_history.md b/content/chainguard/chainguard-images/reference/ko/tags_history.md
index 64e783cc90..a5919a2f68 100644
--- a/content/chainguard/chainguard-images/reference/ko/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/ko/tags_history.md
@@ -25,5 +25,5 @@ Please note that digests and timestamps only change when there is a change to th
| Tag (s) | Last Changed | Digest |
|-----------|--------------|---------------------------------------------------------------------------|
-| `latest` | November 3rd | `sha256:36eba81a1712d201a3109a158ae00a1fa2d4d16229ceae0e8dc83b0fee8a8ada` |
+| `latest` | November 8th | `sha256:2957285ff08e695085a8641294fe8527c54ddfb590164443439c7cecd11f8735` |
diff --git a/content/chainguard/chainguard-images/reference/kube-bench/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-bench/provenance_info.md
index 33dda10f27..d1a7bc201c 100644
--- a/content/chainguard/chainguard-images/reference/kube-bench/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/kube-bench/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying kube-bench Image Signatures
The **kube-bench** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kube-bench Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kube-bench image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-bench image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kube-bench | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kube-bench | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kube-bench Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kube-bench image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kube-bench +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kube-bench ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kube-bench -- diff --git a/content/chainguard/chainguard-images/reference/kube-downscaler/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-downscaler/provenance_info.md index 7573b37d32..e7ecd1e298 100644 --- a/content/chainguard/chainguard-images/reference/kube-downscaler/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-downscaler/provenance_info.md 
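Review bot: `--platform=unix/amd64` in the new `cosign download attestation` example is not a valid OCI platform string — the OS component for these images is `linux` — so readers who copy it will most likely get a platform-resolution error instead of the SBOM, and the prose line "on `unix/amd64`" repeats the typo. Both should read `linux/amd64`, i.e. `--platform=linux/amd64 \`. The rewritten `cosign verify-attestation` block also drops the old `--platform=linux/amd64`; if the SPDX attestation is attached per-platform rather than to the index, verifying the multi-arch tag without it may not check the same artifact the download step fetched, so it is worth confirming that omission is intended. The same text appears in the kube-downscaler, kube-fluentd-operator, kube-logging-operator-fluentd, kube-logging-operator, kube-state-metrics, kubectl and kubeflow-jupyter-web-app hunks (and in the ko hunk that starts before this chunk); since these pages appear to be generated, the fix belongs in the template.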
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kube-downscaler Image Signatures The **kube-downscaler** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kube-downscaler Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kube-downscaler image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-downscaler image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kube-downscaler | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kube-downscaler | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kube-downscaler Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kube-downscaler image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kube-downscaler +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kube-downscaler ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kube-downscaler -- diff --git a/content/chainguard/chainguard-images/reference/kube-fluentd-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-fluentd-operator/provenance_info.md index 7e5e081e8b..116536000d 100644 --- a/content/chainguard/chainguard-images/reference/kube-fluentd-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-fluentd-operator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kube-fluentd-operator Image Signatures The **kube-fluentd-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kube-fluentd-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kube-fluentd-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-fluentd-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kube-fluentd-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kube-fluentd-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kube-fluentd-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kube-fluentd-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kube-fluentd-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kube-fluentd-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kube-fluentd-operator -- diff --git a/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/provenance_info.md index b047452a4b..9c950bf207 100644 --- a/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kube-logging-operator-fluentd Image Signatures The **kube-logging-operator-fluentd** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kube-logging-operator-fluentd Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kube-logging-operator-fluentd image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-logging-operator-fluentd image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kube-logging-operator-fluentd | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kube-logging-operator-fluentd | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kube-logging-operator-fluentd Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kube-logging-operator-fluentd image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kube-logging-operator-fluentd +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kube-logging-operator-fluentd ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kube-logging-operator-fluentd -- diff --git a/content/chainguard/chainguard-images/reference/kube-logging-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-logging-operator/provenance_info.md index 5f2482f545..3e4cf87708 100644 --- a/content/chainguard/chainguard-images/reference/kube-logging-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-logging-operator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kube-logging-operator Image Signatures The **kube-logging-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kube-logging-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kube-logging-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-logging-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kube-logging-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kube-logging-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kube-logging-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kube-logging-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kube-logging-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kube-logging-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kube-logging-operator -- diff --git a/content/chainguard/chainguard-images/reference/kube-state-metrics/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-state-metrics/provenance_info.md index 884439e47d..20cbd47480 100644 --- a/content/chainguard/chainguard-images/reference/kube-state-metrics/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-state-metrics/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kube-state-metrics Image Signatures The **kube-state-metrics** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kube-state-metrics Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kube-state-metrics image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-state-metrics image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kube-state-metrics | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kube-state-metrics | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kube-state-metrics Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kube-state-metrics image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kube-state-metrics +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kube-state-metrics ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kube-state-metrics -- diff --git a/content/chainguard/chainguard-images/reference/kubectl/provenance_info.md b/content/chainguard/chainguard-images/reference/kubectl/provenance_info.md index a0e2c57c28..97b14a1c3e 100644 --- a/content/chainguard/chainguard-images/reference/kubectl/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubectl/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubectl Image Signatures The **kubectl** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubectl Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubectl image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubectl image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubectl | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubectl | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubectl Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubectl image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubectl +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubectl ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubectl -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/provenance_info.md index 155c80b5dc..f6157e9e6f 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-jupyter-web-app Image Signatures The **kubeflow-jupyter-web-app** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-jupyter-web-app Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-jupyter-web-app image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-jupyter-web-app image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-jupyter-web-app | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-jupyter-web-app | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-jupyter-web-app Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-jupyter-web-app image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-jupyter-web-app +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-jupyter-web-app ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-jupyter-web-app -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/tags_history.md index c1740968d2..6ca554e025 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/tags_history.md 
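Review bot: The new `--platform=unix/amd64` on the `cosign download attestation` line (and the matching "on `unix/amd64`" in the sentence introducing it) names an OS these images are not published for; cosign takes an OCI os/arch pair and the removed `verify-attestation` lines in this same hunk used `linux/amd64`, so as written the command will most likely fail to resolve a per-platform manifest — change it to `--platform=linux/amd64 \` and fix the prose to match. The rewritten `verify-attestation` command also drops `--platform`, so the download step and the verification step may resolve different manifests (per-platform image vs. index); unless that is intentional, keep `--platform=linux/amd64 \` there so the attestation being verified is the one just downloaded. Since `cosign download attestation` performs no signature check, a caveat after the download example would help readers, e.g. `Note that cosign download attestation does not verify the attestation's signature; run the verification command in the next section before relying on the SBOM contents.` Referencing the image by digest rather than the mutable `latest` tag would additionally pin the downloaded attestation to a specific build.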
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 3rd | `sha256:ca4e5ee60a750d5890180c16b181841a5ecb6f3eb1541bf649f01d760f2272eb` | -| `latest` | November 3rd | `sha256:d995f9a81948dcef28ebd3f2e28e05d15768692f7ca08a737bfea411b2d027e8` | +| `latest-dev` | November 8th | `sha256:0430509517eaa7071c9545ee2fe206881164f10398b96db484cf57fca65bc906` | +| `latest` | November 8th | `sha256:e60600be5785f7d8c4bab6617651fa38e6d302c5c2b4eccc78139aa795510f2d` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/provenance_info.md index c8d8aa1b07..a31d5975ae 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-controller Image Signatures The **kubeflow-katib-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-controller -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/provenance_info.md index 6e27ef20e3..06c7d9d713 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/provenance_info.md 
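Review bot: `--platform=unix/amd64` on the new `cosign download attestation` line (and "on `unix/amd64`" in the preceding sentence) is not a platform these images are built for; cosign expects an OCI os/arch string and the `verify-attestation` lines removed in this same hunk used `linux/amd64`, so the command as written will most likely fail to resolve a manifest — it should be `--platform=linux/amd64 \` with the prose corrected to match. The rewritten `verify-attestation` command no longer passes `--platform`, so download and verification may resolve different manifests (per-platform image vs. index); keep `--platform=linux/amd64 \` there unless index-level verification is the intent. Because `cosign download attestation` does no signature verification, add a short caveat after the download example, e.g. `Note that cosign download attestation does not verify the attestation's signature; run the verification command in the next section before relying on the SBOM contents.` Pinning the image by digest instead of the mutable `latest` tag would also tie the downloaded attestation to a specific build.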
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-db-manager Image Signatures The **kubeflow-katib-db-manager** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-db-manager Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-db-manager image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-db-manager image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-db-manager | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-db-manager | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-db-manager Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-db-manager image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-db-manager +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-db-manager ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-db-manager -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/provenance_info.md index 2205a9324c..625e56835a 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-earlystopping-medianstop Image Signatures The **kubeflow-katib-earlystopping-medianstop** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-earlystopping-medianstop Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-earlystopping-medianstop image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-earlystopping-medianstop image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-earlystopping-medianstop Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-earlystopping-medianstop image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/provenance_info.md index d0dde50878..819f7922dc 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-file-metrics-collector Image Signatures The **kubeflow-katib-file-metrics-collector** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-file-metrics-collector Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-file-metrics-collector image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-file-metrics-collector image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-file-metrics-collector | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-file-metrics-collector | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-file-metrics-collector Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-file-metrics-collector image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-file-metrics-collector +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-file-metrics-collector ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-file-metrics-collector -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/provenance_info.md index 9a883b8113..9968ad8878 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-suggestion-darts Image Signatures The **kubeflow-katib-suggestion-darts** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-suggestion-darts Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-suggestion-darts image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-darts image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-suggestion-darts | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-suggestion-darts | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-suggestion-darts Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-suggestion-darts image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-suggestion-darts +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-suggestion-darts ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-suggestion-darts -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/provenance_info.md index fcf072a211..83672e298f 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-suggestion-goptuna Image Signatures The **kubeflow-katib-suggestion-goptuna** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-suggestion-goptuna Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-suggestion-goptuna image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-goptuna image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-suggestion-goptuna Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-suggestion-goptuna image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/provenance_info.md index fae7e6c4f6..cba58d08f1 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-suggestion-hyperband Image Signatures The **kubeflow-katib-suggestion-hyperband** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-suggestion-hyperband Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-suggestion-hyperband image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-hyperband image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-suggestion-hyperband Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-suggestion-hyperband image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/provenance_info.md index b361b80031..25168f49a2 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-suggestion-hyperopt Image Signatures The **kubeflow-katib-suggestion-hyperopt** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-suggestion-hyperopt Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-suggestion-hyperopt image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-hyperopt image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-suggestion-hyperopt Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-suggestion-hyperopt image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/provenance_info.md index c82132bf97..9374e0d80c 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-suggestion-optuna Image Signatures The **kubeflow-katib-suggestion-optuna** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-suggestion-optuna Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-suggestion-optuna image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-optuna image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-suggestion-optuna | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-suggestion-optuna | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-suggestion-optuna Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-suggestion-optuna image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-suggestion-optuna +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-suggestion-optuna ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-suggestion-optuna -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/provenance_info.md index 5522d52ae4..19201cd597 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-suggestion-pbt Image Signatures The **kubeflow-katib-suggestion-pbt** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-suggestion-pbt Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-suggestion-pbt image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-pbt image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-suggestion-pbt | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-suggestion-pbt | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-suggestion-pbt Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-suggestion-pbt image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-suggestion-pbt +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-suggestion-pbt ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-suggestion-pbt -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/provenance_info.md index 256b3a00af..0b0daf5e87 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-katib-suggestion-skopt Image Signatures The **kubeflow-katib-suggestion-skopt** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-katib-suggestion-skopt Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-katib-suggestion-skopt image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-skopt image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-katib-suggestion-skopt | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-katib-suggestion-skopt | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-katib-suggestion-skopt Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-katib-suggestion-skopt image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-katib-suggestion-skopt +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-katib-suggestion-skopt ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-katib-suggestion-skopt -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/image_specs.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/image_specs.md index ecd159d6f0..9c7e6caeca 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/image_specs.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/image_specs.md 
@@ -49,6 +49,7 @@ The table shows package distribution across variants. | `bash` | X | | | `busybox` | X | | | `ca-certificates-bundle` | X | X | +| `gdbm` | X | X | | `git` | X | | | `glibc` | X | X | | `glibc-locale-posix` | X | X | @@ -56,18 +57,26 @@ The table shows package distribution across variants. | `ld-linux` | X | X | | `libbrotlicommon1` | X | | | `libbrotlidec1` | X | | -| `libcrypt1` | X | | +| `libbz2-1` | X | X | +| `libcrypt1` | X | X | | `libcrypto3` | X | X | | `libcurl-openssl4` | X | | -| `libexpat1` | X | | +| `libexpat1` | X | X | +| `libffi` | X | X | | `libgcc` | X | X | | `libnghttp2-14` | X | | | `libpcre2-8-0` | X | | | `libssl3` | X | X | -| `ncurses` | X | | -| `ncurses-terminfo-base` | X | | +| `libstdc++` | X | X | +| `mpdecimal` | X | X | +| `ncurses` | X | X | +| `ncurses-terminfo-base` | X | X | | `openssl-config` | X | X | +| `python-3.12` | X | X | +| `readline` | X | X | +| `sqlite-libs` | X | X | | `wget` | X | X | | `wolfi-baselayout` | X | X | -| `zlib` | X | | +| `xz` | X | X | +| `zlib` | X | X | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/provenance_info.md index f8a0ffc281..ff0dab690f 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-pipelines-api-server Image Signatures The **kubeflow-pipelines-api-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-pipelines-api-server Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-pipelines-api-server image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-api-server image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-pipelines-api-server | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-pipelines-api-server | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-pipelines-api-server Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-pipelines-api-server image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-pipelines-api-server +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-pipelines-api-server ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-pipelines-api-server -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/tags_history.md index 79f8873bf0..d7e2524d2d 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 3rd | `sha256:8ecff176c4c54dc461b29db7fe72b18b1c1fb42115a17c3b96c8b1fbd88bd4cc` | -| `latest` | October 30th | `sha256:b6ad24a6aa3a1b914cbd1a79d6b9c5ad5ec43dcec868396e72782d974c820a97` | +| `latest` | November 8th | `sha256:7ca7152d5d7bb8f57edba9e690e52c0a166be0e9ee66e375a9b656afaafd5ffe` | +| `latest-dev` | November 8th | `sha256:5d8b1563830c25ce44d2b83bd4c50ce8244feaab225cabfe6cd5f5bc57d7d8ae` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/provenance_info.md index 5199f5a649..43a1bf37dd 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubeflow-pipelines-cache-deployer Image Signatures The **kubeflow-pipelines-cache-deployer** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading kubeflow-pipelines-cache-deployer Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-pipelines-cache-deployer image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-cache-deployer image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/kubeflow-pipelines-cache-deployer | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/kubeflow-pipelines-cache-deployer | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying kubeflow-pipelines-cache-deployer Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-pipelines-cache-deployer image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/kubeflow-pipelines-cache-deployer
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/kubeflow-pipelines-cache-deployer
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/kubeflow-pipelines-cache-deployer --
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/tags_history.md
index 9f2ea0b726..86e1ed8455 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/tags_history.md
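Review bot: The `--platform=unix/amd64` value added to the `cosign download attestation` example is not a valid OCI platform (the OS component should be `linux`), which is the value this same hunk removes from the verify-attestation block; the line should read `+ --platform=linux/amd64 \` and the prose mention of `unix/amd64` should match. The same value appears in the corresponding hunks for kubeflow-pipelines-cache-server, kubeflow-pipelines-metadata-writer, kubeflow-pipelines-persistenceagent, kubeflow-pipelines-scheduledworkflow, kubeflow-pipelines-viewer-crd-controller and kubeflow-volumes-web-app, and in the api-server hunk that begins before this chunk. Dropping `--platform` from `cosign verify-attestation` while the download example is pinned to one platform also means the two commands may no longer address the same subject for a multi-arch image; if that is intended, a sentence stating which subject is verified would avoid the mismatch. Since `cosign download attestation` performs no signature check, a sentence such as `The downloaded predicate should be trusted only after the verification step below succeeds.` placed before the download example would make the required order explicit.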
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 3rd | `sha256:1a59d491ef5242905aec41dec21a6fedc0988909e5021cb3bde08fc05bf82238` |
-| `latest` | October 30th | `sha256:59fa5883ef9f637014ba02f94b18b30dc4d5245b22bde1caaf43baeb2a13b41b` |
+| `latest` | November 8th | `sha256:de26628cece4cdcea2be6228c94a63dbef027f3fb61ee3c2eab63ae93fba93d2` |
+| `latest-dev` | November 8th | `sha256:e368ffe3523051d59c95dc88ea90984376f1005da550af3455c30a470a331969` |
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/provenance_info.md
index 176d5ca0ff..10f69d944c 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying kubeflow-pipelines-cache-server Image Signatures
 The **kubeflow-pipelines-cache-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading kubeflow-pipelines-cache-server Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-pipelines-cache-server image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-cache-server image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/kubeflow-pipelines-cache-server | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/kubeflow-pipelines-cache-server | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying kubeflow-pipelines-cache-server Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-pipelines-cache-server image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/kubeflow-pipelines-cache-server
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/kubeflow-pipelines-cache-server
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/kubeflow-pipelines-cache-server --
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/tags_history.md
index f2912a4613..a1a033b3d3 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 3rd | `sha256:f75c0abdf10ca1cfc5fbc6b646a6e18c9597c03108dc244b0ac2145aaaacc3d6` |
-| `latest` | October 30th | `sha256:b72966d1beea5485ad50671a6b431033632e5285150a497bb2a179d29c4da614` |
+| `latest` | November 8th | `sha256:d8caa17c2458748bd0e0c8e4f6b36cbea1dc9e40fd2be691b23c02594b7e2d74` |
+| `latest-dev` | November 8th | `sha256:36cf77fdaa5357b90991342f42996063239d29a82939a8866f75ae7ea07410e8` |
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/provenance_info.md
index 312402590c..27fb2ad794 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying kubeflow-pipelines-metadata-writer Image Signatures
 The **kubeflow-pipelines-metadata-writer** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading kubeflow-pipelines-metadata-writer Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-pipelines-metadata-writer image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-metadata-writer image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/kubeflow-pipelines-metadata-writer | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/kubeflow-pipelines-metadata-writer | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying kubeflow-pipelines-metadata-writer Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-pipelines-metadata-writer image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/kubeflow-pipelines-metadata-writer
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/kubeflow-pipelines-metadata-writer
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/kubeflow-pipelines-metadata-writer --
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/tags_history.md
index 6f2a033d96..b6bcb129be 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 3rd | `sha256:582104ab135407b2eddfbaa0b31778a1469d4c07a4ca5c30109b158e59f50964` |
-| `latest` | November 3rd | `sha256:18d6c72e1f6b51dd02a882f9ec3a34ca80963af69726b39fef7e341a53613c27` |
+| `latest` | November 8th | `sha256:5f31ceaca41686ebb24a5cd3008ee90acf41aeaff05a0a872b85a78664f825d5` |
+| `latest-dev` | November 8th | `sha256:3e4283905c1cc446dd3d0b3f9c6a6363f221dbcaa69cee0772046ae218b57e14` |
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/provenance_info.md
index b6bc2e9c0b..e663dd3299 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying kubeflow-pipelines-persistenceagent Image Signatures
 The **kubeflow-pipelines-persistenceagent** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading kubeflow-pipelines-persistenceagent Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-pipelines-persistenceagent image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-persistenceagent image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/kubeflow-pipelines-persistenceagent | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/kubeflow-pipelines-persistenceagent | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying kubeflow-pipelines-persistenceagent Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-pipelines-persistenceagent image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/kubeflow-pipelines-persistenceagent
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/kubeflow-pipelines-persistenceagent
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/kubeflow-pipelines-persistenceagent --
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/tags_history.md
index d40ebc082d..d8dc33147a 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 3rd | `sha256:abf70ad3eaba357d48ff9b844e05bc4785470f5446131f9257cf56ab7c417a01` |
-| `latest` | October 30th | `sha256:b9ce84b76b95a22da95c3b73eccc54768f91d66c8dd30a4b78489b23b6fa3f5a` |
+| `latest-dev` | November 8th | `sha256:2b0bbeddded13b8677780c837f3720d3a483acf08e8c656f37e8de015ff3a1bd` |
+| `latest` | November 8th | `sha256:03c14acc8b69b432ce174aa68921f0385a0b529aea7dafc4d1844bdda90840da` |
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/provenance_info.md
index 252f66a627..c8a5ed50b8 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying kubeflow-pipelines-scheduledworkflow Image Signatures
 The **kubeflow-pipelines-scheduledworkflow** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading kubeflow-pipelines-scheduledworkflow Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-pipelines-scheduledworkflow image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-scheduledworkflow image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying kubeflow-pipelines-scheduledworkflow Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-pipelines-scheduledworkflow image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow --
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/tags_history.md
index 199fe194c5..f917263a4d 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 3rd | `sha256:8d72e4e6e7f63f66a816c189dba95479397a05503733a0c2dc422622288b0107` |
-| `latest` | October 30th | `sha256:1db04d5e6ea096d9c5992f7145a9024acb2fffe00a8e560c14d2f3f37efad1e3` |
+| `latest-dev` | November 8th | `sha256:4fe997b9220f6fcca740c4ea6c5d4ceaf9a7946dfcf990337d7056c3d9bd11de` |
+| `latest` | November 8th | `sha256:8beba085f3ea5fbe15d1411a57043113a6bb8ccc5671b272517996befd839a17` |
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/provenance_info.md
index 88fb426252..9bd3cb7c70 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying kubeflow-pipelines-viewer-crd-controller Image Signatures
 The **kubeflow-pipelines-viewer-crd-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading kubeflow-pipelines-viewer-crd-controller Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-pipelines-viewer-crd-controller image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-viewer-crd-controller image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying kubeflow-pipelines-viewer-crd-controller Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-pipelines-viewer-crd-controller image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller --
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/tags_history.md
index f3c1d92136..057e84dc3b 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest-dev` | November 3rd | `sha256:b3a4666ceffd83d48b88942a0df94362254cd5b2a2e46d9d8c5a2f347960866d` |
+| `latest-dev` | November 8th | `sha256:82344b998c45c867aa04556f4eca9dba4f6b56564c18125398104dd3434f86a0` |
 | `latest` | October 30th | `sha256:6ef847c7f83ca9ac4d292aa4dc77dc8751e59797809863fb4f3fd4d1014b087b` |
diff --git a/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/provenance_info.md
index 6e38703f8f..c6de411c15 100644
--- a/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying kubeflow-volumes-web-app Image Signatures
 The **kubeflow-volumes-web-app** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubeflow-volumes-web-app Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubeflow-volumes-web-app image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-volumes-web-app image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubeflow-volumes-web-app | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubeflow-volumes-web-app | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubeflow-volumes-web-app Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubeflow-volumes-web-app image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubeflow-volumes-web-app +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubeflow-volumes-web-app ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubeflow-volumes-web-app -- diff --git a/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/tags_history.md index ed7167e792..4275e3c8b4 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest` | November 3rd | `sha256:72190ac2c58b8ed0dcf5cae515f76ab85af0cb5fbdcc1abc0c455e5f0b8a00bb` | -| `latest-dev` | November 3rd | `sha256:bcd837badf6cdcf989492d747badd9025ec9c09afdd688355608d2ece829b994` | +| `latest` | November 8th | `sha256:a800e456d77fff7fdbc4b78d0592644481aa4f60475af6785a1f6672e8852e1a` | +| `latest-dev` | November 8th | `sha256:99aa2b5d4473696d03dace4d9f5223bfd960fbafb8c47d9f8a46cd4aec9e1d71` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/provenance_info.md index 657a75968c..1504b2d6eb 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-csi-external-attacher Image Signatures The **kubernetes-csi-external-attacher** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-csi-external-attacher Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-csi-external-attacher image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-attacher image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-csi-external-attacher | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-csi-external-attacher | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-csi-external-attacher Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-csi-external-attacher image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-csi-external-attacher +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-csi-external-attacher ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-csi-external-attacher -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/provenance_info.md index ca15a110f8..fb13484757 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-csi-external-provisioner Image Signatures The **kubernetes-csi-external-provisioner** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-csi-external-provisioner Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-csi-external-provisioner image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-provisioner image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-csi-external-provisioner | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-csi-external-provisioner | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-csi-external-provisioner Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-csi-external-provisioner image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-csi-external-provisioner +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-csi-external-provisioner ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-csi-external-provisioner -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/provenance_info.md index 2fb3bfbfbc..469d8e5677 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-csi-external-resizer Image Signatures The **kubernetes-csi-external-resizer** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-csi-external-resizer Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-csi-external-resizer image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-resizer image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-csi-external-resizer | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-csi-external-resizer | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-csi-external-resizer Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-csi-external-resizer image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-csi-external-resizer +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-csi-external-resizer ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-csi-external-resizer -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/provenance_info.md index 5f4f2965f6..ad4766b486 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-csi-external-snapshot-controller Image Signatures The **kubernetes-csi-external-snapshot-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-csi-external-snapshot-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-csi-external-snapshot-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshot-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-csi-external-snapshot-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-csi-external-snapshot-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md index c167800ed1..7f8c9e5e22 100644 
--- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-csi-external-snapshot-validation-webhook Image Signatures The **kubernetes-csi-external-snapshot-validation-webhook** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-csi-external-snapshot-validation-webhook Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-csi-external-snapshot-validation-webhook image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshot-validation-webhook image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. 
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-csi-external-snapshot-validation-webhook Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-csi-external-snapshot-validation-webhook image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/provenance_info.md index bdde4620c3..854bad36ff 100644 
--- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-csi-external-snapshotter Image Signatures The **kubernetes-csi-external-snapshotter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-csi-external-snapshotter Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-csi-external-snapshotter image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshotter image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-csi-external-snapshotter | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-csi-external-snapshotter | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-csi-external-snapshotter Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-csi-external-snapshotter image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-csi-external-snapshotter +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-csi-external-snapshotter ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-csi-external-snapshotter -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/provenance_info.md index 8a6e77d833..ac9874b4a0 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-csi-livenessprobe Image Signatures The **kubernetes-csi-livenessprobe** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-csi-livenessprobe Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-csi-livenessprobe image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-livenessprobe image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-csi-livenessprobe | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-csi-livenessprobe | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-csi-livenessprobe Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-csi-livenessprobe image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-csi-livenessprobe +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-csi-livenessprobe ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-csi-livenessprobe -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/provenance_info.md index 320248e8f7..09e6dde6a9 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-csi-node-driver-registrar Image Signatures The **kubernetes-csi-node-driver-registrar** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-csi-node-driver-registrar Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-csi-node-driver-registrar image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-node-driver-registrar image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-csi-node-driver-registrar | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-csi-node-driver-registrar | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-csi-node-driver-registrar Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-csi-node-driver-registrar image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-csi-node-driver-registrar +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-csi-node-driver-registrar ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-csi-node-driver-registrar -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-dashboard-metrics-scraper/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-dashboard-metrics-scraper/provenance_info.md index 8643e821f6..a11158bafe 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-dashboard-metrics-scraper/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/kubernetes-dashboard-metrics-scraper/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-dashboard-metrics-scraper Image Signatures The **kubernetes-dashboard-metrics-scraper** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-dashboard-metrics-scraper Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-dashboard-metrics-scraper image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-dashboard-metrics-scraper image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-dashboard-metrics-scraper | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-dashboard-metrics-scraper | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-dashboard-metrics-scraper Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-dashboard-metrics-scraper image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-dashboard-metrics-scraper +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-dashboard-metrics-scraper ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-dashboard-metrics-scraper -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-dashboard/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-dashboard/provenance_info.md index 132d4ed572..f6626e3c1e 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-dashboard/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-dashboard/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-dashboard Image Signatures The **kubernetes-dashboard** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-dashboard Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-dashboard image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-dashboard image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-dashboard | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-dashboard | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-dashboard Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-dashboard image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-dashboard +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-dashboard ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-dashboard -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/provenance_info.md index b691cc167b..a59ee8fbc1 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-dns-node-cache Image Signatures The **kubernetes-dns-node-cache** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-dns-node-cache Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-dns-node-cache image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-dns-node-cache image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-dns-node-cache | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-dns-node-cache | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-dns-node-cache Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-dns-node-cache image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-dns-node-cache +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-dns-node-cache ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-dns-node-cache -- diff --git a/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/provenance_info.md index 81cc9ce4b2..4eb902725d 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubernetes-ingress-defaultbackend Image Signatures The **kubernetes-ingress-defaultbackend** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubernetes-ingress-defaultbackend Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubernetes-ingress-defaultbackend image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-ingress-defaultbackend image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubernetes-ingress-defaultbackend | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubernetes-ingress-defaultbackend | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubernetes-ingress-defaultbackend Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubernetes-ingress-defaultbackend image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubernetes-ingress-defaultbackend +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubernetes-ingress-defaultbackend ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubernetes-ingress-defaultbackend -- diff --git a/content/chainguard/chainguard-images/reference/kubewatch/provenance_info.md b/content/chainguard/chainguard-images/reference/kubewatch/provenance_info.md index 071eaedf72..c0900f12ac 100644 --- a/content/chainguard/chainguard-images/reference/kubewatch/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubewatch/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kubewatch Image Signatures The **kubewatch** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kubewatch Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kubewatch image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubewatch image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kubewatch | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kubewatch | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kubewatch Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kubewatch image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kubewatch +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kubewatch ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kubewatch -- diff --git a/content/chainguard/chainguard-images/reference/kyverno-background-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-background-controller/provenance_info.md index 9febc2b513..0db391667f 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-background-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-background-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyverno-background-controller Image Signatures The **kyverno-background-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyverno-background-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyverno-background-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-background-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyverno-background-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyverno-background-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyverno-background-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyverno-background-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyverno-background-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyverno-background-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyverno-background-controller -- diff --git a/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/provenance_info.md index 11d495fbde..ec4a4ba957 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyverno-cleanup-controller Image Signatures The **kyverno-cleanup-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyverno-cleanup-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyverno-cleanup-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-cleanup-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyverno-cleanup-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyverno-cleanup-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyverno-cleanup-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyverno-cleanup-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyverno-cleanup-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyverno-cleanup-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyverno-cleanup-controller -- diff --git a/content/chainguard/chainguard-images/reference/kyverno-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-cli/provenance_info.md index 23cdccea61..c8699f93c9 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-cli/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyverno-cli Image Signatures The **kyverno-cli** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyverno-cli Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyverno-cli image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-cli image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyverno-cli | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyverno-cli | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyverno-cli Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyverno-cli image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyverno-cli +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyverno-cli ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyverno-cli -- diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/provenance_info.md index ac0298a6b2..42df06c2c0 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyverno-policy-reporter-plugin Image Signatures The **kyverno-policy-reporter-plugin** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyverno-policy-reporter-plugin Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyverno-policy-reporter-plugin image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-plugin image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyverno-policy-reporter-plugin | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyverno-policy-reporter-plugin | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyverno-policy-reporter-plugin Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyverno-policy-reporter-plugin image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyverno-policy-reporter-plugin +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyverno-policy-reporter-plugin ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyverno-policy-reporter-plugin -- diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/provenance_info.md index 54a1d7ad60..c32e54b9f2 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyverno-policy-reporter-reporter Image Signatures The **kyverno-policy-reporter-reporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyverno-policy-reporter-reporter Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyverno-policy-reporter-reporter image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-reporter image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyverno-policy-reporter-reporter | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyverno-policy-reporter-reporter | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyverno-policy-reporter-reporter Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyverno-policy-reporter-reporter image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyverno-policy-reporter-reporter +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyverno-policy-reporter-reporter ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyverno-policy-reporter-reporter -- diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/provenance_info.md index a4f714c1ad..16e64e6f10 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyverno-policy-reporter-ui Image Signatures The **kyverno-policy-reporter-ui** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyverno-policy-reporter-ui Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyverno-policy-reporter-ui image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-ui image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyverno-policy-reporter-ui | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyverno-policy-reporter-ui | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyverno-policy-reporter-ui Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyverno-policy-reporter-ui image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyverno-policy-reporter-ui +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyverno-policy-reporter-ui ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyverno-policy-reporter-ui -- diff --git a/content/chainguard/chainguard-images/reference/kyverno-reports-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-reports-controller/provenance_info.md index ffe5058319..c8464fd75a 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-reports-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-reports-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyverno-reports-controller Image Signatures The **kyverno-reports-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyverno-reports-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyverno-reports-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-reports-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyverno-reports-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyverno-reports-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyverno-reports-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyverno-reports-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyverno-reports-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyverno-reports-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyverno-reports-controller -- diff --git a/content/chainguard/chainguard-images/reference/kyverno/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno/provenance_info.md index a2d7a8b2bf..ae604e63c3 100644 --- a/content/chainguard/chainguard-images/reference/kyverno/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyverno Image Signatures The **kyverno** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyverno Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyverno image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyverno | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyverno | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyverno Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyverno image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyverno +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyverno ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyverno -- diff --git a/content/chainguard/chainguard-images/reference/kyvernopre/provenance_info.md b/content/chainguard/chainguard-images/reference/kyvernopre/provenance_info.md index aed45951a3..084cb86453 100644 --- a/content/chainguard/chainguard-images/reference/kyvernopre/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyvernopre/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying kyvernopre Image Signatures The **kyvernopre** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading kyvernopre Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the kyvernopre image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyvernopre image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/kyvernopre | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/kyvernopre | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying kyvernopre Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the kyvernopre image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/kyvernopre +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/kyvernopre ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/kyvernopre -- diff --git a/content/chainguard/chainguard-images/reference/loki/provenance_info.md b/content/chainguard/chainguard-images/reference/loki/provenance_info.md index 8fe5b26760..e3e92cd69e 100644 --- a/content/chainguard/chainguard-images/reference/loki/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/loki/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying loki Image Signatures The **loki** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading loki Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the loki image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the loki image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/loki | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/loki | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying loki Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the loki image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/loki +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/loki ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/loki -- diff --git a/content/chainguard/chainguard-images/reference/mariadb/provenance_info.md b/content/chainguard/chainguard-images/reference/mariadb/provenance_info.md index dcb1c3f7b7..63b936a613 100644 --- a/content/chainguard/chainguard-images/reference/mariadb/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/mariadb/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying mariadb Image Signatures The **mariadb** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading mariadb Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the mariadb image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the mariadb image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/mariadb | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/mariadb | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying mariadb Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the mariadb image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/mariadb +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/mariadb ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/mariadb -- diff --git a/content/chainguard/chainguard-images/reference/maven/provenance_info.md b/content/chainguard/chainguard-images/reference/maven/provenance_info.md index b0fed3ba32..fc65bff872 100644 --- a/content/chainguard/chainguard-images/reference/maven/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/maven/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying maven Image Signatures The **maven** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading maven Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the maven image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the maven image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/maven | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/maven | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying maven Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the maven image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/maven +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/maven ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/maven -- diff --git a/content/chainguard/chainguard-images/reference/mdbook/provenance_info.md b/content/chainguard/chainguard-images/reference/mdbook/provenance_info.md index 7da62f37dd..e1f0efde87 100644 --- a/content/chainguard/chainguard-images/reference/mdbook/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/mdbook/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying mdbook Image Signatures The **mdbook** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading mdbook Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the mdbook image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the mdbook image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/mdbook | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/mdbook | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying mdbook Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the mdbook image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/mdbook +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/mdbook ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/mdbook -- diff --git a/content/chainguard/chainguard-images/reference/meilisearch/provenance_info.md b/content/chainguard/chainguard-images/reference/meilisearch/provenance_info.md index 28e3df5889..73215c189c 100644 --- a/content/chainguard/chainguard-images/reference/meilisearch/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/meilisearch/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying meilisearch Image Signatures The **meilisearch** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading meilisearch Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the meilisearch image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the meilisearch image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/meilisearch | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/meilisearch | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying meilisearch Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the meilisearch image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/meilisearch +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/meilisearch ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/meilisearch -- diff --git a/content/chainguard/chainguard-images/reference/melange/provenance_info.md b/content/chainguard/chainguard-images/reference/melange/provenance_info.md index 757a4a6382..2546ff0a87 100644 --- a/content/chainguard/chainguard-images/reference/melange/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/melange/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying melange Image Signatures The **melange** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading melange Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the melange image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the melange image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/melange | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/melange | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying melange Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the melange image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/melange +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/melange ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/melange -- diff --git a/content/chainguard/chainguard-images/reference/memcached-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/memcached-exporter/provenance_info.md index 692b7a349d..12df3dcb28 100644 --- a/content/chainguard/chainguard-images/reference/memcached-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/memcached-exporter/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying memcached-exporter Image Signatures The **memcached-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading memcached-exporter Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the memcached-exporter image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the memcached-exporter image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/memcached-exporter | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/memcached-exporter | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying memcached-exporter Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the memcached-exporter image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/memcached-exporter +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/memcached-exporter ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/memcached-exporter -- diff --git a/content/chainguard/chainguard-images/reference/memcached/provenance_info.md b/content/chainguard/chainguard-images/reference/memcached/provenance_info.md index 0b9ec9e4b3..a54f52c898 100644 --- a/content/chainguard/chainguard-images/reference/memcached/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/memcached/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying memcached Image Signatures The **memcached** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading memcached Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the memcached image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the memcached image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/memcached | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/memcached | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying memcached Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the memcached image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/memcached +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/memcached ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/memcached -- diff --git a/content/chainguard/chainguard-images/reference/metacontroller/provenance_info.md b/content/chainguard/chainguard-images/reference/metacontroller/provenance_info.md index 179fa9d512..24d956ad53 100644 --- a/content/chainguard/chainguard-images/reference/metacontroller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/metacontroller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying metacontroller Image Signatures The **metacontroller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading metacontroller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the metacontroller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the metacontroller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/metacontroller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/metacontroller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying metacontroller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the metacontroller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/metacontroller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/metacontroller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/metacontroller -- diff --git a/content/chainguard/chainguard-images/reference/metrics-server/provenance_info.md b/content/chainguard/chainguard-images/reference/metrics-server/provenance_info.md index 8c011e3751..0052aa499e 100644 --- a/content/chainguard/chainguard-images/reference/metrics-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/metrics-server/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying metrics-server Image Signatures The **metrics-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading metrics-server Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the metrics-server image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the metrics-server image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/metrics-server | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/metrics-server | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying metrics-server Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the metrics-server image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/metrics-server +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/metrics-server ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/metrics-server -- diff --git a/content/chainguard/chainguard-images/reference/minio-client/provenance_info.md b/content/chainguard/chainguard-images/reference/minio-client/provenance_info.md index 5f318d52c8..cd9a30d1d1 100644 --- a/content/chainguard/chainguard-images/reference/minio-client/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/minio-client/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying minio-client Image Signatures The **minio-client** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading minio-client Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the minio-client image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the minio-client image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/minio-client | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/minio-client | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying minio-client Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the minio-client image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/minio-client +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/minio-client ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/minio-client -- diff --git a/content/chainguard/chainguard-images/reference/minio/provenance_info.md b/content/chainguard/chainguard-images/reference/minio/provenance_info.md index e8253c3784..ee3076b1b3 100644 --- a/content/chainguard/chainguard-images/reference/minio/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/minio/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying minio Image Signatures The **minio** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading minio Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the minio image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the minio image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/minio | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/minio | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying minio Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the minio image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/minio +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/minio ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/minio -- diff --git a/content/chainguard/chainguard-images/reference/nats/provenance_info.md b/content/chainguard/chainguard-images/reference/nats/provenance_info.md index 177d04a6ad..3e64edeae1 100644 --- a/content/chainguard/chainguard-images/reference/nats/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nats/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying nats Image Signatures The **nats** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading nats Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the nats image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nats image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/nats | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/nats | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying nats Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the nats image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/nats +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/nats ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/nats -- diff --git a/content/chainguard/chainguard-images/reference/netcat/provenance_info.md b/content/chainguard/chainguard-images/reference/netcat/provenance_info.md index 93b4631da7..ddaba629f8 100644 --- a/content/chainguard/chainguard-images/reference/netcat/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/netcat/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying netcat Image Signatures The **netcat** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading netcat Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the netcat image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the netcat image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/netcat | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/netcat | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying netcat Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the netcat image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/netcat +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/netcat ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/netcat -- diff --git a/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/provenance_info.md index 063f23ce27..e5337b76e7 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying newrelic-fluent-bit-output Image Signatures The **newrelic-fluent-bit-output** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading newrelic-fluent-bit-output Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the newrelic-fluent-bit-output image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-fluent-bit-output image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/newrelic-fluent-bit-output | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/newrelic-fluent-bit-output | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying newrelic-fluent-bit-output Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the newrelic-fluent-bit-output image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/newrelic-fluent-bit-output +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/newrelic-fluent-bit-output ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/newrelic-fluent-bit-output -- diff --git a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/provenance_info.md index a88ed84af4..da9c83836b 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying newrelic-infrastructure-bundle Image Signatures The **newrelic-infrastructure-bundle** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading newrelic-infrastructure-bundle Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the newrelic-infrastructure-bundle image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-infrastructure-bundle image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/newrelic-infrastructure-bundle | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/newrelic-infrastructure-bundle | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying newrelic-infrastructure-bundle Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the newrelic-infrastructure-bundle image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/newrelic-infrastructure-bundle +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/newrelic-infrastructure-bundle ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/newrelic-infrastructure-bundle -- diff --git a/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/provenance_info.md index 3cb9549d7b..28cf587175 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying newrelic-k8s-events-forwarder Image Signatures The **newrelic-k8s-events-forwarder** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading newrelic-k8s-events-forwarder Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the newrelic-k8s-events-forwarder image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-k8s-events-forwarder image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/newrelic-k8s-events-forwarder | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/newrelic-k8s-events-forwarder | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying newrelic-k8s-events-forwarder Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the newrelic-k8s-events-forwarder image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/newrelic-k8s-events-forwarder +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/newrelic-k8s-events-forwarder ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/newrelic-k8s-events-forwarder -- diff --git a/content/chainguard/chainguard-images/reference/newrelic-kube-events/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-kube-events/provenance_info.md index 7945eda907..bcfa6f0a1d 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-kube-events/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-kube-events/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying newrelic-kube-events Image Signatures The **newrelic-kube-events** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading newrelic-kube-events Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the newrelic-kube-events image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-kube-events image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/newrelic-kube-events | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/newrelic-kube-events | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying newrelic-kube-events Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the newrelic-kube-events image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/newrelic-kube-events +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/newrelic-kube-events ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/newrelic-kube-events -- diff --git a/content/chainguard/chainguard-images/reference/newrelic-kubernetes/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-kubernetes/provenance_info.md index 9d95261fc7..7a139acda5 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-kubernetes/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-kubernetes/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying newrelic-kubernetes Image Signatures The **newrelic-kubernetes** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading newrelic-kubernetes Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the newrelic-kubernetes image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-kubernetes image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/newrelic-kubernetes | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/newrelic-kubernetes | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying newrelic-kubernetes Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the newrelic-kubernetes image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/newrelic-kubernetes +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/newrelic-kubernetes ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/newrelic-kubernetes -- diff --git a/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/provenance_info.md index 3d9d784e3b..655773232e 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying newrelic-prometheus-configurator Image Signatures The **newrelic-prometheus-configurator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading newrelic-prometheus-configurator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the newrelic-prometheus-configurator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-prometheus-configurator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/newrelic-prometheus-configurator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/newrelic-prometheus-configurator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying newrelic-prometheus-configurator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the newrelic-prometheus-configurator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/newrelic-prometheus-configurator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/newrelic-prometheus-configurator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/newrelic-prometheus-configurator -- diff --git a/content/chainguard/chainguard-images/reference/newrelic-prometheus/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-prometheus/provenance_info.md index 90578b5340..eefd1559b9 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-prometheus/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-prometheus/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying newrelic-prometheus Image Signatures The **newrelic-prometheus** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading newrelic-prometheus Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the newrelic-prometheus image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-prometheus image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/newrelic-prometheus | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/newrelic-prometheus | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying newrelic-prometheus Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the newrelic-prometheus image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/newrelic-prometheus +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/newrelic-prometheus ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/newrelic-prometheus -- diff --git a/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/provenance_info.md b/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/provenance_info.md index c77fe8d0d7..9b18e32d11 100644 --- a/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying nfs-subdir-external-provisioner Image Signatures The **nfs-subdir-external-provisioner** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading nfs-subdir-external-provisioner Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the nfs-subdir-external-provisioner image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nfs-subdir-external-provisioner image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/nfs-subdir-external-provisioner | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/nfs-subdir-external-provisioner | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying nfs-subdir-external-provisioner Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the nfs-subdir-external-provisioner image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/nfs-subdir-external-provisioner +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/nfs-subdir-external-provisioner ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/nfs-subdir-external-provisioner -- diff --git a/content/chainguard/chainguard-images/reference/nginx/provenance_info.md b/content/chainguard/chainguard-images/reference/nginx/provenance_info.md index 7a2cf5e7f2..d7c5c30a93 100644 --- a/content/chainguard/chainguard-images/reference/nginx/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nginx/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying nginx Image Signatures The **nginx** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading nginx Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the nginx image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nginx image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/nginx | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/nginx | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying nginx Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the nginx image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/nginx +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/nginx ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/nginx -- diff --git a/content/chainguard/chainguard-images/reference/node-lts/provenance_info.md b/content/chainguard/chainguard-images/reference/node-lts/provenance_info.md index 3b52e09b9e..50690655a8 100644 --- a/content/chainguard/chainguard-images/reference/node-lts/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/node-lts/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying node-lts Image Signatures The **node-lts** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading node-lts Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the node-lts image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node-lts image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/node-lts | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/node-lts | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying node-lts Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the node-lts image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/node-lts +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/node-lts ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/node-lts -- diff --git a/content/chainguard/chainguard-images/reference/node-problem-detector/provenance_info.md b/content/chainguard/chainguard-images/reference/node-problem-detector/provenance_info.md index 38e02d3b9b..35f653ba5a 100644 --- a/content/chainguard/chainguard-images/reference/node-problem-detector/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/node-problem-detector/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying node-problem-detector Image Signatures The **node-problem-detector** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading node-problem-detector Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the node-problem-detector image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node-problem-detector image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/node-problem-detector | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/node-problem-detector | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying node-problem-detector Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the node-problem-detector image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/node-problem-detector +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/node-problem-detector ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/node-problem-detector -- diff --git a/content/chainguard/chainguard-images/reference/node/provenance_info.md b/content/chainguard/chainguard-images/reference/node/provenance_info.md index 83b04b44d2..a2cae3d424 100644 --- a/content/chainguard/chainguard-images/reference/node/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/node/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying node Image Signatures The **node** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading node Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the node image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/node | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/node | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying node Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the node image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/node +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/node ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/node -- diff --git a/content/chainguard/chainguard-images/reference/nodetaint/provenance_info.md b/content/chainguard/chainguard-images/reference/nodetaint/provenance_info.md index 6d3311b056..eb1b09276d 100644 --- a/content/chainguard/chainguard-images/reference/nodetaint/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nodetaint/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying nodetaint Image Signatures The **nodetaint** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading nodetaint Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the nodetaint image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nodetaint image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/nodetaint | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/nodetaint | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying nodetaint Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the nodetaint image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/nodetaint +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/nodetaint ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/nodetaint -- diff --git a/content/chainguard/chainguard-images/reference/ntpd-rs/provenance_info.md b/content/chainguard/chainguard-images/reference/ntpd-rs/provenance_info.md index fcd02b6113..e2c96804b9 100644 --- a/content/chainguard/chainguard-images/reference/ntpd-rs/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ntpd-rs/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying ntpd-rs Image Signatures The **ntpd-rs** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading ntpd-rs Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the ntpd-rs image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ntpd-rs image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/ntpd-rs | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/ntpd-rs | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying ntpd-rs Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the ntpd-rs image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/ntpd-rs +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/ntpd-rs ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/ntpd-rs -- diff --git a/content/chainguard/chainguard-images/reference/nvidia-device-plugin/provenance_info.md b/content/chainguard/chainguard-images/reference/nvidia-device-plugin/provenance_info.md index 24cd91c3a1..1668c06539 100644 --- a/content/chainguard/chainguard-images/reference/nvidia-device-plugin/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nvidia-device-plugin/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying nvidia-device-plugin Image Signatures The **nvidia-device-plugin** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading nvidia-device-plugin Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the nvidia-device-plugin image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nvidia-device-plugin image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/nvidia-device-plugin | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/nvidia-device-plugin | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying nvidia-device-plugin Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the nvidia-device-plugin image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/nvidia-device-plugin +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/nvidia-device-plugin ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/nvidia-device-plugin -- diff --git a/content/chainguard/chainguard-images/reference/oauth2-proxy/provenance_info.md b/content/chainguard/chainguard-images/reference/oauth2-proxy/provenance_info.md index 28adecb5bb..067ea781d1 100644 --- a/content/chainguard/chainguard-images/reference/oauth2-proxy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/oauth2-proxy/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying oauth2-proxy Image Signatures The **oauth2-proxy** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading oauth2-proxy Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the oauth2-proxy image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the oauth2-proxy image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/oauth2-proxy | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/oauth2-proxy | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying oauth2-proxy Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the oauth2-proxy image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/oauth2-proxy +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/oauth2-proxy ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/oauth2-proxy -- diff --git a/content/chainguard/chainguard-images/reference/oauth2-proxy/tags_history.md b/content/chainguard/chainguard-images/reference/oauth2-proxy/tags_history.md index d63b0d6404..a096716767 100644 --- a/content/chainguard/chainguard-images/reference/oauth2-proxy/tags_history.md +++ b/content/chainguard/chainguard-images/reference/oauth2-proxy/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 7th | `sha256:7b17aebcba9ff0db760d02516500b7f54dd2a3f9e807af5609cb2ea23572063d` | -| `latest` | October 30th | `sha256:1f583b819476025b84da5760c344054006e4237788362e5368daef02632d4ede` | +| `latest-dev` | November 8th | `sha256:0abcb8656c81bd892c1317218b7aa966c4e399cb064f9077cf473b6a5db246c3` | +| `latest` | November 8th | `sha256:10e215348e45f7a35ce906d538b5ed2e01eb1fc58b860b05df7aadf4ddfe0372` | diff --git a/content/chainguard/chainguard-images/reference/openai/provenance_info.md b/content/chainguard/chainguard-images/reference/openai/provenance_info.md index ee0413cde0..50d99cddff 100644 --- a/content/chainguard/chainguard-images/reference/openai/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/openai/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying openai Image Signatures The **openai** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading openai Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the openai image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the openai image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/openai | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/openai | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying openai Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the openai image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/openai +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/openai ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/openai -- diff --git a/content/chainguard/chainguard-images/reference/opensearch/provenance_info.md b/content/chainguard/chainguard-images/reference/opensearch/provenance_info.md index 005498a32b..2e6f34304f 100644 --- a/content/chainguard/chainguard-images/reference/opensearch/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/opensearch/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying opensearch Image Signatures The **opensearch** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading opensearch Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the opensearch image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opensearch image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/opensearch | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/opensearch | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying opensearch Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the opensearch image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/opensearch +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/opensearch ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/opensearch -- diff --git a/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/provenance_info.md b/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/provenance_info.md index a78ff0dc30..868ba0e2d1 100644 --- a/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying opentelemetry-collector-contrib Image Signatures The **opentelemetry-collector-contrib** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading opentelemetry-collector-contrib Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the opentelemetry-collector-contrib image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opentelemetry-collector-contrib image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/opentelemetry-collector-contrib | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/opentelemetry-collector-contrib | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying opentelemetry-collector-contrib Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the opentelemetry-collector-contrib image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/opentelemetry-collector-contrib +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/opentelemetry-collector-contrib ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/opentelemetry-collector-contrib -- diff --git a/content/chainguard/chainguard-images/reference/opentofu/provenance_info.md b/content/chainguard/chainguard-images/reference/opentofu/provenance_info.md index 0efa988bb6..527fad6b93 100644 --- a/content/chainguard/chainguard-images/reference/opentofu/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/opentofu/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying opentofu Image Signatures The **opentofu** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading opentofu Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the opentofu image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opentofu image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/opentofu | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/opentofu | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying opentofu Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the opentofu image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/opentofu +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/opentofu ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/opentofu -- diff --git a/content/chainguard/chainguard-images/reference/paranoia/provenance_info.md b/content/chainguard/chainguard-images/reference/paranoia/provenance_info.md index b43b8470a4..fe090e18a2 100644 --- a/content/chainguard/chainguard-images/reference/paranoia/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/paranoia/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying paranoia Image Signatures The **paranoia** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading paranoia Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the paranoia image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the paranoia image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/paranoia | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/paranoia | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying paranoia Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the paranoia image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/paranoia +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/paranoia ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/paranoia -- diff --git a/content/chainguard/chainguard-images/reference/pgbouncer/provenance_info.md b/content/chainguard/chainguard-images/reference/pgbouncer/provenance_info.md index 674865c636..1a3461e58b 100644 --- a/content/chainguard/chainguard-images/reference/pgbouncer/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/pgbouncer/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying pgbouncer Image Signatures The **pgbouncer** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading pgbouncer Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the pgbouncer image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the pgbouncer image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/pgbouncer | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/pgbouncer | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying pgbouncer Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the pgbouncer image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/pgbouncer +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/pgbouncer ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/pgbouncer -- diff --git a/content/chainguard/chainguard-images/reference/php/provenance_info.md b/content/chainguard/chainguard-images/reference/php/provenance_info.md index d20019d0a5..5f9a60c454 100644 --- a/content/chainguard/chainguard-images/reference/php/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/php/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying php Image Signatures The **php** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading php Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the php image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the php image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/php | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/php | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying php Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the php image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/php +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/php ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/php -- diff --git a/content/chainguard/chainguard-images/reference/postgres/provenance_info.md b/content/chainguard/chainguard-images/reference/postgres/provenance_info.md index afbcfab116..84c0f8dced 100644 --- a/content/chainguard/chainguard-images/reference/postgres/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/postgres/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying postgres Image Signatures The **postgres** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading postgres Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the postgres image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the postgres image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/postgres | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/postgres | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying postgres Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the postgres image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/postgres +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/postgres ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/postgres -- diff --git a/content/chainguard/chainguard-images/reference/powershell/provenance_info.md b/content/chainguard/chainguard-images/reference/powershell/provenance_info.md index e06c54bce5..c175a888da 100644 --- a/content/chainguard/chainguard-images/reference/powershell/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/powershell/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying powershell Image Signatures The **powershell** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading powershell Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the powershell image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the powershell image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/powershell | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/powershell | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying powershell Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the powershell image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/powershell +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/powershell ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/powershell -- diff --git a/content/chainguard/chainguard-images/reference/prometheus-adapter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-adapter/provenance_info.md index 02ec937f2a..87cea19918 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-adapter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-adapter/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus-adapter Image Signatures The **prometheus-adapter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading prometheus-adapter Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the prometheus-adapter image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-adapter image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/prometheus-adapter | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/prometheus-adapter | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying prometheus-adapter Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the prometheus-adapter image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/prometheus-adapter +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/prometheus-adapter ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/prometheus-adapter -- diff --git a/content/chainguard/chainguard-images/reference/prometheus-alertmanager/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-alertmanager/provenance_info.md index 98a2080e46..bb418b3baa 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-alertmanager/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-alertmanager/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus-alertmanager Image Signatures The **prometheus-alertmanager** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
 
-## Downloading and Verifying SBOMs
+## Downloading prometheus-alertmanager Image Attestations
 
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the prometheus-alertmanager image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-alertmanager image on `unix/amd64`:
 
 ```shell
 cosign download attestation \
+    --platform=unix/amd64 \
     --predicate-type=https://spdx.dev/Document \
-    cgr.dev/chainguard/prometheus-alertmanager | jq -r .payload | base64 -d | jq
+    cgr.dev/chainguard/prometheus-alertmanager | jq -r .payload | base64 -d | jq .predicate
 ```
 
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying prometheus-alertmanager Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the prometheus-alertmanager image attestations:
 
 ```shell
 cosign verify-attestation \
-    --type https://spdx.dev/Document \
-    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
-    --platform=linux/amd64 \
-    cgr.dev/chainguard/prometheus-alertmanager
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/prometheus-alertmanager
 ```
 
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 
 ```
 Verification for cgr.dev/chainguard/prometheus-alertmanager --
diff --git a/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/provenance_info.md
index 158c7222f5..1f6554e7c2 100644
--- a/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
 
-## Verifying Image Signatures
+## Verifying prometheus-cloudwatch-exporter Image Signatures
 
 The **prometheus-cloudwatch-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`.
 
 The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
 
-## Downloading and Verifying SBOMs
+## Downloading prometheus-cloudwatch-exporter Image Attestations
 
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the prometheus-cloudwatch-exporter image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-cloudwatch-exporter image on `unix/amd64`:
 
 ```shell
 cosign download attestation \
+    --platform=unix/amd64 \
     --predicate-type=https://spdx.dev/Document \
-    cgr.dev/chainguard/prometheus-cloudwatch-exporter | jq -r .payload | base64 -d | jq
+    cgr.dev/chainguard/prometheus-cloudwatch-exporter | jq -r .payload | base64 -d | jq .predicate
 ```
 
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying prometheus-cloudwatch-exporter Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the prometheus-cloudwatch-exporter image attestations:
 
 ```shell
 cosign verify-attestation \
-    --type https://spdx.dev/Document \
-    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
-    --platform=linux/amd64 \
-    cgr.dev/chainguard/prometheus-cloudwatch-exporter
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/prometheus-cloudwatch-exporter
 ```
 
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 
 ```
 Verification for cgr.dev/chainguard/prometheus-cloudwatch-exporter --
diff --git a/content/chainguard/chainguard-images/reference/prometheus-config-reloader/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-config-reloader/provenance_info.md
index 7d7d475192..4ecb0f5325 100644
--- a/content/chainguard/chainguard-images/reference/prometheus-config-reloader/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/prometheus-config-reloader/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
 
-## Verifying Image Signatures
+## Verifying prometheus-config-reloader Image Signatures
 
 The **prometheus-config-reloader** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`.
 
 The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
 
-## Downloading and Verifying SBOMs
+## Downloading prometheus-config-reloader Image Attestations
 
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the prometheus-config-reloader image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-config-reloader image on `unix/amd64`:
 
 ```shell
 cosign download attestation \
+    --platform=unix/amd64 \
     --predicate-type=https://spdx.dev/Document \
-    cgr.dev/chainguard/prometheus-config-reloader | jq -r .payload | base64 -d | jq
+    cgr.dev/chainguard/prometheus-config-reloader | jq -r .payload | base64 -d | jq .predicate
 ```
 
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying prometheus-config-reloader Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the prometheus-config-reloader image attestations:
 
 ```shell
 cosign verify-attestation \
-    --type https://spdx.dev/Document \
-    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
-    --platform=linux/amd64 \
-    cgr.dev/chainguard/prometheus-config-reloader
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/prometheus-config-reloader
 ```
 
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 
 ```
 Verification for cgr.dev/chainguard/prometheus-config-reloader --
diff --git a/content/chainguard/chainguard-images/reference/prometheus-config-reloader/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-config-reloader/tags_history.md
index d3350630c1..be1431110a 100644
--- a/content/chainguard/chainguard-images/reference/prometheus-config-reloader/tags_history.md
+++ b/content/chainguard/chainguard-images/reference/prometheus-config-reloader/tags_history.md
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th
 
 | Tag (s) | Last Changed | Digest |
 |---------------|--------------|---------------------------------------------------------------------------|
-| `latest` | November 7th | `sha256:61f546cc4f0070ea4fd678ebf602a192c4f23d773c313af2616968f0cd883af8` |
-| `latest-dev` | November 7th | `sha256:bbf73c1c91c0cb879efcf63ec1014506172839e956828baaafe7a784507165a6` |
+| `latest` | November 8th | `sha256:fae178252f880842b8f3aed4e1b71348d4e79b8d62cd959f077773d591912593` |
+| `latest-dev` | November 8th | `sha256:d3aecb2206389745b31ea5bc2fb8b25e0931c49f0aa5d1f96a234fcaaced0bdb` |
 
diff --git a/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/provenance_info.md
index 6a099abc4b..c0afb4bb6c 100644
--- a/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
 
-## Verifying Image Signatures
+## Verifying prometheus-elasticsearch-exporter Image Signatures
 
 The **prometheus-elasticsearch-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`.
 
 The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
 
-## Downloading and Verifying SBOMs
+## Downloading prometheus-elasticsearch-exporter Image Attestations
 
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the prometheus-elasticsearch-exporter image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-elasticsearch-exporter image on `unix/amd64`:
 
 ```shell
 cosign download attestation \
+    --platform=unix/amd64 \
     --predicate-type=https://spdx.dev/Document \
-    cgr.dev/chainguard/prometheus-elasticsearch-exporter | jq -r .payload | base64 -d | jq
+    cgr.dev/chainguard/prometheus-elasticsearch-exporter | jq -r .payload | base64 -d | jq .predicate
 ```
 
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying prometheus-elasticsearch-exporter Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the prometheus-elasticsearch-exporter image attestations:
 
 ```shell
 cosign verify-attestation \
-    --type https://spdx.dev/Document \
-    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
-    --platform=linux/amd64 \
-    cgr.dev/chainguard/prometheus-elasticsearch-exporter
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/prometheus-elasticsearch-exporter
 ```
 
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 
 ```
 Verification for cgr.dev/chainguard/prometheus-elasticsearch-exporter --
diff --git a/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/provenance_info.md
index 2b180330f0..eefe9ff154 100644
--- a/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
 
-## Verifying Image Signatures
+## Verifying prometheus-mongodb-exporter Image Signatures
 
 The **prometheus-mongodb-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`.
 
 The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
 
-## Downloading and Verifying SBOMs
+## Downloading prometheus-mongodb-exporter Image Attestations
 
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the prometheus-mongodb-exporter image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-mongodb-exporter image on `unix/amd64`:
 
 ```shell
 cosign download attestation \
+    --platform=unix/amd64 \
     --predicate-type=https://spdx.dev/Document \
-    cgr.dev/chainguard/prometheus-mongodb-exporter | jq -r .payload | base64 -d | jq
+    cgr.dev/chainguard/prometheus-mongodb-exporter | jq -r .payload | base64 -d | jq .predicate
 ```
 
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying prometheus-mongodb-exporter Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the prometheus-mongodb-exporter image attestations:
 
 ```shell
 cosign verify-attestation \
-    --type https://spdx.dev/Document \
-    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
-    --platform=linux/amd64 \
-    cgr.dev/chainguard/prometheus-mongodb-exporter
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/prometheus-mongodb-exporter
 ```
 
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 
 ```
 Verification for cgr.dev/chainguard/prometheus-mongodb-exporter --
diff --git a/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/provenance_info.md
index 859fe16ccb..fc6d596673 100644
--- a/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
 
-## Verifying Image Signatures
+## Verifying prometheus-mysqld-exporter Image Signatures
 
 The **prometheus-mysqld-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`.
 
 The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
 
-## Downloading and Verifying SBOMs
+## Downloading prometheus-mysqld-exporter Image Attestations
 
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the prometheus-mysqld-exporter image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-mysqld-exporter image on `unix/amd64`:
 
 ```shell
 cosign download attestation \
+    --platform=unix/amd64 \
     --predicate-type=https://spdx.dev/Document \
-    cgr.dev/chainguard/prometheus-mysqld-exporter | jq -r .payload | base64 -d | jq
+    cgr.dev/chainguard/prometheus-mysqld-exporter | jq -r .payload | base64 -d | jq .predicate
 ```
 
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying prometheus-mysqld-exporter Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the prometheus-mysqld-exporter image attestations:
 
 ```shell
 cosign verify-attestation \
-    --type https://spdx.dev/Document \
-    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
-    --platform=linux/amd64 \
-    cgr.dev/chainguard/prometheus-mysqld-exporter
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/prometheus-mysqld-exporter
 ```
 
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 
 ```
 Verification for cgr.dev/chainguard/prometheus-mysqld-exporter --
diff --git a/content/chainguard/chainguard-images/reference/prometheus-node-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-node-exporter/provenance_info.md
index df6c3d3b2d..4a5e75c876 100644
--- a/content/chainguard/chainguard-images/reference/prometheus-node-exporter/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/prometheus-node-exporter/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
 
-## Verifying Image Signatures
+## Verifying prometheus-node-exporter Image Signatures
 
 The **prometheus-node-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`.
 
 The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
 
-## Downloading and Verifying SBOMs
+## Downloading prometheus-node-exporter Image Attestations
 
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the prometheus-node-exporter image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-node-exporter image on `unix/amd64`:
 
 ```shell
 cosign download attestation \
+    --platform=unix/amd64 \
     --predicate-type=https://spdx.dev/Document \
-    cgr.dev/chainguard/prometheus-node-exporter | jq -r .payload | base64 -d | jq
+    cgr.dev/chainguard/prometheus-node-exporter | jq -r .payload | base64 -d | jq .predicate
 ```
 
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying prometheus-node-exporter Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the prometheus-node-exporter image attestations:
 
 ```shell
 cosign verify-attestation \
-    --type https://spdx.dev/Document \
-    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
-    --platform=linux/amd64 \
-    cgr.dev/chainguard/prometheus-node-exporter
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/prometheus-node-exporter
 ```
 
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 
 ```
 Verification for cgr.dev/chainguard/prometheus-node-exporter --
diff --git a/content/chainguard/chainguard-images/reference/prometheus-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-operator/provenance_info.md
index 0e42a62ebb..4bdd78c479 100644
--- a/content/chainguard/chainguard-images/reference/prometheus-operator/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/prometheus-operator/provenance_info.md
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus-operator Image Signatures The **prometheus-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading prometheus-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the prometheus-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/prometheus-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/prometheus-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying prometheus-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the prometheus-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/prometheus-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/prometheus-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/prometheus-operator -- diff --git a/content/chainguard/chainguard-images/reference/prometheus-operator/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-operator/tags_history.md index f9662e1564..f8b6020430 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-operator/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 7th | `sha256:0947ee0b70cf9805080d91425e0bb828f0098373d01d674279270b3d2fc5a3cb` | -| `latest` | November 7th | `sha256:98aca5d2a6fc7394e9b0bc7c588d88fcafb3200f9f282dba137a8e550a2c09cc` | +| `latest-dev` | November 8th | `sha256:742ecab5bfc7b0b74e60b06f5438d06bd0f6a330538e85a2fd3f21967ee2c4a5` | +| `latest` | November 8th | `sha256:358e5f9f8db491b9d936525ef60b3843da2b92d53ae3f7c5cb52a0d7cc65734b` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/provenance_info.md index fc3194d943..49dd1754f5 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus-postgres-exporter Image Signatures The **prometheus-postgres-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading prometheus-postgres-exporter Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the prometheus-postgres-exporter image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-postgres-exporter image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/prometheus-postgres-exporter | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/prometheus-postgres-exporter | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying prometheus-postgres-exporter Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the prometheus-postgres-exporter image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/prometheus-postgres-exporter +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/prometheus-postgres-exporter ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/prometheus-postgres-exporter -- diff --git a/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/provenance_info.md index 9883576259..26e2209ae6 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus-pushgateway-bitnami Image Signatures The **prometheus-pushgateway-bitnami** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading prometheus-pushgateway-bitnami Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the prometheus-pushgateway-bitnami image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-pushgateway-bitnami image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/prometheus-pushgateway-bitnami | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/prometheus-pushgateway-bitnami | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying prometheus-pushgateway-bitnami Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the prometheus-pushgateway-bitnami image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/prometheus-pushgateway-bitnami +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/prometheus-pushgateway-bitnami ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/prometheus-pushgateway-bitnami -- diff --git a/content/chainguard/chainguard-images/reference/prometheus-pushgateway/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-pushgateway/provenance_info.md index 4f8e1e94de..34e6174a3d 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-pushgateway/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-pushgateway/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus-pushgateway Image Signatures The **prometheus-pushgateway** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading prometheus-pushgateway Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the prometheus-pushgateway image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-pushgateway image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/prometheus-pushgateway | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/prometheus-pushgateway | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying prometheus-pushgateway Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the prometheus-pushgateway image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/prometheus-pushgateway +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/prometheus-pushgateway ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/prometheus-pushgateway -- diff --git a/content/chainguard/chainguard-images/reference/prometheus-pushgateway/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-pushgateway/tags_history.md index 6e87234bb2..b5bd87fa24 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-pushgateway/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-pushgateway/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest-dev` | November 7th | `sha256:ebab074d921282e927b60f74322300f7fefe9a62f5b4e4a015986c61b650c1fb` | -| `latest` | October 30th | `sha256:7ffebd23f91fe481d33778d068bc94b89ce499c2d0ca9d9603d4f592fae800e0` | +| `latest-dev` | November 8th | `sha256:5a5a73cc0b0ef72577602660763151dee4ee1a37939f8e9147e88d2098da69c6` | +| `latest` | November 8th | `sha256:beb489206fb58e57beeaba25071365e033487f11240755869b74981714e744c0` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/provenance_info.md index 1d243f6cad..9e1678919b 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus-redis-exporter Image Signatures The **prometheus-redis-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading prometheus-redis-exporter Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the prometheus-redis-exporter image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-redis-exporter image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/prometheus-redis-exporter | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/prometheus-redis-exporter | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying prometheus-redis-exporter Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the prometheus-redis-exporter image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/prometheus-redis-exporter +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/prometheus-redis-exporter ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/prometheus-redis-exporter -- diff --git a/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/provenance_info.md index 0da84b20e7..da74ba72c1 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus-statsd-exporter Image Signatures The **prometheus-statsd-exporter** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading prometheus-statsd-exporter Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the prometheus-statsd-exporter image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-statsd-exporter image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/prometheus-statsd-exporter | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/prometheus-statsd-exporter | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying prometheus-statsd-exporter Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the prometheus-statsd-exporter image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/prometheus-statsd-exporter +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/prometheus-statsd-exporter ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/prometheus-statsd-exporter -- diff --git a/content/chainguard/chainguard-images/reference/prometheus/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus/provenance_info.md index da6562a314..d8a010fdd8 100644 --- a/content/chainguard/chainguard-images/reference/prometheus/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying prometheus Image Signatures The **prometheus** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading prometheus Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the prometheus image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/prometheus | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/prometheus | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying prometheus Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the prometheus image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/prometheus +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/prometheus ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/prometheus -- diff --git a/content/chainguard/chainguard-images/reference/promtail/provenance_info.md b/content/chainguard/chainguard-images/reference/promtail/provenance_info.md index 1b5277a432..37df53682a 100644 --- a/content/chainguard/chainguard-images/reference/promtail/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/promtail/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying promtail Image Signatures The **promtail** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading promtail Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the promtail image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the promtail image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/promtail | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/promtail | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying promtail Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the promtail image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/promtail +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/promtail ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/promtail -- diff --git a/content/chainguard/chainguard-images/reference/proxysql/provenance_info.md b/content/chainguard/chainguard-images/reference/proxysql/provenance_info.md index 507472cc13..7f24add7df 100644 --- a/content/chainguard/chainguard-images/reference/proxysql/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/proxysql/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying proxysql Image Signatures The **proxysql** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading proxysql Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the proxysql image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the proxysql image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/proxysql | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/proxysql | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying proxysql Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the proxysql image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/proxysql +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/proxysql ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/proxysql -- diff --git a/content/chainguard/chainguard-images/reference/pulumi/provenance_info.md b/content/chainguard/chainguard-images/reference/pulumi/provenance_info.md index e271be5d44..586f580e45 100644 --- a/content/chainguard/chainguard-images/reference/pulumi/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/pulumi/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying pulumi Image Signatures The **pulumi** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading pulumi Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the pulumi image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the pulumi image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/pulumi | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/pulumi | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying pulumi Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the pulumi image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/pulumi +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/pulumi ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/pulumi -- diff --git a/content/chainguard/chainguard-images/reference/python/provenance_info.md b/content/chainguard/chainguard-images/reference/python/provenance_info.md index 4b5542e64a..1c61816f0a 100644 --- a/content/chainguard/chainguard-images/reference/python/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/python/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying python Image Signatures The **python** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading python Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the python image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the python image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/python | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/python | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying python Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the python image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/python +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/python ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/python -- diff --git a/content/chainguard/chainguard-images/reference/r-base/provenance_info.md b/content/chainguard/chainguard-images/reference/r-base/provenance_info.md index 3f6345bdf9..c0dafcd6da 100644 --- a/content/chainguard/chainguard-images/reference/r-base/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/r-base/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying r-base Image Signatures The **r-base** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading r-base Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the r-base image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the r-base image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/r-base | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/r-base | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying r-base Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the r-base image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/r-base +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/r-base ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/r-base -- diff --git a/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/provenance_info.md index a4bbfa9a91..81002169e5 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying rabbitmq-cluster-operator Image Signatures The **rabbitmq-cluster-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading rabbitmq-cluster-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the rabbitmq-cluster-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq-cluster-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/rabbitmq-cluster-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/rabbitmq-cluster-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying rabbitmq-cluster-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the rabbitmq-cluster-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/rabbitmq-cluster-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/rabbitmq-cluster-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/rabbitmq-cluster-operator -- diff --git a/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/provenance_info.md index b4eebb389c..23423104f6 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying rabbitmq-messaging-topology-operator Image Signatures The **rabbitmq-messaging-topology-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading rabbitmq-messaging-topology-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the rabbitmq-messaging-topology-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq-messaging-topology-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/rabbitmq-messaging-topology-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/rabbitmq-messaging-topology-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying rabbitmq-messaging-topology-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the rabbitmq-messaging-topology-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/rabbitmq-messaging-topology-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/rabbitmq-messaging-topology-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/rabbitmq-messaging-topology-operator -- diff --git a/content/chainguard/chainguard-images/reference/rabbitmq/provenance_info.md b/content/chainguard/chainguard-images/reference/rabbitmq/provenance_info.md index d1c157af3f..77ab007991 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq/provenance_info.md 
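Review bot: The new `--platform=unix/amd64` in the `cosign download attestation` example is not a valid OCI platform — the OS component uses GOOS names such as `linux`, and the removed `verify-attestation` line in this same hunk used `linux/amd64` — so as written the download will not match any manifest in the image index. The example and the sentence introducing it should read `--platform=linux/amd64 \` and "on `linux/amd64`". The rewritten `verify-attestation` command also drops the former `--platform=linux/amd64` line; if the attestations are attached to the per-platform images rather than to the index, verification without it may find nothing, which is worth confirming against a real run before publishing. The same issues repeat in every provenance_info.md hunk in this diff (rabbitmq, redis-cluster-bitnami, redis-sentinel-bitnami, redis-sentinel, redis-server-bitnami, redis, rekor-backfill-redis), and since these pages appear to be generated, the fix presumably belongs in whatever produces them. As a point of style, the continuation lines of the new `verify-attestation` block also lost their leading indent, which reads as an accidental reformat rather than an intended change.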
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying rabbitmq Image Signatures The **rabbitmq** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading rabbitmq Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the rabbitmq image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/rabbitmq | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/rabbitmq | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying rabbitmq Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the rabbitmq image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/rabbitmq +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/rabbitmq ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/rabbitmq -- diff --git a/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/provenance_info.md index b82d033cbe..9de0706e14 100644 --- a/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying redis-cluster-bitnami Image Signatures The **redis-cluster-bitnami** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading redis-cluster-bitnami Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the redis-cluster-bitnami image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-cluster-bitnami image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/redis-cluster-bitnami | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/redis-cluster-bitnami | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying redis-cluster-bitnami Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the redis-cluster-bitnami image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/redis-cluster-bitnami +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/redis-cluster-bitnami ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/redis-cluster-bitnami -- diff --git a/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/provenance_info.md index 63b7831cb8..ae97a27f94 100644 --- a/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying redis-sentinel-bitnami Image Signatures The **redis-sentinel-bitnami** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading redis-sentinel-bitnami Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the redis-sentinel-bitnami image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-sentinel-bitnami image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/redis-sentinel-bitnami | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/redis-sentinel-bitnami | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying redis-sentinel-bitnami Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the redis-sentinel-bitnami image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/redis-sentinel-bitnami +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/redis-sentinel-bitnami ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/redis-sentinel-bitnami -- diff --git a/content/chainguard/chainguard-images/reference/redis-sentinel/provenance_info.md b/content/chainguard/chainguard-images/reference/redis-sentinel/provenance_info.md index 8f959ed0eb..bf4025df74 100644 --- a/content/chainguard/chainguard-images/reference/redis-sentinel/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis-sentinel/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying redis-sentinel Image Signatures The **redis-sentinel** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading redis-sentinel Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the redis-sentinel image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-sentinel image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/redis-sentinel | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/redis-sentinel | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying redis-sentinel Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the redis-sentinel image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/redis-sentinel +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/redis-sentinel ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/redis-sentinel -- diff --git a/content/chainguard/chainguard-images/reference/redis-server-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/redis-server-bitnami/provenance_info.md index 5916c312ca..77c6b94682 100644 --- a/content/chainguard/chainguard-images/reference/redis-server-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis-server-bitnami/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying redis-server-bitnami Image Signatures The **redis-server-bitnami** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading redis-server-bitnami Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the redis-server-bitnami image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-server-bitnami image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/redis-server-bitnami | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/redis-server-bitnami | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying redis-server-bitnami Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the redis-server-bitnami image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/redis-server-bitnami +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/redis-server-bitnami ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/redis-server-bitnami -- diff --git a/content/chainguard/chainguard-images/reference/redis/provenance_info.md b/content/chainguard/chainguard-images/reference/redis/provenance_info.md index 48a9ce36f5..642cc8c08d 100644 --- a/content/chainguard/chainguard-images/reference/redis/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying redis Image Signatures The **redis** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading redis Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the redis image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/redis | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/redis | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying redis Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the redis image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/redis +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/redis ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/redis -- diff --git a/content/chainguard/chainguard-images/reference/rekor-backfill-redis/provenance_info.md b/content/chainguard/chainguard-images/reference/rekor-backfill-redis/provenance_info.md index 31fb663b66..735fd2b14a 100644 --- a/content/chainguard/chainguard-images/reference/rekor-backfill-redis/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rekor-backfill-redis/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying rekor-backfill-redis Image Signatures The **rekor-backfill-redis** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading rekor-backfill-redis Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the rekor-backfill-redis image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-backfill-redis image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/rekor-backfill-redis | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/rekor-backfill-redis | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying rekor-backfill-redis Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the rekor-backfill-redis image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/rekor-backfill-redis +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/rekor-backfill-redis ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/rekor-backfill-redis -- diff --git a/content/chainguard/chainguard-images/reference/rekor-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/rekor-cli/provenance_info.md index b73d761377..81f6ffacd3 100644 --- a/content/chainguard/chainguard-images/reference/rekor-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rekor-cli/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying rekor-cli Image Signatures The **rekor-cli** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading rekor-cli Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the rekor-cli image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-cli image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/rekor-cli | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/rekor-cli | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying rekor-cli Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the rekor-cli image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/rekor-cli +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/rekor-cli ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/rekor-cli -- diff --git a/content/chainguard/chainguard-images/reference/rekor-server/provenance_info.md b/content/chainguard/chainguard-images/reference/rekor-server/provenance_info.md index 823b13ffa9..ecc8692ec3 100644 --- a/content/chainguard/chainguard-images/reference/rekor-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rekor-server/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying rekor-server Image Signatures The **rekor-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading rekor-server Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the rekor-server image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-server image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/rekor-server | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/rekor-server | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying rekor-server Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the rekor-server image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/rekor-server +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/rekor-server ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/rekor-server -- diff --git a/content/chainguard/chainguard-images/reference/rqlite/provenance_info.md b/content/chainguard/chainguard-images/reference/rqlite/provenance_info.md index 1eb5f68384..c7c95cdd18 100644 --- a/content/chainguard/chainguard-images/reference/rqlite/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rqlite/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying rqlite Image Signatures The **rqlite** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading rqlite Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the rqlite image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rqlite image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/rqlite | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/rqlite | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying rqlite Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the rqlite image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/rqlite +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/rqlite ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/rqlite -- diff --git a/content/chainguard/chainguard-images/reference/ruby/provenance_info.md b/content/chainguard/chainguard-images/reference/ruby/provenance_info.md index dee70e4a53..239ecfc522 100644 --- a/content/chainguard/chainguard-images/reference/ruby/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ruby/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying ruby Image Signatures The **ruby** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading ruby Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the ruby image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ruby image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/ruby | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/ruby | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying ruby Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the ruby image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/ruby +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/ruby ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/ruby -- diff --git a/content/chainguard/chainguard-images/reference/rust/provenance_info.md b/content/chainguard/chainguard-images/reference/rust/provenance_info.md index c8f9404b48..ffdb93934c 100644 --- a/content/chainguard/chainguard-images/reference/rust/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rust/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying rust Image Signatures The **rust** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading rust Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the rust image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rust image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/rust | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/rust | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying rust Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the rust image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/rust +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/rust ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/rust -- diff --git a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/provenance_info.md b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/provenance_info.md index e5540a1cfb..e30aff97e6 100644 --- a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying secrets-store-csi-driver-provider-gcp Image Signatures The **secrets-store-csi-driver-provider-gcp** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading secrets-store-csi-driver-provider-gcp Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the secrets-store-csi-driver-provider-gcp image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the secrets-store-csi-driver-provider-gcp image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying secrets-store-csi-driver-provider-gcp Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the secrets-store-csi-driver-provider-gcp image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp -- diff --git a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/provenance_info.md b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/provenance_info.md index 711e62d4ec..9093a86de6 100644 --- a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying secrets-store-csi-driver Image Signatures The **secrets-store-csi-driver** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading secrets-store-csi-driver Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the secrets-store-csi-driver image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the secrets-store-csi-driver image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/secrets-store-csi-driver | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/secrets-store-csi-driver | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying secrets-store-csi-driver Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the secrets-store-csi-driver image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/secrets-store-csi-driver +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/secrets-store-csi-driver ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/secrets-store-csi-driver -- diff --git a/content/chainguard/chainguard-images/reference/semgrep/provenance_info.md b/content/chainguard/chainguard-images/reference/semgrep/provenance_info.md index 8e19fc9828..513838c372 100644 --- a/content/chainguard/chainguard-images/reference/semgrep/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/semgrep/provenance_info.md 
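Review bot: The new download example uses `--platform=unix/amd64` (and the prose says "on `unix/amd64`"), but `unix` is not an OCI/GOOS operating-system value and the previous revision of this same page used `linux/amd64`, so the command as written is unlikely to resolve a platform-specific image. The hunk also drops `--platform=linux/amd64` from the `cosign verify-attestation` command, so the download and verify steps no longer address the same per-platform image; if attestations are attached per platform, the verify step may not locate the attestation that was just downloaded. Because `cosign download attestation` performs no signature check, the page now decodes and prints `.predicate` before any verification happens, so I would add after the download command: `Note that this command only fetches the attestation; run the verification command in the next section before relying on its contents.` Proposed lines: `--platform=linux/amd64 \` in the download command and restoring `  --platform=linux/amd64 \` in the verify-attestation command. The same defect appears in every other provenance_info.md hunk in this diff (semgrep, sigstore-scaffolding-cloudsqlproxy, -ctlog-createctconfig, -ctlog-managectroots, -ctlog-verifyfulcio, -fulcio-createcerts, -getoidctoken), which are generated from the same template.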
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying semgrep Image Signatures The **semgrep** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading semgrep Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the semgrep image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the semgrep image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/semgrep | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/semgrep | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying semgrep Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the semgrep image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/semgrep +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/semgrep ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/semgrep -- diff --git a/content/chainguard/chainguard-images/reference/semgrep/tags_history.md b/content/chainguard/chainguard-images/reference/semgrep/tags_history.md index 4f836d5565..b29317b723 100644 --- a/content/chainguard/chainguard-images/reference/semgrep/tags_history.md +++ b/content/chainguard/chainguard-images/reference/semgrep/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest` | November 7th | `sha256:a7b0673d34b0d810adddca4a9dd5a0835ff7e006134ea698d442eb6ad13b742b` | -| `latest-dev` | November 7th | `sha256:0bebe8326a38c10307a3c6031b0261ce9c4d8bad61f40a67b15c6039d4f5fd52` | +| `latest` | November 8th | `sha256:3638372b4ee7bab6757d938547ab9b13b6eaf6c9298984ac847c76606c39f1d8` | +| `latest-dev` | November 8th | `sha256:4d3774c8685f90b73e6e71eb7ff93861981941abcfb58b146c9f77cc9a2be6b9` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/provenance_info.md index 99cecc50c2..dce4c905f5 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-cloudsqlproxy Image Signatures The **sigstore-scaffolding-cloudsqlproxy** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-cloudsqlproxy Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-cloudsqlproxy image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-cloudsqlproxy image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-cloudsqlproxy Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-cloudsqlproxy image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/provenance_info.md index 960c08bf08..ebe2b447db 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-ctlog-createctconfig Image Signatures The **sigstore-scaffolding-ctlog-createctconfig** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-ctlog-createctconfig Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-ctlog-createctconfig image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-createctconfig image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-ctlog-createctconfig Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-ctlog-createctconfig image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/provenance_info.md index f5c61a092d..fa3234aefb 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-ctlog-managectroots Image Signatures The **sigstore-scaffolding-ctlog-managectroots** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-ctlog-managectroots Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-ctlog-managectroots image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-managectroots image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-ctlog-managectroots Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-ctlog-managectroots image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md index 81d493fd9c..7e4c801889 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-ctlog-verifyfulcio Image Signatures The **sigstore-scaffolding-ctlog-verifyfulcio** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-ctlog-verifyfulcio Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-ctlog-verifyfulcio image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-verifyfulcio image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-ctlog-verifyfulcio Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-ctlog-verifyfulcio image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/provenance_info.md index 1b1254f160..386668f954 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-fulcio-createcerts Image Signatures The **sigstore-scaffolding-fulcio-createcerts** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-fulcio-createcerts Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-fulcio-createcerts image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-fulcio-createcerts image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-fulcio-createcerts Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-fulcio-createcerts image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/provenance_info.md index 95818b6b28..4f2160702c 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-getoidctoken Image Signatures The **sigstore-scaffolding-getoidctoken** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-getoidctoken Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-getoidctoken image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-getoidctoken image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-getoidctoken | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-getoidctoken | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-getoidctoken Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-getoidctoken image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-getoidctoken +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-getoidctoken ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-getoidctoken -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/provenance_info.md index bf05bd1653..6b9e8c07ab 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-rekor-createsecret Image Signatures The **sigstore-scaffolding-rekor-createsecret** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-rekor-createsecret Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-rekor-createsecret image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-rekor-createsecret image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-rekor-createsecret Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-rekor-createsecret image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/provenance_info.md index 07384ea544..578bf10f98 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-trillian-createdb Image Signatures The **sigstore-scaffolding-trillian-createdb** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-trillian-createdb Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-trillian-createdb image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-createdb image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-trillian-createdb Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-trillian-createdb image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/provenance_info.md index 9d0f4116df..14678108a2 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-trillian-createtree Image Signatures The **sigstore-scaffolding-trillian-createtree** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-trillian-createtree Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-trillian-createtree image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-createtree image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-trillian-createtree Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-trillian-createtree image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/provenance_info.md index d2689eeaad..57f2166d5f 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-trillian-updatetree Image Signatures The **sigstore-scaffolding-trillian-updatetree** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-trillian-updatetree Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-trillian-updatetree image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-updatetree image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-trillian-updatetree Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-trillian-updatetree image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/provenance_info.md index e51cc7a13f..718c29d408 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-tsa-createcertchain Image Signatures The **sigstore-scaffolding-tsa-createcertchain** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-tsa-createcertchain Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-tsa-createcertchain image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tsa-createcertchain image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-tsa-createcertchain Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-tsa-createcertchain image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/provenance_info.md index b20e285403..0903a50529 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-tuf-createsecret Image Signatures The **sigstore-scaffolding-tuf-createsecret** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-tuf-createsecret Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-tuf-createsecret image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tuf-createsecret image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-tuf-createsecret Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-tuf-createsecret image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret -- diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/provenance_info.md index 7514308a78..ac8f5a0f64 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying sigstore-scaffolding-tuf-server Image Signatures The **sigstore-scaffolding-tuf-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading sigstore-scaffolding-tuf-server Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the sigstore-scaffolding-tuf-server image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tuf-server image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/sigstore-scaffolding-tuf-server | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/sigstore-scaffolding-tuf-server | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying sigstore-scaffolding-tuf-server Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the sigstore-scaffolding-tuf-server image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/sigstore-scaffolding-tuf-server +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/sigstore-scaffolding-tuf-server ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/sigstore-scaffolding-tuf-server -- diff --git a/content/chainguard/chainguard-images/reference/skaffold/provenance_info.md b/content/chainguard/chainguard-images/reference/skaffold/provenance_info.md index a79d81623a..2f9c9eb707 100644 --- a/content/chainguard/chainguard-images/reference/skaffold/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/skaffold/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying skaffold Image Signatures The **skaffold** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading skaffold Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the skaffold image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the skaffold image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/skaffold | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/skaffold | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying skaffold Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the skaffold image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/skaffold +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/skaffold ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/skaffold -- diff --git a/content/chainguard/chainguard-images/reference/skaffold/tags_history.md b/content/chainguard/chainguard-images/reference/skaffold/tags_history.md index 9e4742e6ff..f029cddbc3 100644 --- a/content/chainguard/chainguard-images/reference/skaffold/tags_history.md +++ b/content/chainguard/chainguard-images/reference/skaffold/tags_history.md 
@@ -25,6 +25,6 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|--------------|---------------------------------------------------------------------------| -| `latest` | November 7th | `sha256:06fce987fd20b8e36515007fa9f15134a32ca624322a9aaa372d87a51164ba86` | -| `latest-dev` | November 7th | `sha256:2dfe8f2e46da20f624adf1e0212a68fc5e5890ab428ea49fb050e0cb57acb06d` | +| `latest-dev` | November 8th | `sha256:2a678f57269f5531d6f8944b255b7c43ad44a43a6019abfe6eca447ef6abb8e7` | +| `latest` | November 8th | `sha256:54629a2ad74ddbe5dfd18cf65768e9478a2100f50bef5fc8c58ff9405efb87cb` | diff --git a/content/chainguard/chainguard-images/reference/slim-toolkit-debug/provenance_info.md b/content/chainguard/chainguard-images/reference/slim-toolkit-debug/provenance_info.md index 0c763f1e0a..6b022140e9 100644 --- a/content/chainguard/chainguard-images/reference/slim-toolkit-debug/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/slim-toolkit-debug/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying slim-toolkit-debug Image Signatures The **slim-toolkit-debug** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading slim-toolkit-debug Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the slim-toolkit-debug image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the slim-toolkit-debug image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/slim-toolkit-debug | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/slim-toolkit-debug | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying slim-toolkit-debug Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the slim-toolkit-debug image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/slim-toolkit-debug +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/slim-toolkit-debug ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/slim-toolkit-debug -- diff --git a/content/chainguard/chainguard-images/reference/smarter-device-manager/provenance_info.md b/content/chainguard/chainguard-images/reference/smarter-device-manager/provenance_info.md index c115732cbd..7f18fe757c 100644 --- a/content/chainguard/chainguard-images/reference/smarter-device-manager/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/smarter-device-manager/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying smarter-device-manager Image Signatures The **smarter-device-manager** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading smarter-device-manager Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the smarter-device-manager image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the smarter-device-manager image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/smarter-device-manager | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/smarter-device-manager | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying smarter-device-manager Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the smarter-device-manager image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/smarter-device-manager +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/smarter-device-manager ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/smarter-device-manager -- diff --git a/content/chainguard/chainguard-images/reference/spark-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/spark-operator/provenance_info.md index 05310c5aaa..dfd5632f57 100644 --- a/content/chainguard/chainguard-images/reference/spark-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/spark-operator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying spark-operator Image Signatures The **spark-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading spark-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the spark-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spark-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/spark-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/spark-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying spark-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the spark-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/spark-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/spark-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/spark-operator -- diff --git a/content/chainguard/chainguard-images/reference/spire-agent/provenance_info.md b/content/chainguard/chainguard-images/reference/spire-agent/provenance_info.md index 4cd0c8fd88..952c942a9b 100644 --- a/content/chainguard/chainguard-images/reference/spire-agent/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/spire-agent/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying spire-agent Image Signatures The **spire-agent** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading spire-agent Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the spire-agent image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-agent image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/spire-agent | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/spire-agent | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying spire-agent Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the spire-agent image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/spire-agent +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/spire-agent ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/spire-agent -- diff --git a/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/provenance_info.md b/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/provenance_info.md index 5afa7d70ca..0539a4d25b 100644 --- a/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying spire-oidc-discovery-provider Image Signatures The **spire-oidc-discovery-provider** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading spire-oidc-discovery-provider Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the spire-oidc-discovery-provider image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-oidc-discovery-provider image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/spire-oidc-discovery-provider | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/spire-oidc-discovery-provider | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying spire-oidc-discovery-provider Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the spire-oidc-discovery-provider image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/spire-oidc-discovery-provider +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/spire-oidc-discovery-provider ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/spire-oidc-discovery-provider -- diff --git a/content/chainguard/chainguard-images/reference/spire-server/provenance_info.md b/content/chainguard/chainguard-images/reference/spire-server/provenance_info.md index 4cce03d666..356263a5c0 100644 --- a/content/chainguard/chainguard-images/reference/spire-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/spire-server/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying spire-server Image Signatures The **spire-server** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading spire-server Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the spire-server image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-server image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/spire-server | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/spire-server | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying spire-server Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the spire-server image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/spire-server +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/spire-server ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/spire-server -- diff --git a/content/chainguard/chainguard-images/reference/stakater-reloader/provenance_info.md b/content/chainguard/chainguard-images/reference/stakater-reloader/provenance_info.md index b197044751..859db2e618 100644 --- a/content/chainguard/chainguard-images/reference/stakater-reloader/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/stakater-reloader/provenance_info.md 
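Review bot: The new `cosign download attestation` example passes `--platform=unix/amd64`, which is not an OCI platform string (`os` is `linux`); the `verify-attestation` example removed in this same hunk used `linux/amd64`, and the prose above the command repeats `unix/amd64`, so readers copying it will get no attestation back. Change it to `--platform=linux/amd64 \` and the sentence to "on `linux/amd64`". The rewritten `verify-attestation` command also drops `--platform`; since the download example itself says the platform is required, the attestations appear to be attached per-platform rather than to the index, so verifying the bare `cgr.dev/chainguard/spire-server` tag likely needs `--platform=linux/amd64 \` restored as well — confirm against cosign 2.x. Both issues recur verbatim in every provenance_info.md in this changeset, so the generating template is the place to fix them.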
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying stakater-reloader Image Signatures The **stakater-reloader** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading stakater-reloader Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the stakater-reloader image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the stakater-reloader image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/stakater-reloader | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/stakater-reloader | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying stakater-reloader Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the stakater-reloader image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/stakater-reloader +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/stakater-reloader ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/stakater-reloader -- diff --git a/content/chainguard/chainguard-images/reference/static/provenance_info.md b/content/chainguard/chainguard-images/reference/static/provenance_info.md index 870414e345..88dd39b02f 100644 --- a/content/chainguard/chainguard-images/reference/static/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/static/provenance_info.md 
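Review bot: `--platform=unix/amd64` in the new download example is not a valid OCI platform (`linux/amd64` is, as the removed verify-attestation flag in this hunk shows), and the introductory sentence repeats the wrong value; copying the command yields no SBOM. Use `--platform=linux/amd64 \` and "on `linux/amd64`" in the prose. The new `verify-attestation` block also removes `--platform`; given the download command requires a platform, the attestation is presumably per-image rather than on the index, so `--platform=linux/amd64 \` probably needs to stay for verification of the bare tag to succeed. This is the same generated template as the other provenance_info.md files, so fix it at the source.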
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying static Image Signatures The **static** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading static Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the static image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the static image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/static | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/static | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying static Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the static image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/static +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/static ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/static -- diff --git a/content/chainguard/chainguard-images/reference/stunnel/provenance_info.md b/content/chainguard/chainguard-images/reference/stunnel/provenance_info.md index a091db9814..26a338bf46 100644 --- a/content/chainguard/chainguard-images/reference/stunnel/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/stunnel/provenance_info.md 
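Review bot: The added `--platform=unix/amd64` is not an OCI platform string; the same hunk removes `--platform=linux/amd64`, which is the value the download command needs, and the sentence before the command repeats `unix/amd64`. Replace with `--platform=linux/amd64 \` and "on `linux/amd64`". Dropping `--platform` from the `verify-attestation` example is also questionable: if the attestations are attached per-platform (which the download example's platform requirement implies), verification against `cgr.dev/chainguard/static` without `--platform=linux/amd64 \` will likely find nothing — worth checking before shipping. Fix the generator rather than this file.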
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying stunnel Image Signatures The **stunnel** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading stunnel Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the stunnel image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the stunnel image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/stunnel | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/stunnel | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying stunnel Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the stunnel image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/stunnel +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/stunnel ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/stunnel -- diff --git a/content/chainguard/chainguard-images/reference/tekton-chains/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-chains/provenance_info.md index b2129f0cee..aad5b100e5 100644 --- a/content/chainguard/chainguard-images/reference/tekton-chains/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-chains/provenance_info.md 
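Review bot: `--platform=unix/amd64` is not a valid platform for `cosign download attestation`; `linux/amd64`, the value removed elsewhere in this hunk, is. The prose "on `unix/amd64`" has the same typo. Change both to `linux/amd64`. The new `verify-attestation` example also loses its `--platform` flag; since the download step requires a platform, the attestation is presumably attached to the per-arch image, so `--platform=linux/amd64 \` should likely be kept for the verification of the bare tag to succeed — confirm with cosign 2.x. The same template defect appears in every provenance_info.md in this commit.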
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying tekton-chains Image Signatures The **tekton-chains** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading tekton-chains Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the tekton-chains image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-chains image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/tekton-chains | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/tekton-chains | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying tekton-chains Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the tekton-chains image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/tekton-chains +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/tekton-chains ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/tekton-chains -- diff --git a/content/chainguard/chainguard-images/reference/tekton-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-cli/provenance_info.md index d7636292aa..60916505bf 100644 --- a/content/chainguard/chainguard-images/reference/tekton-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-cli/provenance_info.md 
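Review bot: The new download example uses `--platform=unix/amd64`, which is not an OCI platform; the hunk's own removed line shows the correct `linux/amd64`, and the explanatory sentence repeats `unix/amd64`. Use `--platform=linux/amd64 \` and "on `linux/amd64`". The rewritten `verify-attestation` command removes `--platform` entirely; because the download example states the platform is required, the attestations are likely per-platform, and verification of `cgr.dev/chainguard/tekton-chains` probably needs `--platform=linux/amd64 \` restored — verify against cosign 2.x before publishing. This is a generated template issue shared across all provenance_info.md files here.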
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying tekton-cli Image Signatures The **tekton-cli** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading tekton-cli Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the tekton-cli image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-cli image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/tekton-cli | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/tekton-cli | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying tekton-cli Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the tekton-cli image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/tekton-cli +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/tekton-cli ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/tekton-cli -- diff --git a/content/chainguard/chainguard-images/reference/tekton-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-controller/provenance_info.md index ad0bf5b198..8a63f37192 100644 --- a/content/chainguard/chainguard-images/reference/tekton-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-controller/provenance_info.md 
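Review bot: `--platform=unix/amd64` in the added download command is not an OCI platform string and will not match any image; the removed verify-attestation line in this hunk shows the right value, `linux/amd64`, and the prose above repeats the wrong one. Change both to `linux/amd64`. Removing `--platform` from the `verify-attestation` example may also break it, since the download example implies attestations are attached per-platform rather than to the index; keep `--platform=linux/amd64 \` unless verified otherwise with cosign 2.x. Same template defect as the sibling provenance_info.md files — fix the generator.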
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying tekton-controller Image Signatures The **tekton-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading tekton-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the tekton-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/tekton-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/tekton-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying tekton-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the tekton-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/tekton-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/tekton-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/tekton-controller -- diff --git a/content/chainguard/chainguard-images/reference/tekton-entrypoint/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-entrypoint/provenance_info.md index 108dce0b98..ab938cc0ba 100644 --- a/content/chainguard/chainguard-images/reference/tekton-entrypoint/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-entrypoint/provenance_info.md 
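Review bot: The download example's `--platform=unix/amd64` is not a valid OCI platform (`linux/amd64`, removed from the verify command in the same hunk, is), and "on `unix/amd64`" in the prose repeats it; readers will get no SBOM back. Replace with `--platform=linux/amd64 \` and "on `linux/amd64`". The new `verify-attestation` example also drops `--platform`; given the download command requires one, the attestation is presumably on the per-arch image, so verification of the bare `cgr.dev/chainguard/tekton-controller` tag likely still needs `--platform=linux/amd64 \` — confirm with cosign 2.x. This is the shared autodocs template, so correct it there.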
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying tekton-entrypoint Image Signatures The **tekton-entrypoint** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading tekton-entrypoint Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the tekton-entrypoint image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-entrypoint image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/tekton-entrypoint | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/tekton-entrypoint | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying tekton-entrypoint Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the tekton-entrypoint image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/tekton-entrypoint
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/tekton-entrypoint
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/tekton-entrypoint --
diff --git a/content/chainguard/chainguard-images/reference/tekton-events/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-events/provenance_info.md
index fd32c1a476..16bb7c4274 100644
--- a/content/chainguard/chainguard-images/reference/tekton-events/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/tekton-events/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying tekton-events Image Signatures
 The **tekton-events** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading tekton-events Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the tekton-events image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-events image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/tekton-events | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/tekton-events | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying tekton-events Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the tekton-events image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/tekton-events
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/tekton-events
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/tekton-events --
diff --git a/content/chainguard/chainguard-images/reference/tekton-nop/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-nop/provenance_info.md
index 613b9ba2e4..f7d580e470 100644
--- a/content/chainguard/chainguard-images/reference/tekton-nop/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/tekton-nop/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying tekton-nop Image Signatures
 The **tekton-nop** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading tekton-nop Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the tekton-nop image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-nop image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/tekton-nop | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/tekton-nop | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying tekton-nop Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the tekton-nop image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/tekton-nop
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/tekton-nop
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/tekton-nop --
diff --git a/content/chainguard/chainguard-images/reference/tekton-resolvers/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-resolvers/provenance_info.md
index 3edd5c780f..9d2f1e0bc7 100644
--- a/content/chainguard/chainguard-images/reference/tekton-resolvers/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/tekton-resolvers/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying tekton-resolvers Image Signatures
 The **tekton-resolvers** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading tekton-resolvers Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the tekton-resolvers image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-resolvers image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/tekton-resolvers | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/tekton-resolvers | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying tekton-resolvers Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the tekton-resolvers image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/tekton-resolvers
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/tekton-resolvers
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/tekton-resolvers --
diff --git a/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/provenance_info.md
index 058b4fc033..d014296d2f 100644
--- a/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying tekton-sidecarlogresults Image Signatures
 The **tekton-sidecarlogresults** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading tekton-sidecarlogresults Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the tekton-sidecarlogresults image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-sidecarlogresults image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/tekton-sidecarlogresults | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/tekton-sidecarlogresults | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying tekton-sidecarlogresults Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the tekton-sidecarlogresults image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/tekton-sidecarlogresults
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/tekton-sidecarlogresults
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/tekton-sidecarlogresults --
diff --git a/content/chainguard/chainguard-images/reference/tekton-webhook/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-webhook/provenance_info.md
index 4ad30cd4df..5474dba8fd 100644
--- a/content/chainguard/chainguard-images/reference/tekton-webhook/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/tekton-webhook/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying tekton-webhook Image Signatures
 The **tekton-webhook** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading tekton-webhook Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the tekton-webhook image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-webhook image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/tekton-webhook | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/tekton-webhook | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying tekton-webhook Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the tekton-webhook image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/tekton-webhook
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/tekton-webhook
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/tekton-webhook --
diff --git a/content/chainguard/chainguard-images/reference/tekton-workingdirinit/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-workingdirinit/provenance_info.md
index c1b53ee8a7..2fa48480e5 100644
--- a/content/chainguard/chainguard-images/reference/tekton-workingdirinit/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/tekton-workingdirinit/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying tekton-workingdirinit Image Signatures
 The **tekton-workingdirinit** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading tekton-workingdirinit Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the tekton-workingdirinit image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-workingdirinit image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/tekton-workingdirinit | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/tekton-workingdirinit | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying tekton-workingdirinit Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the tekton-workingdirinit image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/tekton-workingdirinit
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/tekton-workingdirinit
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/tekton-workingdirinit --
diff --git a/content/chainguard/chainguard-images/reference/telegraf/provenance_info.md b/content/chainguard/chainguard-images/reference/telegraf/provenance_info.md
index f6355e1e96..b07414f50a 100644
--- a/content/chainguard/chainguard-images/reference/telegraf/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/telegraf/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying telegraf Image Signatures
 The **telegraf** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading telegraf Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the telegraf image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the telegraf image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/telegraf | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/telegraf | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying telegraf Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the telegraf image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/telegraf +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/telegraf ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/telegraf -- diff --git a/content/chainguard/chainguard-images/reference/terraform/provenance_info.md b/content/chainguard/chainguard-images/reference/terraform/provenance_info.md index cffd4b085f..a7b0f5ec1d 100644 --- a/content/chainguard/chainguard-images/reference/terraform/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/terraform/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying terraform Image Signatures The **terraform** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading terraform Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the terraform image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the terraform image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/terraform | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/terraform | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying terraform Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the terraform image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/terraform +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/terraform ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/terraform -- diff --git a/content/chainguard/chainguard-images/reference/thanos-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/thanos-operator/provenance_info.md index 9bff7ac929..a3b30c6714 100644 --- a/content/chainguard/chainguard-images/reference/thanos-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/thanos-operator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying thanos-operator Image Signatures The **thanos-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading thanos-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the thanos-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the thanos-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/thanos-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/thanos-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying thanos-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the thanos-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/thanos-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/thanos-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/thanos-operator -- diff --git a/content/chainguard/chainguard-images/reference/thanos/provenance_info.md b/content/chainguard/chainguard-images/reference/thanos/provenance_info.md index 8b1159e0a8..4924c0e654 100644 --- a/content/chainguard/chainguard-images/reference/thanos/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/thanos/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying thanos Image Signatures The **thanos** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading thanos Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the thanos image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the thanos image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/thanos | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/thanos | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying thanos Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the thanos image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/thanos +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/thanos ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/thanos -- diff --git a/content/chainguard/chainguard-images/reference/tigera-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/tigera-operator/provenance_info.md index 9fee43e84b..14d4ac2267 100644 --- a/content/chainguard/chainguard-images/reference/tigera-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tigera-operator/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying tigera-operator Image Signatures The **tigera-operator** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading tigera-operator Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the tigera-operator image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tigera-operator image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/tigera-operator | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/tigera-operator | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying tigera-operator Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the tigera-operator image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/tigera-operator +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/tigera-operator ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/tigera-operator -- diff --git a/content/chainguard/chainguard-images/reference/timoni/provenance_info.md b/content/chainguard/chainguard-images/reference/timoni/provenance_info.md index 5b2b929281..b28936e91a 100644 --- a/content/chainguard/chainguard-images/reference/timoni/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/timoni/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying timoni Image Signatures The **timoni** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading timoni Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the timoni image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the timoni image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/timoni | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/timoni | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying timoni Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the timoni image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/timoni +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/timoni ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/timoni -- diff --git a/content/chainguard/chainguard-images/reference/tomcat/provenance_info.md b/content/chainguard/chainguard-images/reference/tomcat/provenance_info.md index 14c53fe94f..ec7b5e20d6 100644 --- a/content/chainguard/chainguard-images/reference/tomcat/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tomcat/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying tomcat Image Signatures The **tomcat** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading tomcat Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the tomcat image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tomcat image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/tomcat | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/tomcat | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying tomcat Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the tomcat image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/tomcat +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/tomcat ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/tomcat -- diff --git a/content/chainguard/chainguard-images/reference/traefik/provenance_info.md b/content/chainguard/chainguard-images/reference/traefik/provenance_info.md index 8f88542b4d..429eb58376 100644 --- a/content/chainguard/chainguard-images/reference/traefik/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/traefik/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying traefik Image Signatures The **traefik** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading traefik Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the traefik image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the traefik image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/traefik | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/traefik | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying traefik Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the traefik image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/traefik
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/traefik
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/traefik --
diff --git a/content/chainguard/chainguard-images/reference/trillian-logserver/provenance_info.md b/content/chainguard/chainguard-images/reference/trillian-logserver/provenance_info.md
index b5a441a5ec..4e8cf86aa0 100644
--- a/content/chainguard/chainguard-images/reference/trillian-logserver/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/trillian-logserver/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying trillian-logserver Image Signatures
 The **trillian-logserver** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading trillian-logserver Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the trillian-logserver image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trillian-logserver image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/trillian-logserver | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/trillian-logserver | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying trillian-logserver Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the trillian-logserver image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/trillian-logserver
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/trillian-logserver
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/trillian-logserver --
diff --git a/content/chainguard/chainguard-images/reference/trillian-logsigner/provenance_info.md b/content/chainguard/chainguard-images/reference/trillian-logsigner/provenance_info.md
index bda882a9bc..54e0717a37 100644
--- a/content/chainguard/chainguard-images/reference/trillian-logsigner/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/trillian-logsigner/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying trillian-logsigner Image Signatures
 The **trillian-logsigner** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading trillian-logsigner Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the trillian-logsigner image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trillian-logsigner image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/trillian-logsigner | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/trillian-logsigner | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying trillian-logsigner Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the trillian-logsigner image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/trillian-logsigner
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/trillian-logsigner
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/trillian-logsigner --
diff --git a/content/chainguard/chainguard-images/reference/trino/provenance_info.md b/content/chainguard/chainguard-images/reference/trino/provenance_info.md
index da38f45b1b..1377afea97 100644
--- a/content/chainguard/chainguard-images/reference/trino/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/trino/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying trino Image Signatures
 The **trino** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading trino Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the trino image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trino image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/trino | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/trino | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying trino Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the trino image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/trino
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/trino
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/trino --
diff --git a/content/chainguard/chainguard-images/reference/trust-manager/provenance_info.md b/content/chainguard/chainguard-images/reference/trust-manager/provenance_info.md
index 4f5de9f5d3..0e6386277e 100644
--- a/content/chainguard/chainguard-images/reference/trust-manager/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/trust-manager/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying trust-manager Image Signatures
 The **trust-manager** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading trust-manager Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the trust-manager image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trust-manager image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/trust-manager | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/trust-manager | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying trust-manager Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the trust-manager image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/trust-manager
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/trust-manager
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/trust-manager --
diff --git a/content/chainguard/chainguard-images/reference/vault-k8s/provenance_info.md b/content/chainguard/chainguard-images/reference/vault-k8s/provenance_info.md
index 1fd5b010df..e2e5d21cf6 100644
--- a/content/chainguard/chainguard-images/reference/vault-k8s/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/vault-k8s/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying vault-k8s Image Signatures
 The **vault-k8s** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading vault-k8s Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the vault-k8s image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vault-k8s image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/vault-k8s | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/vault-k8s | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying vault-k8s Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the vault-k8s image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/vault-k8s
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/vault-k8s
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/vault-k8s --
diff --git a/content/chainguard/chainguard-images/reference/vault/provenance_info.md b/content/chainguard/chainguard-images/reference/vault/provenance_info.md
index 3ee26df5bc..de4b2081d4 100644
--- a/content/chainguard/chainguard-images/reference/vault/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/vault/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying vault Image Signatures
 The **vault** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading vault Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the vault image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vault image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/vault | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/vault | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying vault Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the vault image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/vault
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/vault
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/vault --
diff --git a/content/chainguard/chainguard-images/reference/vela-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/vela-cli/provenance_info.md
index 05189d8aa2..0a392b0998 100644
--- a/content/chainguard/chainguard-images/reference/vela-cli/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/vela-cli/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying vela-cli Image Signatures
 The **vela-cli** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading vela-cli Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the vela-cli image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vela-cli image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/vela-cli | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/vela-cli | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying vela-cli Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the vela-cli image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/vela-cli +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/vela-cli ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/vela-cli -- diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/provenance_info.md index 6ca9bd54e9..35bef95266 100644 --- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying vertical-pod-autoscaler-admission-controller Image Signatures The **vertical-pod-autoscaler-admission-controller** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading vertical-pod-autoscaler-admission-controller Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the vertical-pod-autoscaler-admission-controller image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-admission-controller image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. 
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying vertical-pod-autoscaler-admission-controller Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the vertical-pod-autoscaler-admission-controller image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller -- diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/provenance_info.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/provenance_info.md index 173b8886e8..24a15c6af2 100644 
--- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying vertical-pod-autoscaler-recommender Image Signatures The **vertical-pod-autoscaler-recommender** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading vertical-pod-autoscaler-recommender Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the vertical-pod-autoscaler-recommender image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-recommender image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/vertical-pod-autoscaler-recommender | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/vertical-pod-autoscaler-recommender | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying vertical-pod-autoscaler-recommender Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the vertical-pod-autoscaler-recommender image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/vertical-pod-autoscaler-recommender +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/vertical-pod-autoscaler-recommender ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/vertical-pod-autoscaler-recommender -- diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/provenance_info.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/provenance_info.md index 8029aa425e..bf1874dbf4 100644 --- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/provenance_info.md 
+++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/provenance_info.md @@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying vertical-pod-autoscaler-updater Image Signatures The **vertical-pod-autoscaler-updater** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading vertical-pod-autoscaler-updater Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the vertical-pod-autoscaler-updater image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-updater image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/vertical-pod-autoscaler-updater | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/vertical-pod-autoscaler-updater | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. 
You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying vertical-pod-autoscaler-updater Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the vertical-pod-autoscaler-updater image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/vertical-pod-autoscaler-updater +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/vertical-pod-autoscaler-updater ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/vertical-pod-autoscaler-updater -- diff --git a/content/chainguard/chainguard-images/reference/vt/provenance_info.md b/content/chainguard/chainguard-images/reference/vt/provenance_info.md index 8aeedd5a93..92c757460a 100644 --- a/content/chainguard/chainguard-images/reference/vt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vt/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying vt Image Signatures The **vt** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading vt Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the vt image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vt image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/vt | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/vt | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. 
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying vt Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the vt image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/vt +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/vt ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/vt -- diff --git a/content/chainguard/chainguard-images/reference/wait-for-it/provenance_info.md b/content/chainguard/chainguard-images/reference/wait-for-it/provenance_info.md index 2f7c771b73..33ce2088d2 100644 --- a/content/chainguard/chainguard-images/reference/wait-for-it/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wait-for-it/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying wait-for-it Image Signatures The **wait-for-it** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading wait-for-it Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the wait-for-it image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wait-for-it image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/wait-for-it | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/wait-for-it | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying wait-for-it Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the wait-for-it image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/wait-for-it +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/wait-for-it ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/wait-for-it -- diff --git a/content/chainguard/chainguard-images/reference/wasmer/provenance_info.md b/content/chainguard/chainguard-images/reference/wasmer/provenance_info.md index b823fbf22c..ce84572998 100644 --- a/content/chainguard/chainguard-images/reference/wasmer/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wasmer/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying wasmer Image Signatures The **wasmer** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent. By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. -## Downloading and Verifying SBOMs +## Downloading wasmer Image Attestations -All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: +The following [attestations](https://slsa.dev/attestation-model) for the wasmer image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wasmer image on `unix/amd64`: ```shell cosign download attestation \ + --platform=unix/amd64 \ --predicate-type=https://spdx.dev/Document \ - cgr.dev/chainguard/wasmer | jq -r .payload | base64 -d | jq + cgr.dev/chainguard/wasmer | jq -r .payload | base64 -d | jq .predicate ``` -By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. 
+ +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. -With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: +## Verifying wasmer Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the wasmer image attestations: ```shell cosign verify-attestation \ - --type https://spdx.dev/Document \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ - --platform=linux/amd64 \ - cgr.dev/chainguard/wasmer +--type https://spdx.dev/Document \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ +--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ +cgr.dev/chainguard/wasmer ``` -And you should get output that verifies the SBOM signature in cosign's transparency log: +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: ``` Verification for cgr.dev/chainguard/wasmer -- diff --git a/content/chainguard/chainguard-images/reference/wasmtime/provenance_info.md b/content/chainguard/chainguard-images/reference/wasmtime/provenance_info.md index 1ee095701d..f6218d3a3a 100644 --- a/content/chainguard/chainguard-images/reference/wasmtime/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wasmtime/provenance_info.md 
@@ -21,7 +21,7 @@ toc: true All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. -## Verifying Image Signatures +## Verifying wasmtime Image Signatures The **wasmtime** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. 
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading wasmtime Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the wasmtime image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wasmtime image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/wasmtime | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/wasmtime | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying wasmtime Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the wasmtime image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/wasmtime
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/wasmtime
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/wasmtime --
diff --git a/content/chainguard/chainguard-images/reference/wavefront-proxy/provenance_info.md b/content/chainguard/chainguard-images/reference/wavefront-proxy/provenance_info.md
index c8a081ab99..6e457ba820 100644
--- a/content/chainguard/chainguard-images/reference/wavefront-proxy/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/wavefront-proxy/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying wavefront-proxy Image Signatures
 The **wavefront-proxy** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading wavefront-proxy Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the wavefront-proxy image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wavefront-proxy image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/wavefront-proxy | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/wavefront-proxy | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying wavefront-proxy Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the wavefront-proxy image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/wavefront-proxy
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/wavefront-proxy
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/wavefront-proxy --
diff --git a/content/chainguard/chainguard-images/reference/wazero/provenance_info.md b/content/chainguard/chainguard-images/reference/wazero/provenance_info.md
index a836104dd8..6fd1e84b35 100644
--- a/content/chainguard/chainguard-images/reference/wazero/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/wazero/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying wazero Image Signatures
 The **wazero** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading wazero Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the wazero image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wazero image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/wazero | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/wazero | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying wazero Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the wazero image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/wazero
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/wazero
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/wazero --
diff --git a/content/chainguard/chainguard-images/reference/weaviate/provenance_info.md b/content/chainguard/chainguard-images/reference/weaviate/provenance_info.md
index 48f93f94b5..a8cdd7d938 100644
--- a/content/chainguard/chainguard-images/reference/weaviate/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/weaviate/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying weaviate Image Signatures
 The **weaviate** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading weaviate Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the weaviate image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the weaviate image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/weaviate | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/weaviate | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying weaviate Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the weaviate image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/weaviate
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/weaviate
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/weaviate --
diff --git a/content/chainguard/chainguard-images/reference/wolfi-base/provenance_info.md b/content/chainguard/chainguard-images/reference/wolfi-base/provenance_info.md
index e657d9a39d..57e229ef64 100644
--- a/content/chainguard/chainguard-images/reference/wolfi-base/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/wolfi-base/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying wolfi-base Image Signatures
 The **wolfi-base** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading wolfi-base Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the wolfi-base image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wolfi-base image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/wolfi-base | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/wolfi-base | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying wolfi-base Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the wolfi-base image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/wolfi-base
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/wolfi-base
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/wolfi-base --
diff --git a/content/chainguard/chainguard-images/reference/zig/provenance_info.md b/content/chainguard/chainguard-images/reference/zig/provenance_info.md
index 7047f5b5f0..be5a1e92e0 100644
--- a/content/chainguard/chainguard-images/reference/zig/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/zig/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying zig Image Signatures
 The **zig** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading zig Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the zig image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zig image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/zig | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/zig | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying zig Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the zig image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/zig
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/zig
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/zig --
diff --git a/content/chainguard/chainguard-images/reference/zookeeper/provenance_info.md b/content/chainguard/chainguard-images/reference/zookeeper/provenance_info.md
index 26fe767288..27bf892edc 100644
--- a/content/chainguard/chainguard-images/reference/zookeeper/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/zookeeper/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying zookeeper Image Signatures
 The **zookeeper** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading zookeeper Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the zookeeper image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zookeeper image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/zookeeper | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/zookeeper | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying zookeeper Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the zookeeper image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/zookeeper
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/zookeeper
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/zookeeper --
diff --git a/content/chainguard/chainguard-images/reference/zot/provenance_info.md b/content/chainguard/chainguard-images/reference/zot/provenance_info.md
index af73c9dbe0..63c36d4d55 100644
--- a/content/chainguard/chainguard-images/reference/zot/provenance_info.md
+++ b/content/chainguard/chainguard-images/reference/zot/provenance_info.md
@@ -21,7 +21,7 @@ toc: true
 All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
-## Verifying Image Signatures
+## Verifying zot Image Signatures
 The **zot** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
@@ -32,29 +32,41 @@ cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.
 By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for.
-## Downloading and Verifying SBOMs
+## Downloading zot Image Attestations
-All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
+The following [attestations](https://slsa.dev/attestation-model) for the zot image can be obtained and verified via cosign:
+
+| Attestation Type | Description |
+|----------------|-------------|
+| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. |
+| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
+| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
+
+
+To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zot image on `unix/amd64`:
 ```shell
 cosign download attestation \
+ --platform=unix/amd64 \
 --predicate-type=https://spdx.dev/Document \
- cgr.dev/chainguard/zot | jq -r .payload | base64 -d | jq
+ cgr.dev/chainguard/zot | jq -r .payload | base64 -d | jq .predicate
 ```
-By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from.
+By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
+
+To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
-With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM:
+## Verifying zot Image Attestations
+You can use the `cosign verify-attestation` command to check the signatures of the zot image attestations:
 ```shell
 cosign verify-attestation \
- --type https://spdx.dev/Document \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
- --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
- --platform=linux/amd64 \
- cgr.dev/chainguard/zot
+--type https://spdx.dev/Document \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
+cgr.dev/chainguard/zot
 ```
-And you should get output that verifies the SBOM signature in cosign's transparency log:
+This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log:
 ```
 Verification for cgr.dev/chainguard/zot --