diff --git a/autodocs/changelog.md b/autodocs/changelog.md index d1704dd0af..a3b19c7202 100755 --- a/autodocs/changelog.md +++ b/autodocs/changelog.md @@ -1,3 +1,719 @@ +# 2023-12-06 +New images added: + +- buildkit +- erlang +- temporal-admin-tools + +Updated Docs: + +- apko/provenance_info.md +- apko/tags_history.md +- argo-cli/provenance_info.md +- argo-cli/tags_history.md +- argo-exec/provenance_info.md +- argo-exec/tags_history.md +- argo-workflowcontroller/provenance_info.md +- argo-workflowcontroller/tags_history.md +- argocd/provenance_info.md +- argocd/tags_history.md +- argocd-repo-server/provenance_info.md +- argocd-repo-server/tags_history.md +- aspnet-runtime/provenance_info.md +- aspnet-runtime/tags_history.md +- atlantis/provenance_info.md +- atlantis/tags_history.md +- aws-cli/provenance_info.md +- aws-cli/tags_history.md +- aws-ebs-csi-driver/provenance_info.md +- aws-ebs-csi-driver/tags_history.md +- aws-efs-csi-driver/provenance_info.md +- aws-efs-csi-driver/tags_history.md +- aws-for-fluent-bit/provenance_info.md +- aws-for-fluent-bit/tags_history.md +- aws-load-balancer-controller/provenance_info.md +- aws-load-balancer-controller/tags_history.md +- bank-vaults/provenance_info.md +- bank-vaults/tags_history.md +- bash/provenance_info.md +- bash/tags_history.md +- bazel/provenance_info.md +- bazel/tags_history.md +- boring-registry/provenance_info.md +- boring-registry/tags_history.md +- buck2/provenance_info.md +- buck2/tags_history.md +- busybox/provenance_info.md +- busybox/tags_history.md +- caddy/provenance_info.md +- caddy/tags_history.md +- cadvisor/provenance_info.md +- cadvisor/tags_history.md +- calico-cni/_index.md +- calico-cni/provenance_info.md +- calico-cni/tags_history.md +- calico-csi/_index.md +- calico-csi/provenance_info.md +- calico-csi/tags_history.md +- calico-kube-controllers/_index.md +- calico-kube-controllers/provenance_info.md +- calico-kube-controllers/tags_history.md +- calico-node/_index.md +- calico-node/provenance_info.md +- calico-node/tags_history.md +- calico-node-driver-registrar/_index.md +- calico-node-driver-registrar/provenance_info.md +- calico-node-driver-registrar/tags_history.md +- calico-pod2daemon-flexvol/_index.md +- calico-pod2daemon-flexvol/provenance_info.md +- calico-pod2daemon-flexvol/tags_history.md +- calico-typha/_index.md +- calico-typha/provenance_info.md +- calico-typha/tags_history.md +- calicoctl/_index.md +- calicoctl/provenance_info.md +- calicoctl/tags_history.md +- cassandra/provenance_info.md +- cassandra/tags_history.md +- cc-dynamic/provenance_info.md +- cc-dynamic/tags_history.md +- cedar/provenance_info.md +- cedar/tags_history.md +- cert-manager-acmesolver/provenance_info.md +- cert-manager-acmesolver/tags_history.md +- cert-manager-cainjector/provenance_info.md +- cert-manager-cainjector/tags_history.md +- cert-manager-controller/provenance_info.md +- cert-manager-controller/tags_history.md +- cert-manager-webhook/provenance_info.md +- cert-manager-webhook/tags_history.md +- cfssl/provenance_info.md +- cfssl/tags_history.md +- cilium-agent/provenance_info.md +- cilium-agent/tags_history.md +- cilium-hubble-relay/provenance_info.md +- cilium-hubble-relay/tags_history.md +- cilium-hubble-ui/provenance_info.md +- cilium-hubble-ui/tags_history.md +- cilium-hubble-ui-backend/provenance_info.md +- cilium-hubble-ui-backend/tags_history.md +- cilium-operator-generic/provenance_info.md +- cilium-operator-generic/tags_history.md +- clang/_index.md +- clang/provenance_info.md +- clang/tags_history.md +- cluster-autoscaler/provenance_info.md +- cluster-autoscaler/tags_history.md +- cluster-proportional-autoscaler/provenance_info.md +- cluster-proportional-autoscaler/tags_history.md +- conda/provenance_info.md +- conda/tags_history.md +- configmap-reload/provenance_info.md +- consul/provenance_info.md +- consul/tags_history.md +- coredns/provenance_info.md +- coredns/tags_history.md +- cosign/provenance_info.md +- cosign/tags_history.md +- crane/provenance_info.md +- crane/tags_history.md +- crossplane/provenance_info.md +- crossplane-aws/provenance_info.md +- crossplane-aws/tags_history.md +- crossplane-aws-cloudfront/provenance_info.md +- crossplane-aws-cloudfront/tags_history.md +- crossplane-aws-cloudwatchlogs/provenance_info.md +- crossplane-aws-cloudwatchlogs/tags_history.md +- crossplane-aws-dynamodb/provenance_info.md +- crossplane-aws-dynamodb/tags_history.md +- crossplane-aws-ec2/provenance_info.md +- crossplane-aws-ec2/tags_history.md +- crossplane-aws-eks/provenance_info.md +- crossplane-aws-eks/tags_history.md +- crossplane-aws-firehose/provenance_info.md +- crossplane-aws-firehose/tags_history.md +- crossplane-aws-iam/provenance_info.md +- crossplane-aws-iam/tags_history.md +- crossplane-aws-kms/provenance_info.md +- crossplane-aws-kms/tags_history.md +- crossplane-aws-lambda/provenance_info.md +- crossplane-aws-lambda/tags_history.md +- crossplane-aws-rds/provenance_info.md +- crossplane-aws-rds/tags_history.md +- crossplane-aws-s3/provenance_info.md +- crossplane-aws-s3/tags_history.md +- crossplane-aws-sns/provenance_info.md +- crossplane-aws-sns/tags_history.md +- crossplane-aws-sqs/provenance_info.md +- crossplane-aws-sqs/tags_history.md +- crossplane-azure/provenance_info.md +- crossplane-azure/tags_history.md +- crossplane-azure-authorization/provenance_info.md +- crossplane-azure-authorization/tags_history.md +- crossplane-azure-managedidentity/provenance_info.md +- crossplane-azure-managedidentity/tags_history.md +- crossplane-azure-sql/provenance_info.md +- crossplane-azure-sql/tags_history.md +- crossplane-azure-storage/provenance_info.md +- crossplane-azure-storage/tags_history.md +- crossplane-xfn/provenance_info.md +- crossplane-xfn/tags_history.md +- ctlog-trillian-ctserver/provenance_info.md +- ctlog-trillian-ctserver/tags_history.md +- curl/provenance_info.md +- curl/tags_history.md +- dask-gateway/provenance_info.md +- dask-gateway/tags_history.md +- dask-gateway-server/provenance_info.md +- dask-gateway-server/tags_history.md +- deno/provenance_info.md +- deno/tags_history.md +- dependency-track/provenance_info.md +- dex/provenance_info.md +- dex/tags_history.md +- dive/provenance_info.md +- dive/tags_history.md +- dotnet-runtime/provenance_info.md +- dotnet-runtime/tags_history.md +- dotnet-sdk/provenance_info.md +- dotnet-sdk/tags_history.md +- dynamic-localpv-provisioner/provenance_info.md +- dynamic-localpv-provisioner/tags_history.md +- envoy/provenance_info.md +- envoy/tags_history.md +- envoy-ratelimit/provenance_info.md +- envoy-ratelimit/tags_history.md +- etcd/provenance_info.md +- etcd/tags_history.md +- external-dns/provenance_info.md +- external-dns/tags_history.md +- external-secrets/provenance_info.md +- external-secrets/tags_history.md +- falcoctl/provenance_info.md +- falcoctl/tags_history.md +- ffmpeg/image_specs.md +- ffmpeg/provenance_info.md +- ffmpeg/tags_history.md +- fluent-bit/provenance_info.md +- fluent-bit/tags_history.md +- fluentd/provenance_info.md +- fluentd/tags_history.md +- flux/provenance_info.md +- flux/tags_history.md +- flux-helm-controller/provenance_info.md +- flux-helm-controller/tags_history.md +- flux-image-automation-controller/provenance_info.md +- flux-image-automation-controller/tags_history.md +- flux-image-reflector-controller/provenance_info.md +- flux-image-reflector-controller/tags_history.md +- flux-kustomize-controller/provenance_info.md +- flux-kustomize-controller/tags_history.md +- flux-notification-controller/provenance_info.md +- flux-notification-controller/tags_history.md +- flux-source-controller/provenance_info.md +- flux-source-controller/tags_history.md +- fulcio/provenance_info.md +- fulcio/tags_history.md +- gatekeeper/provenance_info.md +- gatekeeper/tags_history.md +- gcc-glibc/provenance_info.md +- gcc-glibc/tags_history.md +- git/provenance_info.md +- git/tags_history.md +- gitlab-exporter/provenance_info.md +- gitlab-exporter/tags_history.md +- gitlab-kas/provenance_info.md +- gitlab-kas/tags_history.md +- gitlab-pages/provenance_info.md +- gitlab-pages/tags_history.md +- gitlab-shell/provenance_info.md +- gitlab-shell/tags_history.md +- gitness/provenance_info.md +- gitness/tags_history.md +- glibc-dynamic/provenance_info.md +- glibc-dynamic/tags_history.md +- go/provenance_info.md +- go/tags_history.md +- google-cloud-sdk/provenance_info.md +- google-cloud-sdk/tags_history.md +- graalvm-native/provenance_info.md +- graalvm-native/tags_history.md +- gradle/provenance_info.md +- gradle/tags_history.md +- grype/provenance_info.md +- grype/tags_history.md +- guacamole-server/provenance_info.md +- guacamole-server/tags_history.md +- haproxy/provenance_info.md +- haproxy/tags_history.md +- haproxy-ingress/_index.md +- haproxy-ingress/provenance_info.md +- haproxy-ingress/tags_history.md +- helm/_index.md +- helm/provenance_info.md +- helm/tags_history.md +- helm-chartmuseum/provenance_info.md +- helm-chartmuseum/tags_history.md +- http-echo/provenance_info.md +- http-echo/tags_history.md +- hugo/provenance_info.md +- hugo/tags_history.md +- influxdb/provenance_info.md +- influxdb/tags_history.md +- ingress-nginx-controller/provenance_info.md +- ingress-nginx-controller/tags_history.md +- ip-masq-agent/provenance_info.md +- ip-masq-agent/tags_history.md +- istio-install-cni/provenance_info.md +- istio-install-cni/tags_history.md +- istio-operator/provenance_info.md +- istio-operator/tags_history.md +- istio-pilot/provenance_info.md +- istio-pilot/tags_history.md +- istio-proxy/provenance_info.md +- istio-proxy/tags_history.md +- jdk/provenance_info.md +- jdk/tags_history.md +- jdk-lts/provenance_info.md +- jdk-lts/tags_history.md +- jenkins/provenance_info.md +- jenkins/tags_history.md +- jre/provenance_info.md +- jre/tags_history.md +- jre-lts/provenance_info.md +- jre-lts/tags_history.md +- k3s/provenance_info.md +- k3s/tags_history.md +- k3s-allinone/provenance_info.md +- k3s-allinone/tags_history.md +- k8s-sidecar/provenance_info.md +- k8s-sidecar/tags_history.md +- k8sgpt/provenance_info.md +- k8sgpt/tags_history.md +- k8sgpt-operator/provenance_info.md +- k8sgpt-operator/tags_history.md +- kafka/provenance_info.md +- kafka/tags_history.md +- karpenter/provenance_info.md +- karpenter/tags_history.md +- keda/provenance_info.md +- keda/tags_history.md +- keda-adapter/provenance_info.md +- keda-adapter/tags_history.md +- keda-admission-webhooks/provenance_info.md +- keda-admission-webhooks/tags_history.md +- keycloak/provenance_info.md +- keycloak/tags_history.md +- ko/provenance_info.md +- ko/tags_history.md +- kor/provenance_info.md +- kor/tags_history.md +- kube-bench/provenance_info.md +- kube-bench/tags_history.md +- kube-downscaler/provenance_info.md +- kube-downscaler/tags_history.md +- kube-fluentd-operator/provenance_info.md +- kube-fluentd-operator/tags_history.md +- kube-logging-operator/provenance_info.md +- kube-logging-operator/tags_history.md +- kube-logging-operator-fluentd/provenance_info.md +- kube-logging-operator-fluentd/tags_history.md +- kube-state-metrics/provenance_info.md +- kube-state-metrics/tags_history.md +- kubectl/image_specs.md +- kubectl/provenance_info.md +- kubectl/tags_history.md +- kubeflow-jupyter-web-app/provenance_info.md +- kubeflow-jupyter-web-app/tags_history.md +- kubeflow-katib-controller/provenance_info.md +- kubeflow-katib-controller/tags_history.md +- kubeflow-katib-db-manager/provenance_info.md +- kubeflow-katib-db-manager/tags_history.md +- kubeflow-katib-earlystopping-medianstop/provenance_info.md +- kubeflow-katib-earlystopping-medianstop/tags_history.md +- kubeflow-katib-file-metrics-collector/provenance_info.md +- kubeflow-katib-file-metrics-collector/tags_history.md +- kubeflow-katib-suggestion-darts/provenance_info.md +- kubeflow-katib-suggestion-darts/tags_history.md +- kubeflow-katib-suggestion-goptuna/provenance_info.md +- kubeflow-katib-suggestion-goptuna/tags_history.md +- kubeflow-katib-suggestion-hyperband/provenance_info.md +- kubeflow-katib-suggestion-hyperband/tags_history.md +- kubeflow-katib-suggestion-hyperopt/provenance_info.md +- kubeflow-katib-suggestion-hyperopt/tags_history.md +- kubeflow-katib-suggestion-optuna/provenance_info.md +- kubeflow-katib-suggestion-optuna/tags_history.md +- kubeflow-katib-suggestion-pbt/provenance_info.md +- kubeflow-katib-suggestion-pbt/tags_history.md +- kubeflow-katib-suggestion-skopt/provenance_info.md +- kubeflow-katib-suggestion-skopt/tags_history.md +- kubeflow-pipelines-api-server/provenance_info.md +- kubeflow-pipelines-api-server/tags_history.md +- kubeflow-pipelines-cache-deployer/provenance_info.md +- kubeflow-pipelines-cache-deployer/tags_history.md +- kubeflow-pipelines-cache-server/provenance_info.md +- kubeflow-pipelines-cache-server/tags_history.md +- kubeflow-pipelines-frontend/provenance_info.md +- kubeflow-pipelines-frontend/tags_history.md +- kubeflow-pipelines-metadata-writer/provenance_info.md +- kubeflow-pipelines-metadata-writer/tags_history.md +- kubeflow-pipelines-persistenceagent/provenance_info.md +- kubeflow-pipelines-persistenceagent/tags_history.md +- kubeflow-pipelines-scheduledworkflow/provenance_info.md +- kubeflow-pipelines-scheduledworkflow/tags_history.md +- kubeflow-pipelines-viewer-crd-controller/provenance_info.md +- kubeflow-pipelines-viewer-crd-controller/tags_history.md +- kubeflow-volumes-web-app/provenance_info.md +- kubeflow-volumes-web-app/tags_history.md +- kubernetes-csi-external-attacher/provenance_info.md +- kubernetes-csi-external-attacher/tags_history.md +- kubernetes-csi-external-provisioner/provenance_info.md +- kubernetes-csi-external-provisioner/tags_history.md +- kubernetes-csi-external-resizer/provenance_info.md +- kubernetes-csi-external-resizer/tags_history.md +- kubernetes-csi-external-snapshot-controller/provenance_info.md +- kubernetes-csi-external-snapshot-controller/tags_history.md +- kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md +- kubernetes-csi-external-snapshot-validation-webhook/tags_history.md +- kubernetes-csi-external-snapshotter/provenance_info.md +- kubernetes-csi-external-snapshotter/tags_history.md +- kubernetes-csi-livenessprobe/provenance_info.md +- kubernetes-csi-livenessprobe/tags_history.md +- kubernetes-csi-node-driver-registrar/provenance_info.md +- kubernetes-csi-node-driver-registrar/tags_history.md +- kubernetes-dashboard/provenance_info.md +- kubernetes-dashboard/tags_history.md +- kubernetes-dns-node-cache/provenance_info.md +- kubernetes-dns-node-cache/tags_history.md +- kubernetes-event-exporter/provenance_info.md +- kubernetes-event-exporter/tags_history.md +- kubernetes-ingress-defaultbackend/provenance_info.md +- kubernetes-ingress-defaultbackend/tags_history.md +- kubewatch/provenance_info.md +- kubewatch/tags_history.md +- kyverno/provenance_info.md +- kyverno/tags_history.md +- kyverno-background-controller/provenance_info.md +- kyverno-background-controller/tags_history.md +- kyverno-cleanup-controller/provenance_info.md +- kyverno-cleanup-controller/tags_history.md +- kyverno-cli/provenance_info.md +- kyverno-cli/tags_history.md +- kyverno-policy-reporter/provenance_info.md +- kyverno-policy-reporter/tags_history.md +- kyverno-policy-reporter-plugin/provenance_info.md +- kyverno-policy-reporter-plugin/tags_history.md +- kyverno-policy-reporter-reporter/provenance_info.md +- kyverno-policy-reporter-reporter/tags_history.md +- kyverno-policy-reporter-ui/provenance_info.md +- kyverno-policy-reporter-ui/tags_history.md +- kyverno-reports-controller/provenance_info.md +- kyverno-reports-controller/tags_history.md +- loki/provenance_info.md +- loki/tags_history.md +- mariadb/provenance_info.md +- mariadb/tags_history.md +- maven/provenance_info.md +- maven/tags_history.md +- mdbook/provenance_info.md +- mdbook/tags_history.md +- meilisearch/provenance_info.md +- meilisearch/tags_history.md +- melange/provenance_info.md +- melange/tags_history.md +- memcached/provenance_info.md +- memcached/tags_history.md +- memcached-exporter/provenance_info.md +- memcached-exporter/tags_history.md +- memcached-exporter-bitnami/provenance_info.md +- memcached-exporter-bitnami/tags_history.md +- metacontroller/provenance_info.md +- metacontroller/tags_history.md +- metrics-server/provenance_info.md +- metrics-server/tags_history.md +- minio/image_specs.md +- minio/provenance_info.md +- minio/tags_history.md +- minio-client/provenance_info.md +- minio-client/tags_history.md +- nats/provenance_info.md +- nats/tags_history.md +- netcat/provenance_info.md +- netcat/tags_history.md +- newrelic-fluent-bit-output/_index.md +- newrelic-fluent-bit-output/provenance_info.md +- newrelic-fluent-bit-output/tags_history.md +- newrelic-infrastructure-bundle/_index.md +- newrelic-infrastructure-bundle/image_specs.md +- newrelic-infrastructure-bundle/provenance_info.md +- newrelic-infrastructure-bundle/tags_history.md +- newrelic-k8s-events-forwarder/_index.md +- newrelic-k8s-events-forwarder/provenance_info.md +- newrelic-k8s-events-forwarder/tags_history.md +- newrelic-kube-events/_index.md +- newrelic-kube-events/provenance_info.md +- newrelic-kube-events/tags_history.md +- newrelic-kubernetes/_index.md +- newrelic-kubernetes/provenance_info.md +- newrelic-kubernetes/tags_history.md +- newrelic-prometheus/_index.md +- newrelic-prometheus/provenance_info.md +- newrelic-prometheus/tags_history.md +- newrelic-prometheus-configurator/_index.md +- newrelic-prometheus-configurator/provenance_info.md +- newrelic-prometheus-configurator/tags_history.md +- nfs-subdir-external-provisioner/provenance_info.md +- nfs-subdir-external-provisioner/tags_history.md +- nginx/provenance_info.md +- nginx/tags_history.md +- node/provenance_info.md +- node/tags_history.md +- node-lts/provenance_info.md +- node-lts/tags_history.md +- node-problem-detector/provenance_info.md +- node-problem-detector/tags_history.md +- nodetaint/provenance_info.md +- nodetaint/tags_history.md +- ntia-conformance-checker/provenance_info.md +- ntia-conformance-checker/tags_history.md +- ntpd-rs/provenance_info.md +- ntpd-rs/tags_history.md +- nvidia-device-plugin/provenance_info.md +- nvidia-device-plugin/tags_history.md +- oauth2-proxy/provenance_info.md +- oauth2-proxy/tags_history.md +- openai/provenance_info.md +- openai/tags_history.md +- opensearch/provenance_info.md +- opensearch/tags_history.md +- opentelemetry-collector-contrib/provenance_info.md +- opentelemetry-collector-contrib/tags_history.md +- opentofu/provenance_info.md +- opentofu/tags_history.md +- paranoia/provenance_info.md +- paranoia/tags_history.md +- pgbouncer/provenance_info.md +- pgbouncer/tags_history.md +- php/provenance_info.md +- php/tags_history.md +- postgres/provenance_info.md +- postgres/tags_history.md +- powershell/provenance_info.md +- powershell/tags_history.md +- prometheus/provenance_info.md +- prometheus/tags_history.md +- prometheus-adapter/provenance_info.md +- prometheus-adapter/tags_history.md +- prometheus-alertmanager/provenance_info.md +- prometheus-alertmanager/tags_history.md +- prometheus-cloudwatch-exporter/provenance_info.md +- prometheus-cloudwatch-exporter/tags_history.md +- prometheus-config-reloader/provenance_info.md +- prometheus-config-reloader/tags_history.md +- prometheus-elasticsearch-exporter/provenance_info.md +- prometheus-elasticsearch-exporter/tags_history.md +- prometheus-mongodb-exporter/provenance_info.md +- prometheus-mongodb-exporter/tags_history.md +- prometheus-mysqld-exporter/provenance_info.md +- prometheus-mysqld-exporter/tags_history.md +- prometheus-node-exporter/provenance_info.md +- prometheus-node-exporter/tags_history.md +- prometheus-operator/provenance_info.md +- prometheus-operator/tags_history.md +- prometheus-postgres-exporter/provenance_info.md +- prometheus-postgres-exporter/tags_history.md +- prometheus-pushgateway/provenance_info.md +- prometheus-pushgateway/tags_history.md +- prometheus-pushgateway-bitnami/provenance_info.md +- prometheus-pushgateway-bitnami/tags_history.md +- prometheus-redis-exporter/provenance_info.md +- prometheus-redis-exporter/tags_history.md +- prometheus-statsd-exporter/provenance_info.md +- prometheus-statsd-exporter/tags_history.md +- promtail/provenance_info.md +- promtail/tags_history.md +- proxysql/provenance_info.md +- proxysql/tags_history.md +- pulumi/provenance_info.md +- pulumi/tags_history.md +- python/provenance_info.md +- python/tags_history.md +- qdrant/provenance_info.md +- qdrant/tags_history.md +- r-base/provenance_info.md +- r-base/tags_history.md +- rabbitmq/provenance_info.md +- rabbitmq/tags_history.md +- rabbitmq-cluster-operator/provenance_info.md +- rabbitmq-cluster-operator/tags_history.md +- rabbitmq-messaging-topology-operator/provenance_info.md +- rabbitmq-messaging-topology-operator/tags_history.md +- redis/provenance_info.md +- redis/tags_history.md +- redis-cluster-bitnami/provenance_info.md +- redis-cluster-bitnami/tags_history.md +- redis-sentinel/provenance_info.md +- redis-sentinel/tags_history.md +- redis-sentinel-bitnami/provenance_info.md +- redis-sentinel-bitnami/tags_history.md +- redis-server-bitnami/provenance_info.md +- redis-server-bitnami/tags_history.md +- rekor-backfill-redis/provenance_info.md +- rekor-backfill-redis/tags_history.md +- rekor-cli/provenance_info.md +- rekor-cli/tags_history.md +- rekor-server/provenance_info.md +- rekor-server/tags_history.md +- rqlite/provenance_info.md +- rqlite/tags_history.md +- ruby/provenance_info.md +- ruby/tags_history.md +- rust/provenance_info.md +- rust/tags_history.md +- secrets-store-csi-driver/provenance_info.md +- secrets-store-csi-driver/tags_history.md +- secrets-store-csi-driver-provider-gcp/provenance_info.md +- secrets-store-csi-driver-provider-gcp/tags_history.md +- semgrep/provenance_info.md +- semgrep/tags_history.md +- sigstore-policy-controller/provenance_info.md +- sigstore-policy-controller/tags_history.md +- sigstore-scaffolding-cloudsqlproxy/provenance_info.md +- sigstore-scaffolding-cloudsqlproxy/tags_history.md +- sigstore-scaffolding-ctlog-createctconfig/provenance_info.md +- sigstore-scaffolding-ctlog-createctconfig/tags_history.md +- sigstore-scaffolding-ctlog-managectroots/provenance_info.md +- sigstore-scaffolding-ctlog-managectroots/tags_history.md +- sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md +- sigstore-scaffolding-ctlog-verifyfulcio/tags_history.md +- sigstore-scaffolding-fulcio-createcerts/provenance_info.md +- sigstore-scaffolding-fulcio-createcerts/tags_history.md +- sigstore-scaffolding-getoidctoken/provenance_info.md +- sigstore-scaffolding-getoidctoken/tags_history.md +- sigstore-scaffolding-rekor-createsecret/provenance_info.md +- sigstore-scaffolding-rekor-createsecret/tags_history.md +- sigstore-scaffolding-trillian-createdb/provenance_info.md +- sigstore-scaffolding-trillian-createdb/tags_history.md +- sigstore-scaffolding-trillian-createtree/provenance_info.md +- sigstore-scaffolding-trillian-createtree/tags_history.md +- sigstore-scaffolding-trillian-updatetree/provenance_info.md +- sigstore-scaffolding-trillian-updatetree/tags_history.md +- sigstore-scaffolding-tsa-createcertchain/provenance_info.md +- sigstore-scaffolding-tsa-createcertchain/tags_history.md +- sigstore-scaffolding-tuf-createsecret/provenance_info.md +- sigstore-scaffolding-tuf-createsecret/tags_history.md +- sigstore-scaffolding-tuf-server/provenance_info.md +- sigstore-scaffolding-tuf-server/tags_history.md +- skaffold/provenance_info.md +- skaffold/tags_history.md +- slim-toolkit-debug/provenance_info.md +- slim-toolkit-debug/tags_history.md +- smarter-device-manager/provenance_info.md +- smarter-device-manager/tags_history.md +- solr/provenance_info.md +- solr/tags_history.md +- spark-operator/provenance_info.md +- spark-operator/tags_history.md +- spire-agent/provenance_info.md +- spire-agent/tags_history.md +- spire-oidc-discovery-provider/provenance_info.md +- spire-oidc-discovery-provider/tags_history.md +- spire-server/provenance_info.md +- spire-server/tags_history.md +- stakater-reloader/provenance_info.md +- stakater-reloader/tags_history.md +- static/provenance_info.md +- static/tags_history.md +- stunnel/provenance_info.md +- stunnel/tags_history.md +- tekton-chains/provenance_info.md +- tekton-chains/tags_history.md +- tekton-cli/provenance_info.md +- tekton-cli/tags_history.md +- tekton-controller/provenance_info.md +- tekton-controller/tags_history.md +- tekton-entrypoint/provenance_info.md +- tekton-entrypoint/tags_history.md +- tekton-events/provenance_info.md +- tekton-events/tags_history.md +- tekton-nop/provenance_info.md +- tekton-nop/tags_history.md +- tekton-resolvers/provenance_info.md +- tekton-resolvers/tags_history.md +- tekton-sidecarlogresults/provenance_info.md +- tekton-sidecarlogresults/tags_history.md +- tekton-webhook/provenance_info.md +- tekton-webhook/tags_history.md +- tekton-workingdirinit/provenance_info.md +- tekton-workingdirinit/tags_history.md +- telegraf/provenance_info.md +- telegraf/tags_history.md +- temporal-ui-server/provenance_info.md +- temporal-ui-server/tags_history.md +- terraform/provenance_info.md +- terraform/tags_history.md +- thanos/provenance_info.md +- thanos/tags_history.md +- thanos-operator/provenance_info.md +- thanos-operator/tags_history.md +- tigera-operator/provenance_info.md +- tigera-operator/tags_history.md +- timestamp-authority-cli/provenance_info.md +- timestamp-authority-cli/tags_history.md +- timestamp-authority-server/provenance_info.md +- timestamp-authority-server/tags_history.md +- timoni/provenance_info.md +- timoni/tags_history.md +- tomcat/provenance_info.md +- tomcat/tags_history.md +- traefik/provenance_info.md +- traefik/tags_history.md +- trillian-logserver/provenance_info.md +- trillian-logserver/tags_history.md +- trillian-logsigner/provenance_info.md +- trillian-logsigner/tags_history.md +- trino/provenance_info.md +- trino/tags_history.md +- trust-manager/provenance_info.md +- trust-manager/tags_history.md +- vault/provenance_info.md +- vault/tags_history.md +- vault-k8s/provenance_info.md +- vault-k8s/tags_history.md +- vector/provenance_info.md +- vector/tags_history.md +- vela-cli/provenance_info.md +- vela-cli/tags_history.md +- vertical-pod-autoscaler-admission-controller/provenance_info.md +- vertical-pod-autoscaler-admission-controller/tags_history.md +- vertical-pod-autoscaler-recommender/provenance_info.md +- vertical-pod-autoscaler-recommender/tags_history.md +- vertical-pod-autoscaler-updater/provenance_info.md +- vertical-pod-autoscaler-updater/tags_history.md +- vt/provenance_info.md +- vt/tags_history.md +- wait-for-it/provenance_info.md +- wait-for-it/tags_history.md +- wasmer/provenance_info.md +- wasmer/tags_history.md +- wasmtime/provenance_info.md +- wasmtime/tags_history.md +- wavefront-proxy/provenance_info.md +- wavefront-proxy/tags_history.md +- wazero/provenance_info.md +- wazero/tags_history.md +- weaviate/provenance_info.md +- weaviate/tags_history.md +- wolfi-base/provenance_info.md +- wolfi-base/tags_history.md +- zig/provenance_info.md +- zig/tags_history.md +- zookeeper/image_specs.md +- zookeeper/provenance_info.md +- zookeeper/tags_history.md +- zot/provenance_info.md +- zot/tags_history.md + # 2023-11-30 New images added: diff --git a/content/chainguard/chainguard-images/reference/apko/provenance_info.md b/content/chainguard/chainguard-images/reference/apko/provenance_info.md index d9cad39113..a4ac7df74b 100644 --- a/content/chainguard/chainguard-images/reference/apko/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/apko/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for apko Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **apko** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/apko | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/apko | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the apko im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the apko image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the apko image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/apko + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/apko ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/apko/tags_history.md b/content/chainguard/chainguard-images/reference/apko/tags_history.md index 160bc2be88..962177738e 100644 --- a/content/chainguard/chainguard-images/reference/apko/tags_history.md +++ b/content/chainguard/chainguard-images/reference/apko/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the apko Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:73543bc03f2eec6ea5d0e17e56c31d1061462f1e5019b143c5baf7af9c3aeea9` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:d1649e08df1fab6d8be90efbeba13a9bfcb4339f3fe875f3c307043d54b5b022` | diff --git a/content/chainguard/chainguard-images/reference/argo-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/argo-cli/provenance_info.md index d73502844d..b0ca9ded1b 100644 --- a/content/chainguard/chainguard-images/reference/argo-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argo-cli/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for argo-cli Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **argo-cli** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/argo-cli | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argo-cli | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the argo-cl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-cli image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-cli image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/argo-cli + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argo-cli ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/argo-cli/tags_history.md b/content/chainguard/chainguard-images/reference/argo-cli/tags_history.md index 05096d1e05..903fab1efd 100644 --- a/content/chainguard/chainguard-images/reference/argo-cli/tags_history.md +++ b/content/chainguard/chainguard-images/reference/argo-cli/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the argo-cli Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:e2f43a8fe70a51d9e9d47ec24638186bde2d88bc13b38f8104668c984ce89afa` | -| `latest` | November 29th | `sha256:563aede73866dfeff925119384b4a28af06f4170c1e2fcad53834238839eaca7` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:4d77877f2413ae33757c32809f883a514689b7f0d7add47f7362dca066a5721b` | +| `latest` | December 6th | `sha256:473579517a37bd1aa0a1c16afc70804f5f64014e60f672d3565e5d104cf60996` | diff --git a/content/chainguard/chainguard-images/reference/argo-exec/provenance_info.md b/content/chainguard/chainguard-images/reference/argo-exec/provenance_info.md index 3c00f66e54..758fb4a29d 100644 --- a/content/chainguard/chainguard-images/reference/argo-exec/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argo-exec/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for argo-exec Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **argo-exec** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/argo-exec | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argo-exec | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the argo-ex | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-exec image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-exec image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/argo-exec + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argo-exec ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/argo-exec/tags_history.md b/content/chainguard/chainguard-images/reference/argo-exec/tags_history.md index 298c01bf58..d0c87a9f3a 100644 --- a/content/chainguard/chainguard-images/reference/argo-exec/tags_history.md +++ b/content/chainguard/chainguard-images/reference/argo-exec/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the argo-exec Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:00c4b10150b798965e81fabac966fa8a7f0febdd24373717b377449f54588c54` | -| `latest` | November 29th | `sha256:5bc10fb311feade606218f640aa361b7f023653a6909943eed7c2fe90db8fba6` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:d526c01db522605789ae2f76ddff0a70e1aea3a390e40fb88e5839e9632274c0` | +| `latest` | December 6th | `sha256:f9d5d64a83e3be65b41afdc732ae55401131978b414861225442f53f241cd675` | diff --git a/content/chainguard/chainguard-images/reference/argo-workflowcontroller/provenance_info.md b/content/chainguard/chainguard-images/reference/argo-workflowcontroller/provenance_info.md index 36c67ab4ae..1cd12289c2 100644 --- a/content/chainguard/chainguard-images/reference/argo-workflowcontroller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argo-workflowcontroller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for argo-workflowcontroller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **argo-workflowcontroller** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/argo-workflowcontroller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argo-workflowcontroller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the argo-wo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-workflowcontroller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argo-workflowcontroller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/argo-workflowcontroller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argo-workflowcontroller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/argo-workflowcontroller/tags_history.md b/content/chainguard/chainguard-images/reference/argo-workflowcontroller/tags_history.md index 0ca0d5fc06..9c698c2fec 100644 --- a/content/chainguard/chainguard-images/reference/argo-workflowcontroller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/argo-workflowcontroller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the argo-workflowcontroller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:4cadfd9e6bc96f239f351c549c7fa3d45a18a0445eee1c34dc55ecdb79ade0e4` | -| `latest` | November 29th | `sha256:8fbad2d58cd6ff221ad4b89e58f65606aa2d488a910d06ca4a48140a79fd3bfb` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:21e819e007fed87b2503e727cc3d2113400d70f7fe23370e470850bde9753365` | +| `latest-dev` | December 6th | `sha256:d2e683c38a268e8e07a17de0eab5bfbf2762b46b45015544ad7094a3c97cb55e` | diff --git a/content/chainguard/chainguard-images/reference/argocd-repo-server/provenance_info.md b/content/chainguard/chainguard-images/reference/argocd-repo-server/provenance_info.md index b812809578..d8833c429a 100644 --- a/content/chainguard/chainguard-images/reference/argocd-repo-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argocd-repo-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for argocd-repo-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **argocd-repo-server** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/argocd-repo-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argocd-repo-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the argocd- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argocd-repo-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argocd-repo-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/argocd-repo-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argocd-repo-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/argocd-repo-server/tags_history.md b/content/chainguard/chainguard-images/reference/argocd-repo-server/tags_history.md index 6c77a33bd5..8c68c65c99 100644 --- a/content/chainguard/chainguard-images/reference/argocd-repo-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/argocd-repo-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the argocd-repo-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:d6f1695b43faa5b82701db4c46134c74990d1b565cff29950e9b9d0176973d2e` | -| `latest` | November 29th | `sha256:2062274bbb6d9074dd3ec56179ebbd71537957d1aa46dea33ff6d30b037b834c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:e06d0bedf628e36d339200f2dfd15ab853f52d2232a16c67fd81f73175f56b53` | +| `latest` | December 6th | `sha256:946d3b80cf8a1a32eb29f23a5d81d63e64b619017b87f795873ab7ab306ded6c` | diff --git a/content/chainguard/chainguard-images/reference/argocd/provenance_info.md b/content/chainguard/chainguard-images/reference/argocd/provenance_info.md index e06e7291c2..72c755f0fd 100644 --- a/content/chainguard/chainguard-images/reference/argocd/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/argocd/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for argocd Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **argocd** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/argocd | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argocd | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the argocd | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argocd image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the argocd image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/argocd + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/argocd ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/argocd/tags_history.md b/content/chainguard/chainguard-images/reference/argocd/tags_history.md index ac1e603407..dc20620195 100644 --- a/content/chainguard/chainguard-images/reference/argocd/tags_history.md +++ b/content/chainguard/chainguard-images/reference/argocd/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the argocd Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:a3835c297d61e698bc18da734f60ff61aa9f378162640b006288d8d3351b9f78` | -| `latest` | November 29th | `sha256:0b14a3f26100365fa569c1f366fec66279351a84ae06b0796f922e44ff45037e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:bb6ad20bbb9c34b34d6a6f16e54dbaab165bdf36f99ea525d31e1988e3e52979` | +| `latest-dev` | December 6th | `sha256:5d9c12a9cfbcf66dba66fe62a1b8127be4d1973c070cde361ee6d0cfdc215e19` | diff --git a/content/chainguard/chainguard-images/reference/aspnet-runtime/provenance_info.md b/content/chainguard/chainguard-images/reference/aspnet-runtime/provenance_info.md index efa0dcf600..edd3305d8e 100644 --- a/content/chainguard/chainguard-images/reference/aspnet-runtime/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/aspnet-runtime/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for aspnet-runtime Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **aspnet-runtime** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/aspnet-runtime | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aspnet-runtime | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the aspnet- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aspnet-runtime image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aspnet-runtime image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/aspnet-runtime + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aspnet-runtime ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/aspnet-runtime/tags_history.md b/content/chainguard/chainguard-images/reference/aspnet-runtime/tags_history.md index 868a933643..6d3406817b 100644 --- a/content/chainguard/chainguard-images/reference/aspnet-runtime/tags_history.md +++ b/content/chainguard/chainguard-images/reference/aspnet-runtime/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the aspnet-runtime Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d6a7d3c5edf45ca84cb768c03ef2a86ea69a3804e8e1dc1a4c39a8058e9c1c95` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:4f9bfc13a0e559877bc22f0b4069e1c25a1d11c8f588f4f9e41d4766c60ed315` | diff --git a/content/chainguard/chainguard-images/reference/atlantis/provenance_info.md b/content/chainguard/chainguard-images/reference/atlantis/provenance_info.md index 689d583b7e..f7467221d4 100644 --- a/content/chainguard/chainguard-images/reference/atlantis/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/atlantis/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for atlantis Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **atlantis** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/atlantis | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/atlantis | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the atlanti | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the atlantis image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the atlantis image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/atlantis + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/atlantis ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/atlantis/tags_history.md b/content/chainguard/chainguard-images/reference/atlantis/tags_history.md index 1464d1371c..347b5e8e0a 100644 --- a/content/chainguard/chainguard-images/reference/atlantis/tags_history.md +++ b/content/chainguard/chainguard-images/reference/atlantis/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the atlantis Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:aeb23793ef57c94e0aee9e0d0655e99557ccc16924567192af8ba0a48be40358` | -| `latest` | November 29th | `sha256:4d5aa0d3fcbcca1c7853d0d7b9be11ce29d43fc6bb42c87e72f7f8a58486da99` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:93f7c3dc17aae7e31fbf89945c3ba7500a9ffcc6d06fe4587fbe2c7752736ac3` | +| `latest-dev` | December 6th | `sha256:e94bca2fd4f95d1d1ce7cff3e8311f0b6e3818afc8820fb0dd99a4dfb6778517` | diff --git a/content/chainguard/chainguard-images/reference/aws-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-cli/provenance_info.md index 455c34c914..6508f6c81e 100644 --- a/content/chainguard/chainguard-images/reference/aws-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/aws-cli/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for aws-cli Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **aws-cli** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/aws-cli | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-cli | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the aws-cli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-cli image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-cli image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/aws-cli + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-cli ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/aws-cli/tags_history.md b/content/chainguard/chainguard-images/reference/aws-cli/tags_history.md index 8a2036b3a2..da141d02c0 100644 --- a/content/chainguard/chainguard-images/reference/aws-cli/tags_history.md +++ b/content/chainguard/chainguard-images/reference/aws-cli/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the aws-cli Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:3044ca267395b530ca6f322272396af3e77a54cb2ebecefeeed0374a899ff846` | -| `latest` | November 29th | `sha256:8a7f1285f9819259a26ff474a59c701aa8fa05c664758abe6d6aa4674ed0ae82` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:8a2b6928ef995aade9356d7044999fee4443180e93cadb732b0312f13fcce5fc` | +| `latest` | December 6th | `sha256:8027520078e98e17243e371b9b30c683a163fc726bb46b34faf145a5400eed32` | diff --git a/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/provenance_info.md index b08783c95e..973e4ef28e 100644 --- a/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for aws-ebs-csi-driver Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **aws-ebs-csi-driver** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/aws-ebs-csi-driver | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-ebs-csi-driver | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the aws-ebs | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-ebs-csi-driver image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-ebs-csi-driver image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/aws-ebs-csi-driver + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-ebs-csi-driver ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/tags_history.md b/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/tags_history.md index d297f90418..772a587073 100644 --- a/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/tags_history.md +++ b/content/chainguard/chainguard-images/reference/aws-ebs-csi-driver/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the aws-ebs-csi-driver Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:5f70bf37f9f5b36aa1db13ec682b50858008961ecbdfcf4a5ddb7bd759b3aad5` | -| `latest-dev` | November 29th | `sha256:df81e4bae3680ed89c195d38d13fbb0588b4bc65c9ec6d881dacc709c80912ca` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:44bfa973d15eb78b92fd181ab1f90adf075e783a93fb059ca9f9bd3c64484b25` | +| `latest-dev` | December 6th | `sha256:16e6864b1a39db2e38cc22eee91b30ba797fb06e2ab83624b3f6358d4f05a660` | diff --git a/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/provenance_info.md index 9531183610..3a695ca96f 100644 --- a/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for aws-efs-csi-driver Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **aws-efs-csi-driver** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/aws-efs-csi-driver | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-efs-csi-driver | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the aws-efs | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-efs-csi-driver image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-efs-csi-driver image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/aws-efs-csi-driver + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-efs-csi-driver ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/tags_history.md b/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/tags_history.md index a171e7d014..2cb0d52123 100644 --- a/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/tags_history.md +++ b/content/chainguard/chainguard-images/reference/aws-efs-csi-driver/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the aws-efs-csi-driver Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:bd46c4e7467aaa9e3c46db72a529dbf7e90f3bff585a7d36afb5a46815bf5ad8` | -| `latest-dev` | November 29th | `sha256:6dc745e56ecff90ffed02cbe260dcf34045c65ad85ec5c045c1090b384175768` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:05912d2619b05a55b7257029ee7df37ea8fcf71558acd80b81413c105b6c6645` | +| `latest` | December 6th | `sha256:e80bc77952da97d19817512afb68187f28f5cfbae05e80addec62464802b7030` | diff --git a/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/provenance_info.md index 81aa4c39c0..e30e81ca2b 100644 --- a/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for aws-for-fluent-bit Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **aws-for-fluent-bit** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/aws-for-fluent-bit | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-for-fluent-bit | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the aws-for | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-for-fluent-bit image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-for-fluent-bit image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/aws-for-fluent-bit + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-for-fluent-bit ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/tags_history.md b/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/tags_history.md index 5d41311cab..8ed4a1a89d 100644 --- a/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/tags_history.md +++ b/content/chainguard/chainguard-images/reference/aws-for-fluent-bit/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the aws-for-fluent-bit Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:a5c70c62827833544fad6b7271bf9f8c0113e173d504312946a2fcca194282ae` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:b71df9e46d33d457693e324f2e9721e04d9978516e7af495e4b71ecce1b5b1bf` | diff --git a/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/provenance_info.md index a19c009e9d..ef5ba51872 100644 --- a/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for aws-load-balancer-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **aws-load-balancer-controller** Chainguard Images are signed using Sigstore The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/aws-load-balancer-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-load-balancer-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the aws-loa | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-load-balancer-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the aws-load-balancer-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/aws-load-balancer-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/aws-load-balancer-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/tags_history.md b/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/tags_history.md index 2fc99c2a7e..a06e02518a 100644 --- a/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/aws-load-balancer-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the aws-load-balancer-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:b403d0ce840b032111d013c53ccee27bbe34af450e4f01eff18ca102cfa151bb` | -| `latest` | November 29th | `sha256:980a6bc5805604cb5b2ac80a5d14d5f199ba52c75556e078c1a9f6da3dfc24aa` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:6f8d47513d4646cb2e22d3dac63d1f34072a8f1a983e894283a9331d99b4d9e0` | +| `latest-dev` | December 6th | `sha256:f649e596f87299559b1960ff217e2c24ca77415c381852130d9088390a920d15` | diff --git a/content/chainguard/chainguard-images/reference/bank-vaults/provenance_info.md b/content/chainguard/chainguard-images/reference/bank-vaults/provenance_info.md index 74c8ee5c68..b45e4b0ece 100644 --- a/content/chainguard/chainguard-images/reference/bank-vaults/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/bank-vaults/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for bank-vaults Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **bank-vaults** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/bank-vaults | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/bank-vaults | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the bank-va | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bank-vaults image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bank-vaults image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/bank-vaults + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/bank-vaults ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/bank-vaults/tags_history.md b/content/chainguard/chainguard-images/reference/bank-vaults/tags_history.md index 7295478df6..e847373673 100644 --- a/content/chainguard/chainguard-images/reference/bank-vaults/tags_history.md +++ b/content/chainguard/chainguard-images/reference/bank-vaults/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the bank-vaults Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:51c44ed01bc3baa69e60536680eedbe9c94cc555041bef59c3f64540994e26a0` | -| `latest-dev` | November 29th | `sha256:98a9f13ad71aa7d7267dbf3b290a215d3e173b58a36fa0549813f1d18d5f1350` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:fd4d9002991ba18b0f7cb3a3a012e92435a6b0a5fbf4eaf9bace1f0364b4347d` | +| `latest` | December 6th | `sha256:b30ab4b007d0f4cbf7ffcc36227129f1e29f5a0406493330c0b81615fa60d233` | diff --git a/content/chainguard/chainguard-images/reference/bash/provenance_info.md b/content/chainguard/chainguard-images/reference/bash/provenance_info.md index d1d81a2ee0..87c5686a78 100644 --- a/content/chainguard/chainguard-images/reference/bash/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/bash/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for bash Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **bash** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/bash | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/bash | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the bash im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bash image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bash image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/bash + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/bash ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/bash/tags_history.md b/content/chainguard/chainguard-images/reference/bash/tags_history.md index deafa1249e..bdb26608ca 100644 --- a/content/chainguard/chainguard-images/reference/bash/tags_history.md +++ b/content/chainguard/chainguard-images/reference/bash/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the bash Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:29f6fcae1a360a3028bb2b21b47df332f88ede7561aebfca352ca621439b55ff` | diff --git a/content/chainguard/chainguard-images/reference/bazel/provenance_info.md b/content/chainguard/chainguard-images/reference/bazel/provenance_info.md index 9c789b908a..99ade29f61 100644 --- a/content/chainguard/chainguard-images/reference/bazel/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/bazel/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for bazel Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **bazel** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/bazel | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/bazel | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the bazel i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bazel image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the bazel image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/bazel + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/bazel ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/bazel/tags_history.md b/content/chainguard/chainguard-images/reference/bazel/tags_history.md index ddeaea77ce..a58711d0b5 100644 --- a/content/chainguard/chainguard-images/reference/bazel/tags_history.md +++ b/content/chainguard/chainguard-images/reference/bazel/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the bazel Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:98d42317269fb78fdfc1a095db04011f879d0496b8001a5439225e6af266e4a7` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:b8758e94842a5711a78c45bf49057a25f5f4912c98b7f6c6fc888e8c5c4ab2de` | diff --git a/content/chainguard/chainguard-images/reference/boring-registry/provenance_info.md b/content/chainguard/chainguard-images/reference/boring-registry/provenance_info.md index a186b42cfc..4811217c2b 100644 --- a/content/chainguard/chainguard-images/reference/boring-registry/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/boring-registry/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for boring-registry Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **boring-registry** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/boring-registry | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/boring-registry | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the boring- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the boring-registry image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the boring-registry image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/boring-registry + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/boring-registry ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/boring-registry/tags_history.md b/content/chainguard/chainguard-images/reference/boring-registry/tags_history.md index 58d8e1b106..f09072d7e6 100644 --- a/content/chainguard/chainguard-images/reference/boring-registry/tags_history.md +++ b/content/chainguard/chainguard-images/reference/boring-registry/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the boring-registry Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:71033447c92c8985f57156704255d64847a39e541e831388f07fc48dbfe2298a` | -| `latest` | November 29th | `sha256:e4ddf32f9fa43341c5d35e2f29f45839ca563c37625f7ed174811b86911c92ac` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:3e4d9157bbe161d20ba0c81376bcc2dcee53c7e884ff7cecf44cb592b6fe8464` | +| `latest-dev` | December 6th | `sha256:cdc6c9964e71bbb719fc2790bbab729a2cffab88473cb7d875c4ce3702c5809f` | diff --git a/content/chainguard/chainguard-images/reference/buck2/provenance_info.md b/content/chainguard/chainguard-images/reference/buck2/provenance_info.md index a1745c7c4d..5d3a4e7533 100644 --- a/content/chainguard/chainguard-images/reference/buck2/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/buck2/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for buck2 Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **buck2** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/buck2 | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/buck2 | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the buck2 i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the buck2 image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the buck2 image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/buck2 + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/buck2 ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/buck2/tags_history.md b/content/chainguard/chainguard-images/reference/buck2/tags_history.md index 12dd026df4..e1a2a0554d 100644 --- a/content/chainguard/chainguard-images/reference/buck2/tags_history.md +++ b/content/chainguard/chainguard-images/reference/buck2/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the buck2 Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:0dfe197d12b2bbbe52f6a2834ef89942737e5604755bc93596b74851bb1c4a6b` | -| `latest` | November 29th | `sha256:ffc2b1d16bed45235abedbe9fb79019fcd3315d7ba87e8d7c2a04305a875d762` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:ac77e85eb095684ea761b62bff508fa18402991f81534c0c41511e097c3b5122` | +| `latest` | December 6th | `sha256:65010bc3ac8088689eb7d968e089af0be97627e7c601779570c4b3162975dba0` | diff --git a/content/chainguard/chainguard-images/reference/buildkit/_index.md b/content/chainguard/chainguard-images/reference/buildkit/_index.md new file mode 100644 index 0000000000..1bf31237ad --- /dev/null +++ b/content/chainguard/chainguard-images/reference/buildkit/_index.md @@ -0,0 +1,27 @@ +--- +title: "Image Overview: buildkit" +linktitle: "buildkit" +type: "article" +layout: "single" +description: "Overview: buildkit Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +menu: + docs: + parent: "images-reference" +weight: 500 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=true url="/chainguard/chainguard-images/reference/buildkit/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/buildkit/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/buildkit/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/buildkit/provenance_info/" >}} +{{}} + + + diff --git a/content/chainguard/chainguard-images/reference/buildkit/image_specs.md b/content/chainguard/chainguard-images/reference/buildkit/image_specs.md new file mode 100644 index 0000000000..63a48381be --- /dev/null +++ b/content/chainguard/chainguard-images/reference/buildkit/image_specs.md @@ -0,0 +1,74 @@ +--- +title: "buildkit Image Variants" +type: "article" +unlisted: true +description: "Detailed information about the public buildkit Chainguard Image variants" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 550 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/buildkit/" >}} +{{< tab title="Variants" active=true url="/chainguard/chainguard-images/reference/buildkit/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/buildkit/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/buildkit/provenance_info/" >}} +{{}} + +This page shows detailed information about all public variants of the Chainguard **buildkit** Image. + +## Variants Compared +The **buildkit** Chainguard Image currently has 2 public variants: + +- `latest-root-dev` +- `latest-root` + +The table has detailed information about each of these variants. + +| | latest-root-dev | latest-root | +|--------------|----------------------|----------------------| +| Default User | `root` | `root` | +| Entrypoint | `/usr/bin/buildkitd` | `/usr/bin/buildkitd` | +| CMD | not specified | not specified | +| Workdir | not specified | not specified | +| Has apk? | yes | no | +| Has a shell? | yes | no | + +Check the [tags history page](/chainguard/chainguard-images/reference/buildkit/tags_history/) for the full list of available tags. + +## Packages Included +The table shows package distribution across variants. + +| | latest-root-dev | latest-root | +|--------------------------|-----------------|-------------| +| `apk-tools` | X | | +| `bash` | X | | +| `buildctl` | X | X | +| `buildkitd` | X | X | +| `busybox` | X | | +| `ca-certificates-bundle` | X | X | +| `git` | X | | +| `glibc` | X | X | +| `glibc-locale-posix` | X | X | +| `ld-linux` | X | X | +| `libbrotlicommon1` | X | | +| `libbrotlidec1` | X | | +| `libcrypt1` | X | | +| `libcrypto3` | X | | +| `libcurl-openssl4` | X | | +| `libexpat1` | X | | +| `libnghttp2-14` | X | | +| `libpcre2-8-0` | X | | +| `libseccomp` | X | X | +| `libssl3` | X | | +| `ncurses` | X | | +| `ncurses-terminfo-base` | X | | +| `openssl-config` | X | | +| `runc` | X | X | +| `wolfi-baselayout` | X | X | +| `zlib` | X | | + diff --git a/content/chainguard/chainguard-images/reference/buildkit/provenance_info.md b/content/chainguard/chainguard-images/reference/buildkit/provenance_info.md new file mode 100644 index 0000000000..0683436f92 --- /dev/null +++ b/content/chainguard/chainguard-images/reference/buildkit/provenance_info.md @@ -0,0 +1,88 @@ +--- +title: "Provenance Information for buildkit Images" +type: "article" +unlisted: true +description: "Provenance information for buildkit Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 600 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/buildkit/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/buildkit/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/buildkit/tags_history/" >}} +{{< tab title="Provenance" active=true url="/chainguard/chainguard-images/reference/buildkit/provenance_info/" >}} +{{}} + +All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. + +## Verifying buildkit Image Signatures +The **buildkit** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. + +The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. + +```shell +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/buildkit | jq +``` + +By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. + +## Downloading buildkit Image Attestations + +The following [attestations](https://slsa.dev/attestation-model) for the buildkit image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the buildkit image on `linux/amd64`: + +```shell +cosign download attestation \ + --platform=linux/amd64 \ + --predicate-type=https://spdx.dev/Document \ + cgr.dev/chainguard/buildkit | jq -r .payload | base64 -d | jq .predicate +``` +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. + +## Verifying buildkit Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the buildkit image attestations: + +```shell +cosign verify-attestation \ + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/buildkit +``` + +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: + +``` +Verification for cgr.dev/chainguard/buildkit -- +The following checks were performed on each of these signatures: +- The cosign claims were validated +- Existence of the claims in the transparency log was verified offline +- The code-signing certificate was verified using trusted certificate authority certificates +Certificate subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main +Certificate issuer URL: https://token.actions.githubusercontent.com +GitHub Workflow Trigger: schedule +GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696 +GitHub Workflow Name: .github/workflows/release.yaml +GitHub Workflow Trigger chainguard-images/images +GitHub Workflow Ref: refs/heads/main +... +``` diff --git a/content/chainguard/chainguard-images/reference/buildkit/tags_history.md b/content/chainguard/chainguard-images/reference/buildkit/tags_history.md new file mode 100644 index 0000000000..583520f9d3 --- /dev/null +++ b/content/chainguard/chainguard-images/reference/buildkit/tags_history.md @@ -0,0 +1,30 @@ +--- +title: "buildkit Image Tags History" +type: "article" +unlisted: true +description: "Image Tags and History for the buildkit Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 700 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/buildkit/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/buildkit/image_specs/" >}} +{{< tab title="Tags History" active=true url="/chainguard/chainguard-images/reference/buildkit/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/buildkit/provenance_info/" >}} +{{}} + +The following table contains the most recent tags and digests that can be used to pin your Dockerfile to a specific build of this image. Check our guide on [Using the Tag History API](/chainguard/chainguard-images/using-the-tag-history-api/) for information on how to fetch all tags from an image and how to pin your Dockerfile to a specific digest. + +Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). + +| Tag (s) | Last Changed | Digest | +|--------------------|--------------|---------------------------------------------------------------------------| +| `latest-root` | December 5th | `sha256:0348cf24ac319e7a65a16d2242017dfc769e3218aebfb019feac661495684596` | +| `latest-root-dev` | December 5th | `sha256:2006ec468ac9fb0db868775aa9845f8650d58c952ab875f6f901cd809722ef02` | + diff --git a/content/chainguard/chainguard-images/reference/busybox/provenance_info.md b/content/chainguard/chainguard-images/reference/busybox/provenance_info.md index f9c6ddfad8..14ffae32d3 100644 --- a/content/chainguard/chainguard-images/reference/busybox/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/busybox/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for busybox Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **busybox** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/busybox | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/busybox | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the busybox | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the busybox image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the busybox image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/busybox + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/busybox ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/busybox/tags_history.md b/content/chainguard/chainguard-images/reference/busybox/tags_history.md index d7c52f9c06..8dd742cb05 100644 --- a/content/chainguard/chainguard-images/reference/busybox/tags_history.md +++ b/content/chainguard/chainguard-images/reference/busybox/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the busybox Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,10 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|----------------------------------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2aede1e8f505b647c7b88a71da7e264127190b31404ea3556d3c46f5abbba5fd` | -| `latest-glibc` | November 29th | `sha256:f5f11a14dda5355dff116219302d45f1a4fd018285c8922cf848a9b24cae1f3d` | -| `1.36` `1` `1.36.1` | November 3rd | `sha256:d6a7ed7843540fc638e70069e3b75f8422ac3d871162518abb5cbd0ee4bd1d38` | -| `glibc-1` `glibc-1.36.1` `glibc-1.36` | October 30th | `sha256:8e3662a12cc913bc5d2aec46333589f4823910ef9560d8763f1fb04b2923aff1` | +| Tag (s) | Last Changed | Digest | +|-----------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:ba19f44b6a4f45bacc0d4b5f395ec7f5be645e45d0b6a69cffb6ac5b10b8ca0d` | +| `latest-glibc` | December 6th | `sha256:28db6f1067c565d2a2cf410c823649908e887afa54076241ccd5eaab9086d649` | diff --git a/content/chainguard/chainguard-images/reference/caddy/provenance_info.md b/content/chainguard/chainguard-images/reference/caddy/provenance_info.md index 90ac2e0526..4a661fee79 100644 --- a/content/chainguard/chainguard-images/reference/caddy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/caddy/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for caddy Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **caddy** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/caddy | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/caddy | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the caddy i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the caddy image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the caddy image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/caddy + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/caddy ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/caddy/tags_history.md b/content/chainguard/chainguard-images/reference/caddy/tags_history.md index 700e46ecea..a754556d72 100644 --- a/content/chainguard/chainguard-images/reference/caddy/tags_history.md +++ b/content/chainguard/chainguard-images/reference/caddy/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the caddy Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -26,5 +26,4 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|---------------|---------------------------------------------------------------------------| | `latest-dev` | November 29th | `sha256:137b17c73b914e2224b5489df4a41b58a04584ae1654ec1fb7753e65bc8a2a11` | -| `latest` | October 30th | `sha256:9c908a734c784d2a3b376006ed1fe3896962ebd16c1671fdf331c1664d79a4ad` | diff --git a/content/chainguard/chainguard-images/reference/cadvisor/provenance_info.md b/content/chainguard/chainguard-images/reference/cadvisor/provenance_info.md index f7a9fff0df..20f028e370 100644 --- a/content/chainguard/chainguard-images/reference/cadvisor/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cadvisor/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cadvisor Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cadvisor** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cadvisor | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cadvisor | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cadviso | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cadvisor image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cadvisor image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cadvisor + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cadvisor ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cadvisor/tags_history.md b/content/chainguard/chainguard-images/reference/cadvisor/tags_history.md index 63f6a735eb..b67f391b3a 100644 --- a/content/chainguard/chainguard-images/reference/cadvisor/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cadvisor/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cadvisor Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:79d501a6c667f8ced662e5ac8737e5261aed24add003abeaf65b10d529b10892` | -| `latest-dev` | November 29th | `sha256:e3aecc7723c813edae44a4886030294e557e0fc8ab0cce8362e5003c5d559c45` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c1ff5d49f49424d6e5f919e0b02f45dee38e233d3b72d7d1d375b853cd4284a1` | +| `latest-dev` | December 6th | `sha256:de9b5541f993299f970d2a42290eec08942eb95b38e1a0d06c80519c97e2e9a4` | diff --git a/content/chainguard/chainguard-images/reference/calico-cni/_index.md b/content/chainguard/chainguard-images/reference/calico-cni/_index.md index 26e10a593f..d4849c0833 100644 --- a/content/chainguard/chainguard-images/reference/calico-cni/_index.md +++ b/content/chainguard/chainguard-images/reference/calico-cni/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: calico-cni Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -30,20 +30,20 @@ toc: true -## Get It! -The image is available on `cgr.dev`: - -``` -docker pull cgr.dev/chainguard/calico:latest -``` ## Installation -There are several ways to install Calico. This document follows the upstream recommended way with the `tigera-operator` ([ref](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico)). +There are several ways you can install Calico onto a Kubernetes cluster. This document follows method recommended in the [official Calico documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) which involves using the Tigera Calico operator. -There are two CRDs involved that work together to use the correct Chainguard Images: +After setting up and connecting to the Kubernetes cluster where you want to install Calico, install the Tigera Calico operator and custom resource definitions (CRDs). + +```shell +kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/tigera-operator.yaml +``` + +Then apply the following YAML manifest to create two CRDs. ```yaml --- @@ -85,6 +85,12 @@ spec: imagePrefix: calico- ``` -The above combination of `ImageSet` and `Installation` can be used as a drop in replacement for the [upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) step 2 (`custom-resources.yaml`) to correctly rename the Calico images to their `cgr.dev` variants. +The combination of these `ImageSet` and `Installation` CRDs serve as a drop in replacement for [Step 2 of the upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico). Together, these correctly rename the Calico images to their `cgr.dev` variants. + +After creating the CRDs, you can ensure that the pods are running with a command like the following. + +```shell +kubectl get pods -n calico-system +``` diff --git a/content/chainguard/chainguard-images/reference/calico-cni/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-cni/provenance_info.md index 185f01b8f3..5558976896 100644 --- a/content/chainguard/chainguard-images/reference/calico-cni/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-cni/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for calico-cni Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **calico-cni** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calico-cni | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-cni | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the calico- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-cni image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-cni image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/calico-cni + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-cni ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/calico-cni/tags_history.md b/content/chainguard/chainguard-images/reference/calico-cni/tags_history.md index 203adb8f1f..5e2b7d4600 100644 --- a/content/chainguard/chainguard-images/reference/calico-cni/tags_history.md +++ b/content/chainguard/chainguard-images/reference/calico-cni/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the calico-cni Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3561e0d3aa1868bffad1290220aa4ba98f592b5c0d7910a110689e13e9e58681` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:a95551d1423cd7e44bc01eaacd9474102ac4062c6a8b6fc7da19a9876785d3d5` | diff --git a/content/chainguard/chainguard-images/reference/calico-csi/_index.md b/content/chainguard/chainguard-images/reference/calico-csi/_index.md index 70d29466eb..355fe5ee34 100644 --- a/content/chainguard/chainguard-images/reference/calico-csi/_index.md +++ b/content/chainguard/chainguard-images/reference/calico-csi/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: calico-csi Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -30,20 +30,20 @@ toc: true -## Get It! -The image is available on `cgr.dev`: - -``` -docker pull cgr.dev/chainguard/calico:latest -``` ## Installation -There are several ways to install Calico. This document follows the upstream recommended way with the `tigera-operator` ([ref](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico)). +There are several ways you can install Calico onto a Kubernetes cluster. This document follows method recommended in the [official Calico documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) which involves using the Tigera Calico operator. -There are two CRDs involved that work together to use the correct Chainguard Images: +After setting up and connecting to the Kubernetes cluster where you want to install Calico, install the Tigera Calico operator and custom resource definitions (CRDs). + +```shell +kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/tigera-operator.yaml +``` + +Then apply the following YAML manifest to create two CRDs. ```yaml --- @@ -85,6 +85,12 @@ spec: imagePrefix: calico- ``` -The above combination of `ImageSet` and `Installation` can be used as a drop in replacement for the [upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) step 2 (`custom-resources.yaml`) to correctly rename the Calico images to their `cgr.dev` variants. +The combination of these `ImageSet` and `Installation` CRDs serve as a drop in replacement for [Step 2 of the upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico). Together, these correctly rename the Calico images to their `cgr.dev` variants. + +After creating the CRDs, you can ensure that the pods are running with a command like the following. + +```shell +kubectl get pods -n calico-system +``` diff --git a/content/chainguard/chainguard-images/reference/calico-csi/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-csi/provenance_info.md index 6cc2b333dc..a1c0b91323 100644 --- a/content/chainguard/chainguard-images/reference/calico-csi/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-csi/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for calico-csi Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **calico-csi** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calico-csi | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-csi | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the calico- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-csi image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-csi image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/calico-csi + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-csi ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/calico-csi/tags_history.md b/content/chainguard/chainguard-images/reference/calico-csi/tags_history.md index 137d93c80c..aab249260f 100644 --- a/content/chainguard/chainguard-images/reference/calico-csi/tags_history.md +++ b/content/chainguard/chainguard-images/reference/calico-csi/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the calico-csi Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3678b8fea34dfd297cd6bafec28460e2db943122ca595befb14b9dd15a8e7028` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:4b0545d654b55734099e86514e8b2ec4fc04ec74df3f2d1dd0f00b73d29348db` | diff --git a/content/chainguard/chainguard-images/reference/calico-kube-controllers/_index.md b/content/chainguard/chainguard-images/reference/calico-kube-controllers/_index.md index 08b0dc0619..b597c50fea 100644 --- a/content/chainguard/chainguard-images/reference/calico-kube-controllers/_index.md +++ b/content/chainguard/chainguard-images/reference/calico-kube-controllers/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: calico-kube-controllers Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -30,20 +30,20 @@ toc: true -## Get It! -The image is available on `cgr.dev`: - -``` -docker pull cgr.dev/chainguard/calico:latest -``` ## Installation -There are several ways to install Calico. This document follows the upstream recommended way with the `tigera-operator` ([ref](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico)). +There are several ways you can install Calico onto a Kubernetes cluster. This document follows method recommended in the [official Calico documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) which involves using the Tigera Calico operator. -There are two CRDs involved that work together to use the correct Chainguard Images: +After setting up and connecting to the Kubernetes cluster where you want to install Calico, install the Tigera Calico operator and custom resource definitions (CRDs). + +```shell +kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/tigera-operator.yaml +``` + +Then apply the following YAML manifest to create two CRDs. ```yaml --- @@ -85,6 +85,12 @@ spec: imagePrefix: calico- ``` -The above combination of `ImageSet` and `Installation` can be used as a drop in replacement for the [upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) step 2 (`custom-resources.yaml`) to correctly rename the Calico images to their `cgr.dev` variants. +The combination of these `ImageSet` and `Installation` CRDs serve as a drop in replacement for [Step 2 of the upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico). Together, these correctly rename the Calico images to their `cgr.dev` variants. + +After creating the CRDs, you can ensure that the pods are running with a command like the following. + +```shell +kubectl get pods -n calico-system +``` diff --git a/content/chainguard/chainguard-images/reference/calico-kube-controllers/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-kube-controllers/provenance_info.md index 2a6ccf641e..ec7d0ed2d8 100644 --- a/content/chainguard/chainguard-images/reference/calico-kube-controllers/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-kube-controllers/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for calico-kube-controllers Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **calico-kube-controllers** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calico-kube-controllers | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-kube-controllers | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the calico- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-kube-controllers image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-kube-controllers image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/calico-kube-controllers + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-kube-controllers ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/calico-kube-controllers/tags_history.md b/content/chainguard/chainguard-images/reference/calico-kube-controllers/tags_history.md index 7fa50da713..ccad6ee20b 100644 --- a/content/chainguard/chainguard-images/reference/calico-kube-controllers/tags_history.md +++ b/content/chainguard/chainguard-images/reference/calico-kube-controllers/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the calico-kube-controllers Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2a1ffd8afb305e6c6bd46033be5bab9ce47113813a8192008960e535d3aca7bf` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c87a85cd1c5c1f57b234c45e47c5039c5978c2e1a6159be11f018441e33706bb` | diff --git a/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/_index.md b/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/_index.md index daf45d4560..e21661f9fa 100644 --- a/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/_index.md +++ b/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: calico-node-driver-registrar Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -30,20 +30,20 @@ toc: true -## Get It! -The image is available on `cgr.dev`: - -``` -docker pull cgr.dev/chainguard/calico:latest -``` ## Installation -There are several ways to install Calico. This document follows the upstream recommended way with the `tigera-operator` ([ref](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico)). +There are several ways you can install Calico onto a Kubernetes cluster. This document follows method recommended in the [official Calico documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) which involves using the Tigera Calico operator. -There are two CRDs involved that work together to use the correct Chainguard Images: +After setting up and connecting to the Kubernetes cluster where you want to install Calico, install the Tigera Calico operator and custom resource definitions (CRDs). + +```shell +kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/tigera-operator.yaml +``` + +Then apply the following YAML manifest to create two CRDs. ```yaml --- @@ -85,6 +85,12 @@ spec: imagePrefix: calico- ``` -The above combination of `ImageSet` and `Installation` can be used as a drop in replacement for the [upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) step 2 (`custom-resources.yaml`) to correctly rename the Calico images to their `cgr.dev` variants. +The combination of these `ImageSet` and `Installation` CRDs serve as a drop in replacement for [Step 2 of the upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico). Together, these correctly rename the Calico images to their `cgr.dev` variants. + +After creating the CRDs, you can ensure that the pods are running with a command like the following. + +```shell +kubectl get pods -n calico-system +``` diff --git a/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/provenance_info.md index 58e72889f3..8a9e1baede 100644 --- a/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for calico-node-driver-registrar Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **calico-node-driver-registrar** Chainguard Images are signed using Sigstore The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calico-node-driver-registrar | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-node-driver-registrar | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the calico- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-node-driver-registrar image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-node-driver-registrar image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/calico-node-driver-registrar + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-node-driver-registrar ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/tags_history.md b/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/tags_history.md index 0835d98c51..4d3210e1d7 100644 --- a/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/tags_history.md +++ b/content/chainguard/chainguard-images/reference/calico-node-driver-registrar/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the calico-node-driver-registrar Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:be3b7b9eae337bb9f5ab85a6bbb8e065430659773610633236244a9ef2b3c1d9` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:eef323a59ff64b581629c3af9492bcd9812123400c37701e695ec1beae535f42` | diff --git a/content/chainguard/chainguard-images/reference/calico-node/_index.md b/content/chainguard/chainguard-images/reference/calico-node/_index.md index bd3feb042c..073eacd822 100644 --- a/content/chainguard/chainguard-images/reference/calico-node/_index.md +++ b/content/chainguard/chainguard-images/reference/calico-node/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: calico-node Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -30,20 +30,20 @@ toc: true -## Get It! -The image is available on `cgr.dev`: - -``` -docker pull cgr.dev/chainguard/calico:latest -``` ## Installation -There are several ways to install Calico. This document follows the upstream recommended way with the `tigera-operator` ([ref](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico)). +There are several ways you can install Calico onto a Kubernetes cluster. This document follows method recommended in the [official Calico documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) which involves using the Tigera Calico operator. -There are two CRDs involved that work together to use the correct Chainguard Images: +After setting up and connecting to the Kubernetes cluster where you want to install Calico, install the Tigera Calico operator and custom resource definitions (CRDs). + +```shell +kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/tigera-operator.yaml +``` + +Then apply the following YAML manifest to create two CRDs. ```yaml --- @@ -85,6 +85,12 @@ spec: imagePrefix: calico- ``` -The above combination of `ImageSet` and `Installation` can be used as a drop in replacement for the [upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) step 2 (`custom-resources.yaml`) to correctly rename the Calico images to their `cgr.dev` variants. +The combination of these `ImageSet` and `Installation` CRDs serve as a drop in replacement for [Step 2 of the upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico). Together, these correctly rename the Calico images to their `cgr.dev` variants. + +After creating the CRDs, you can ensure that the pods are running with a command like the following. + +```shell +kubectl get pods -n calico-system +``` diff --git a/content/chainguard/chainguard-images/reference/calico-node/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-node/provenance_info.md index c41e6baf9a..b9dff04eda 100644 --- a/content/chainguard/chainguard-images/reference/calico-node/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-node/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for calico-node Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **calico-node** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calico-node | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-node | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the calico- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-node image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-node image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/calico-node + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-node ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/calico-node/tags_history.md b/content/chainguard/chainguard-images/reference/calico-node/tags_history.md index 6d8543f5d8..c61a1bba79 100644 --- a/content/chainguard/chainguard-images/reference/calico-node/tags_history.md +++ b/content/chainguard/chainguard-images/reference/calico-node/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the calico-node Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3d9bb0a266d072a70d3a07e153398cc820fa867482bc7ca2e812db9ab9a59977` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:ca687a9beb87cb440af746572ceba997dfbb843168c6b021ee41a22bca58cb0f` | diff --git a/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/_index.md b/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/_index.md index 78cdf5063f..0a49f0a6f8 100644 --- a/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/_index.md +++ b/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: calico-pod2daemon-flexvol Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -30,20 +30,20 @@ toc: true -## Get It! -The image is available on `cgr.dev`: - -``` -docker pull cgr.dev/chainguard/calico:latest -``` ## Installation -There are several ways to install Calico. This document follows the upstream recommended way with the `tigera-operator` ([ref](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico)). +There are several ways you can install Calico onto a Kubernetes cluster. This document follows method recommended in the [official Calico documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) which involves using the Tigera Calico operator. -There are two CRDs involved that work together to use the correct Chainguard Images: +After setting up and connecting to the Kubernetes cluster where you want to install Calico, install the Tigera Calico operator and custom resource definitions (CRDs). + +```shell +kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/tigera-operator.yaml +``` + +Then apply the following YAML manifest to create two CRDs. ```yaml --- @@ -85,6 +85,12 @@ spec: imagePrefix: calico- ``` -The above combination of `ImageSet` and `Installation` can be used as a drop in replacement for the [upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) step 2 (`custom-resources.yaml`) to correctly rename the Calico images to their `cgr.dev` variants. +The combination of these `ImageSet` and `Installation` CRDs serve as a drop in replacement for [Step 2 of the upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico). Together, these correctly rename the Calico images to their `cgr.dev` variants. + +After creating the CRDs, you can ensure that the pods are running with a command like the following. + +```shell +kubectl get pods -n calico-system +``` diff --git a/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/provenance_info.md index 2e61c54edc..8cfe57067f 100644 --- a/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for calico-pod2daemon-flexvol Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **calico-pod2daemon-flexvol** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calico-pod2daemon-flexvol | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-pod2daemon-flexvol | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the calico- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-pod2daemon-flexvol image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-pod2daemon-flexvol image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/calico-pod2daemon-flexvol + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-pod2daemon-flexvol ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/tags_history.md b/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/tags_history.md index 54dc7e3657..e2ebf940ec 100644 --- a/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/tags_history.md +++ b/content/chainguard/chainguard-images/reference/calico-pod2daemon-flexvol/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the calico-pod2daemon-flexvol Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:0c2a2e80d88bca68b7483be0207bade5d19f262e2eb503edbce5c8924046aa53` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:5cd8dd3a0039d531a32e2e70adc336553764135f6177797674cbe332087b2979` | diff --git a/content/chainguard/chainguard-images/reference/calico-typha/_index.md b/content/chainguard/chainguard-images/reference/calico-typha/_index.md index a0d3d5be52..9e10b28440 100644 --- a/content/chainguard/chainguard-images/reference/calico-typha/_index.md +++ b/content/chainguard/chainguard-images/reference/calico-typha/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: calico-typha Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -30,20 +30,20 @@ toc: true -## Get It! -The image is available on `cgr.dev`: - -``` -docker pull cgr.dev/chainguard/calico:latest -``` ## Installation -There are several ways to install Calico. This document follows the upstream recommended way with the `tigera-operator` ([ref](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico)). +There are several ways you can install Calico onto a Kubernetes cluster. This document follows method recommended in the [official Calico documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) which involves using the Tigera Calico operator. -There are two CRDs involved that work together to use the correct Chainguard Images: +After setting up and connecting to the Kubernetes cluster where you want to install Calico, install the Tigera Calico operator and custom resource definitions (CRDs). + +```shell +kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/tigera-operator.yaml +``` + +Then apply the following YAML manifest to create two CRDs. ```yaml --- @@ -85,6 +85,12 @@ spec: imagePrefix: calico- ``` -The above combination of `ImageSet` and `Installation` can be used as a drop in replacement for the [upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) step 2 (`custom-resources.yaml`) to correctly rename the Calico images to their `cgr.dev` variants. +The combination of these `ImageSet` and `Installation` CRDs serve as a drop in replacement for [Step 2 of the upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico). Together, these correctly rename the Calico images to their `cgr.dev` variants. + +After creating the CRDs, you can ensure that the pods are running with a command like the following. + +```shell +kubectl get pods -n calico-system +``` diff --git a/content/chainguard/chainguard-images/reference/calico-typha/provenance_info.md b/content/chainguard/chainguard-images/reference/calico-typha/provenance_info.md index 4f79c2dd4f..4d3f28b3fe 100644 --- a/content/chainguard/chainguard-images/reference/calico-typha/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calico-typha/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for calico-typha Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **calico-typha** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calico-typha | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-typha | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the calico- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-typha image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calico-typha image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/calico-typha + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calico-typha ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/calico-typha/tags_history.md b/content/chainguard/chainguard-images/reference/calico-typha/tags_history.md index 01d7738eb2..3908ddd702 100644 --- a/content/chainguard/chainguard-images/reference/calico-typha/tags_history.md +++ b/content/chainguard/chainguard-images/reference/calico-typha/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the calico-typha Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:78c222d8f7d456739d2e2dfd4c901ff5434ab4172ffff508306c6fa375b00b14` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:cd1b484b4d0b6a3f19e9cec102e388618b6acfe992617d50a0a472d5b7f29292` | diff --git a/content/chainguard/chainguard-images/reference/calicoctl/_index.md b/content/chainguard/chainguard-images/reference/calicoctl/_index.md index f5371368a7..981666f5a6 100644 --- a/content/chainguard/chainguard-images/reference/calicoctl/_index.md +++ b/content/chainguard/chainguard-images/reference/calicoctl/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: calicoctl Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -30,20 +30,20 @@ toc: true -## Get It! -The image is available on `cgr.dev`: - -``` -docker pull cgr.dev/chainguard/calico:latest -``` ## Installation -There are several ways to install Calico. This document follows the upstream recommended way with the `tigera-operator` ([ref](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico)). +There are several ways you can install Calico onto a Kubernetes cluster. This document follows method recommended in the [official Calico documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) which involves using the Tigera Calico operator. -There are two CRDs involved that work together to use the correct Chainguard Images: +After setting up and connecting to the Kubernetes cluster where you want to install Calico, install the Tigera Calico operator and custom resource definitions (CRDs). + +```shell +kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/tigera-operator.yaml +``` + +Then apply the following YAML manifest to create two CRDs. ```yaml --- @@ -85,6 +85,12 @@ spec: imagePrefix: calico- ``` -The above combination of `ImageSet` and `Installation` can be used as a drop in replacement for the [upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico) step 2 (`custom-resources.yaml`) to correctly rename the Calico images to their `cgr.dev` variants. +The combination of these `ImageSet` and `Installation` CRDs serve as a drop in replacement for [Step 2 of the upstream documentation](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico). Together, these correctly rename the Calico images to their `cgr.dev` variants. + +After creating the CRDs, you can ensure that the pods are running with a command like the following. + +```shell +kubectl get pods -n calico-system +``` diff --git a/content/chainguard/chainguard-images/reference/calicoctl/provenance_info.md b/content/chainguard/chainguard-images/reference/calicoctl/provenance_info.md index 23b7352b87..f6f1cd917b 100644 --- a/content/chainguard/chainguard-images/reference/calicoctl/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/calicoctl/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for calicoctl Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **calicoctl** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calicoctl | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calicoctl | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the calicoc | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calicoctl image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the calicoctl image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/calicoctl + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/calicoctl ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/calicoctl/tags_history.md b/content/chainguard/chainguard-images/reference/calicoctl/tags_history.md index b91c825620..06e5027175 100644 --- a/content/chainguard/chainguard-images/reference/calicoctl/tags_history.md +++ b/content/chainguard/chainguard-images/reference/calicoctl/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the calicoctl Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:0c06b663b2a693bb411af6caa2669d285ea9ed5bd8b6d83b6d27abdbb2b3b1c9` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:491c39011ae3c2878ff227702f49c5165985b99e8b7f29339232b35f71b39e58` | diff --git a/content/chainguard/chainguard-images/reference/cassandra/provenance_info.md b/content/chainguard/chainguard-images/reference/cassandra/provenance_info.md index 2eedf05db6..63f7c9a731 100644 --- a/content/chainguard/chainguard-images/reference/cassandra/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cassandra/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cassandra Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cassandra** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cassandra | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cassandra | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cassand | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cassandra image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cassandra image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cassandra + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cassandra ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cassandra/tags_history.md b/content/chainguard/chainguard-images/reference/cassandra/tags_history.md index 725e4d3d62..b603ae8d79 100644 --- a/content/chainguard/chainguard-images/reference/cassandra/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cassandra/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cassandra Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:5d5299c3bb7b33ac72639f051599c442b1fddf895c487d2fc9e8c508959ceb9a` | -| `latest-dev` | November 29th | `sha256:06a8f79f77ab5f77d74293ac57ad480f892ec78f027ffcd6b535cd168fb7019b` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:23c742e38d9a0860aa710bfd48d1c1b1115305d23bf786b842a2b5dea3098563` | +| `latest-dev` | December 6th | `sha256:408e630f6f2e5b33f2d6022027fec12fc28f569375f169eab9c2ae78980181d2` | diff --git a/content/chainguard/chainguard-images/reference/cc-dynamic/provenance_info.md b/content/chainguard/chainguard-images/reference/cc-dynamic/provenance_info.md index ee02161306..fc7223db9a 100644 --- a/content/chainguard/chainguard-images/reference/cc-dynamic/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cc-dynamic/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cc-dynamic Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cc-dynamic** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cc-dynamic | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cc-dynamic | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cc-dyna | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cc-dynamic image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cc-dynamic image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cc-dynamic + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cc-dynamic ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cc-dynamic/tags_history.md b/content/chainguard/chainguard-images/reference/cc-dynamic/tags_history.md index 62afaf029b..e46e0cf4aa 100644 --- a/content/chainguard/chainguard-images/reference/cc-dynamic/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cc-dynamic/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cc-dynamic Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:775805ee3d18743bce13579b032d62a2e818a68a3b65f89ca146cf349ca03e5b` | -| `latest-dev` | November 29th | `sha256:c8a532dc2f13b87ff8c7184d9dd55b6a14d4f584b45fba9f8e42d73e42e2b741` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1eaa105b7e040f1e4306bf5a2b651fffb0eb3f0087697081d530eec98211ecdd` | +| `latest-dev` | December 6th | `sha256:153372d5be4a5a11ce030eb6734515c90fba75106ddb71efd0c5d95cc8cb17c0` | diff --git a/content/chainguard/chainguard-images/reference/cedar/provenance_info.md b/content/chainguard/chainguard-images/reference/cedar/provenance_info.md index ff7bc98679..7aa5d6ff53 100644 --- a/content/chainguard/chainguard-images/reference/cedar/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cedar/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cedar Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cedar** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cedar | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cedar | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cedar i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cedar image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cedar image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cedar + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cedar ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cedar/tags_history.md b/content/chainguard/chainguard-images/reference/cedar/tags_history.md index ffa9adfff0..6b478ac0aa 100644 --- a/content/chainguard/chainguard-images/reference/cedar/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cedar/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cedar Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:9e156ca2dcc8b544d26e61f82483d7fa1e4aea8d2c368b7b6c2fe2d7f5001256` | -| `latest` | November 29th | `sha256:1028466814ec3bb777eced82104b685e07df017767b51b812791b23d1c7add30` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:c1f441a49da8bb258d5eaf1962312a7bb37d250e02d6183a64c88a30d70f3612` | +| `latest` | December 6th | `sha256:60134442c055e4e04c92f89a0f8ad224b36c6782e1dcd79141a56d45520a4bba` | diff --git a/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/provenance_info.md b/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/provenance_info.md index 6cbec3d1b2..49aed55aae 100644 --- a/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cert-manager-acmesolver Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cert-manager-acmesolver** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cert-manager-acmesolver | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cert-manager-acmesolver | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cert-ma | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-acmesolver image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-acmesolver image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cert-manager-acmesolver + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cert-manager-acmesolver ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/tags_history.md b/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/tags_history.md index b80a57bd94..b524c792c4 100644 --- a/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cert-manager-acmesolver/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cert-manager-acmesolver Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:b85c08a8a87523ac5a7f4a24792c3a35b2fc6433a99af09d6e314006f0fa8c9d` | -| `latest-dev` | November 29th | `sha256:55aad63709a185ef84faec2c1f9b36b996c1e25acc4482d07214913b797c5338` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:348f9609d937dbc8789badf4ca630523ee78ea9e4b6d81e5c452874c5a140728` | +| `latest-dev` | December 6th | `sha256:ceefc5846bd15b656f034545065b962f264b8db2caefab6d7b2cfe1cb19e9c01` | diff --git a/content/chainguard/chainguard-images/reference/cert-manager-cainjector/provenance_info.md b/content/chainguard/chainguard-images/reference/cert-manager-cainjector/provenance_info.md index f18fa36fd4..70fc337088 100644 --- a/content/chainguard/chainguard-images/reference/cert-manager-cainjector/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cert-manager-cainjector/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cert-manager-cainjector Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cert-manager-cainjector** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cert-manager-cainjector | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cert-manager-cainjector | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cert-ma | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-cainjector image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-cainjector image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cert-manager-cainjector + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cert-manager-cainjector ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cert-manager-cainjector/tags_history.md b/content/chainguard/chainguard-images/reference/cert-manager-cainjector/tags_history.md index 089824f7ac..9e0f8d02aa 100644 --- a/content/chainguard/chainguard-images/reference/cert-manager-cainjector/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cert-manager-cainjector/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cert-manager-cainjector Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:512d757862872003b8a72bd4c4501b7f727a947027d2d291361875990520dca6` | -| `latest` | November 24th | `sha256:ec55186a10c6c3855e86f9979d3141cd6ab5a4922417cceeb74d64150ae32633` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:7208b28418036febcbc4a582df2c0ea7af8ada1f82fc3ff51428ec54ef5df082` | +| `latest-dev` | December 6th | `sha256:66a6798e2743e2a120b5fabd6d6522cef648b62b2aeddafd4a9fc3919b9a54ef` | diff --git a/content/chainguard/chainguard-images/reference/cert-manager-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/cert-manager-controller/provenance_info.md index 0f709eb3cf..ff8f167106 100644 --- a/content/chainguard/chainguard-images/reference/cert-manager-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cert-manager-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cert-manager-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cert-manager-controller** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cert-manager-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cert-manager-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cert-ma | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cert-manager-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cert-manager-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cert-manager-controller/tags_history.md b/content/chainguard/chainguard-images/reference/cert-manager-controller/tags_history.md index afb4c19e5b..c66ac897ca 100644 --- a/content/chainguard/chainguard-images/reference/cert-manager-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cert-manager-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cert-manager-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:7b090920e79e667e571c689af454421ee30de1dc856d62a04d8ca7f3c361cd11` | -| `latest-dev` | November 29th | `sha256:7c58d0852299717287197ac03332ce6ce8fc04a078681839d509c844cb4d9f57` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:c665e7c7faab60c31c850b079357209fe28786518daa648397226e6e04130b82` | +| `latest` | December 6th | `sha256:91f38ac46342a42e40a1ffc291d53a8e6770071301fb48d1a88292449c41fad9` | diff --git a/content/chainguard/chainguard-images/reference/cert-manager-webhook/provenance_info.md b/content/chainguard/chainguard-images/reference/cert-manager-webhook/provenance_info.md index 6c10836c16..b4beb70ef6 100644 --- a/content/chainguard/chainguard-images/reference/cert-manager-webhook/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cert-manager-webhook/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cert-manager-webhook Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cert-manager-webhook** Chainguard Images are signed using Sigstore, and yo The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cert-manager-webhook | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cert-manager-webhook | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cert-ma | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-webhook image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cert-manager-webhook image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cert-manager-webhook + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cert-manager-webhook ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cert-manager-webhook/tags_history.md b/content/chainguard/chainguard-images/reference/cert-manager-webhook/tags_history.md index 37aee8efdd..4730000265 100644 --- a/content/chainguard/chainguard-images/reference/cert-manager-webhook/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cert-manager-webhook/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cert-manager-webhook Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:9db84e4f4dba624bad56a123191b2fd4df61ca93deb58a5913340e2c6aa4e890` | -| `latest` | November 29th | `sha256:710e733f46ec482d9c7fbd29879966b34d3469c21e5f19b00d1d3792c20acf85` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:f28319bb5c6e4a3b3f8b1a2502553d3c9378840773c7d2b7d60f6c76cc90720e` | +| `latest` | December 6th | `sha256:d939ad37d14e2997d4bf61b3f29a6dc11df3ac7251a8605ec4a13e2c380693d1` | diff --git a/content/chainguard/chainguard-images/reference/cfssl/provenance_info.md b/content/chainguard/chainguard-images/reference/cfssl/provenance_info.md index 7453ae10ac..c05904dec1 100644 --- a/content/chainguard/chainguard-images/reference/cfssl/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cfssl/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cfssl Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cfssl** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cfssl | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cfssl | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cfssl i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cfssl image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cfssl image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cfssl + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cfssl ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cfssl/tags_history.md b/content/chainguard/chainguard-images/reference/cfssl/tags_history.md index 504b426736..faa24b77ca 100644 --- a/content/chainguard/chainguard-images/reference/cfssl/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cfssl/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cfssl Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:197ab43b913fc9b736d1429407d25ec07a38f9ee6f15506e32982bed842a6a03` | -| `latest-dev` | November 29th | `sha256:a9ede015b0a677059156e22aece0fdef12aa42c8d343446ba3e5050436ecdc0a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:76381b46d787dc380b1fecf664480309bece8f05fe1e25df16b3d6092774e3b5` | +| `latest-dev` | December 6th | `sha256:0b49281724464524766f8e22feb7b8c3e2a09d421fcd902c1a471d25aaef901a` | diff --git a/content/chainguard/chainguard-images/reference/cilium-agent/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-agent/provenance_info.md index 415130682b..1bf279d9bb 100644 --- a/content/chainguard/chainguard-images/reference/cilium-agent/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cilium-agent/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cilium-agent Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cilium-agent** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cilium-agent | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-agent | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cilium- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-agent image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-agent image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cilium-agent + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-agent ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cilium-agent/tags_history.md b/content/chainguard/chainguard-images/reference/cilium-agent/tags_history.md index 7722f1d96a..83da997456 100644 --- a/content/chainguard/chainguard-images/reference/cilium-agent/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cilium-agent/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cilium-agent Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:97044904c4ddf5e3ab713cc4233b2946ce925962526e48678add8782fb981c22` | -| `latest` | November 29th | `sha256:0761d65527ac053d4c7d6303b14595e8789f8b08d945dc14a925af58916fb01a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:a81891c4b804d3243c2fc10890a28cbbf102602873efe841882617d947ed5ea8` | +| `latest` | December 6th | `sha256:310aba9b967bcf85e9e08a7de458410ebb75ef9e2640d2417b4ef53db0a77fab` | diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-relay/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-hubble-relay/provenance_info.md index 8da6e1eecc..642bdb7fe2 100644 --- a/content/chainguard/chainguard-images/reference/cilium-hubble-relay/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cilium-hubble-relay/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cilium-hubble-relay Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cilium-hubble-relay** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cilium-hubble-relay | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-hubble-relay | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cilium- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-relay image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-relay image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cilium-hubble-relay + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-hubble-relay ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-relay/tags_history.md b/content/chainguard/chainguard-images/reference/cilium-hubble-relay/tags_history.md index 008a8f2c9c..8e6a9b841e 100644 --- a/content/chainguard/chainguard-images/reference/cilium-hubble-relay/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cilium-hubble-relay/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cilium-hubble-relay Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3f8b3e85ea7c375756fef1a35d255f45cf31a9bbb82366ee7c91caedaf493029` | -| `latest-dev` | November 29th | `sha256:82c61b91eac6b983a407ff699dc28bb47434acb0893a8f3012dbd7328bb7ecae` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:d5f08445c6bbbb22768eaef6790a107be33f21e2c1b76fb5ee9401e38a16ddb6` | +| `latest-dev` | December 6th | `sha256:5315f9c2b86efc329b4965a345d2c37650cd0705d33af1f4f1c32a04a04411a4` | diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/provenance_info.md index aadf79883b..39e35ea8d9 100644 --- a/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cilium-hubble-ui-backend Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cilium-hubble-ui-backend** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cilium-hubble-ui-backend | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-hubble-ui-backend | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cilium- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-ui-backend image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-ui-backend image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cilium-hubble-ui-backend + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-hubble-ui-backend ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/tags_history.md b/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/tags_history.md index 02732126b5..f86d0ac7b1 100644 --- a/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cilium-hubble-ui-backend/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cilium-hubble-ui-backend Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:97aee1aa0198f4b993f49b11709d88229242f0c1ab3a6ce4d072125ced69918a` | -| `latest` | November 29th | `sha256:c4a1ca305531de39e9bd4b88a587c93e419f811f6750a06c268d736301e658fe` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:dd32bc4b2a4bbc37790756e373fdeb5b873273db235785868ae09d321f4a4472` | +| `latest-dev` | December 6th | `sha256:c35983b4ad383635feaf41af00a552bc8fdf34f8ae4f61acff4788fd78eb9659` | diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-ui/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-hubble-ui/provenance_info.md index 361fb33e1b..90e09bb155 100644 --- a/content/chainguard/chainguard-images/reference/cilium-hubble-ui/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cilium-hubble-ui/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cilium-hubble-ui Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cilium-hubble-ui** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cilium-hubble-ui | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-hubble-ui | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cilium- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-ui image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-hubble-ui image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cilium-hubble-ui + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-hubble-ui ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cilium-hubble-ui/tags_history.md b/content/chainguard/chainguard-images/reference/cilium-hubble-ui/tags_history.md index 41ef2f2912..eb44dd6dda 100644 --- a/content/chainguard/chainguard-images/reference/cilium-hubble-ui/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cilium-hubble-ui/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cilium-hubble-ui Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:9d494557cb1bec077c37f4a31efa790999efb02db9f22cb37041459db5fef341` | -| `latest-dev` | November 29th | `sha256:74d40bcc62e8726fe8c9463d312fd0370e12e7790369942d99379f3844d8b0c9` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:b1263a9a6a7c27373808d73eb460fd459de2df296db4527779200e79d789b67f` | +| `latest` | December 6th | `sha256:94246ba2baaeda23f01e17cce623a01709491d62758595c6965ae8f9e362400c` | diff --git a/content/chainguard/chainguard-images/reference/cilium-operator-generic/provenance_info.md b/content/chainguard/chainguard-images/reference/cilium-operator-generic/provenance_info.md index c708a8b3c6..54d5f9017f 100644 --- a/content/chainguard/chainguard-images/reference/cilium-operator-generic/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cilium-operator-generic/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cilium-operator-generic Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cilium-operator-generic** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cilium-operator-generic | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-operator-generic | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cilium- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-operator-generic image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cilium-operator-generic image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cilium-operator-generic + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cilium-operator-generic ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cilium-operator-generic/tags_history.md b/content/chainguard/chainguard-images/reference/cilium-operator-generic/tags_history.md index 9c75075785..78f1945c9d 100644 --- a/content/chainguard/chainguard-images/reference/cilium-operator-generic/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cilium-operator-generic/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cilium-operator-generic Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d0f63a3bd8a26f7a5f10334b4cef5bf9c3abc27b3bc372c27e147de86c08d202` | -| `latest-dev` | November 29th | `sha256:21fb25fbdea65539c8e3641f94ad5e3e0c4cb19779b031a3152e8e56f5d6f0cd` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:e89a144e5b12fc6825c7533628c64ad9a2b66c0be9e38bca214158fc85832a73` | +| `latest-dev` | December 6th | `sha256:ae73d71722bbb687ae07c843234f2f76f223db3f07f7ddbf816d379c8ad3ed4b` | diff --git a/content/chainguard/chainguard-images/reference/clang/_index.md b/content/chainguard/chainguard-images/reference/clang/_index.md index e137d54165..bc8d4c8853 100644 --- a/content/chainguard/chainguard-images/reference/clang/_index.md +++ b/content/chainguard/chainguard-images/reference/clang/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: clang Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -26,7 +26,7 @@ toc: true -[Clang](https://clang.llvm.org) is a compiler front end for the C, C++, Objective-C, and Objective-C++ programming languages, as well as the OpenMP, OpenCL, RenderScript, CUDA, SYCL, and HIP frameworks +[Clang](https://clang.llvm.org) is a compiler front end for the C, C++, Objective-C, and Objective-C++ programming languages, as well as the OpenMP, OpenCL, RenderScript, CUDA, SYCL, and HIP frameworks. @@ -39,5 +39,51 @@ docker pull cgr.dev/chainguard/clang:latest - + +## Use It! + +To illustrate working with the Clang Chainguard Image, this section outlines how you can use it to compile a "Hello World!" program written in C. + +To begin, run the following command to create a file named `hello.c` to hold the C code. + +```shell +cat > /tmp/hello.c < + +int main() { + printf("Hello World!\n"); + return 0; +} +EOF +``` + +To simplify cleanup, this command places the file in the `/tmp` temporary directory. + +Next, run the following `docker` command. This will mount the contents of your local `/tmp` directory (including the `hello.c` file) into the container's `work` directory. Once there, Clang will compile the C code into an executable program named `hello`. + +```shell +docker run --rm -v /tmp:/work cgr.dev/chainguard/clang:latest hello.c -o /work/hello +``` + +The `hello` program will be stored back in your local `/tmp` directory. You can test that everything worked correctly by executing this program. + +```shell +/tmp/hello +``` +``` +Hello World! +``` + +Be aware that, depending on your local machine's operating system, you may not be able to execute this file directly like this. This may be because the program is built with [Wolfi](https://edu.chainguard.dev/open-source/wolfi/overview/). This creates an executable in the Executable and Linkable Format, the standard file format for Linux executables. Other systems might expect a different format; for example, this executable can't run directly on MacOS systems, which instead expect the Mach-O format. It could also be that your machine's `/tmp` directory was mounted with the `noexec` option, preventing anything stored in that directory from being executed. + +If you receive an error when trying to run the `hello` program, you can try using another Wolfi-based image to execute it, like so. + +```shell +docker run --rm -v /tmp:/work cgr.dev/chainguard/bash /work/hello +``` +``` +. . . +Hello World! +``` + diff --git a/content/chainguard/chainguard-images/reference/clang/provenance_info.md b/content/chainguard/chainguard-images/reference/clang/provenance_info.md index 5fec555799..799ad0f618 100644 --- a/content/chainguard/chainguard-images/reference/clang/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/clang/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for clang Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **clang** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/clang | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/clang | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the clang i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the clang image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the clang image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/clang + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/clang ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/clang/tags_history.md b/content/chainguard/chainguard-images/reference/clang/tags_history.md index 23779fde59..b9abc0ae3a 100644 --- a/content/chainguard/chainguard-images/reference/clang/tags_history.md +++ b/content/chainguard/chainguard-images/reference/clang/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the clang Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c576ffd44f415f1dafcac7b5c0cc1240432493c8b01001fb59c3472e6e28fb4f` | -| `latest-dev` | November 29th | `sha256:c7bc8a38dd264b08c51c5b3e64dba721a42a804bfc6f72e2f46a59f8915a3dc5` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:8787e17e789df184bd834da47693ed6366037c8852d1fe16acea3bfd6e323e38` | +| `latest` | December 6th | `sha256:abd7aca1f26e1cf338674215c34e7f838224bd375018a6499364087197decd07` | diff --git a/content/chainguard/chainguard-images/reference/cluster-autoscaler/provenance_info.md b/content/chainguard/chainguard-images/reference/cluster-autoscaler/provenance_info.md index bb733ba326..f6cec1e3d9 100644 --- a/content/chainguard/chainguard-images/reference/cluster-autoscaler/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cluster-autoscaler/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cluster-autoscaler Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cluster-autoscaler** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cluster-autoscaler | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cluster-autoscaler | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cluster | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cluster-autoscaler image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cluster-autoscaler image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cluster-autoscaler + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cluster-autoscaler ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cluster-autoscaler/tags_history.md b/content/chainguard/chainguard-images/reference/cluster-autoscaler/tags_history.md index 28a337f431..d384e87056 100644 --- a/content/chainguard/chainguard-images/reference/cluster-autoscaler/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cluster-autoscaler/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cluster-autoscaler Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:5a289d7aea05f0602ece4e6d9c12202b973b203d96e81965b5bcdd15adba3fe9` | -| `latest` | November 29th | `sha256:770bf7568e7e66ff7affb2adac930a2ec18effed98c282687c922c80046c25e8` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:8a38e21cc2b2bb18c5bc554af93d29bccfb023f78aaf6ab58ed4369ff79a0565` | +| `latest` | December 6th | `sha256:b7ecb880244ebcbc43a1941efada6b2f7d641f197cb84f027563df13ee888599` | diff --git a/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/provenance_info.md b/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/provenance_info.md index e8e7d72dfa..01ad995a92 100644 --- a/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cluster-proportional-autoscaler Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cluster-proportional-autoscaler** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cluster-proportional-autoscaler | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cluster-proportional-autoscaler | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cluster | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cluster-proportional-autoscaler image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cluster-proportional-autoscaler image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cluster-proportional-autoscaler + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cluster-proportional-autoscaler ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/tags_history.md b/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/tags_history.md index 9a6491046c..1aed6d577b 100644 --- a/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cluster-proportional-autoscaler/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cluster-proportional-autoscaler Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:7ca7aa93e4d30c5e6b8a3674ed6fa86a05b2b9bbfe72fd7edace6afe595ffeca` | -| `latest` | November 29th | `sha256:edd89d286595d6551ba638dd74a2248237353ead2479c7e22801ce3c65ea2e27` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:432993b0437531aa3022f5d6f2c9abf218c79e70a7515d9cf0a0a2b7fd030b93` | +| `latest-dev` | December 6th | `sha256:e77ec40a1f6e48fe93beb7fbfd643716de0837fbcc11cd3c4c169f1ce8921be1` | diff --git a/content/chainguard/chainguard-images/reference/conda/provenance_info.md b/content/chainguard/chainguard-images/reference/conda/provenance_info.md index 95f4afaa24..e9221c755a 100644 --- a/content/chainguard/chainguard-images/reference/conda/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/conda/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for conda Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **conda** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/conda | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/conda | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the conda i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the conda image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the conda image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/conda + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/conda ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/conda/tags_history.md b/content/chainguard/chainguard-images/reference/conda/tags_history.md index d78d1ca5ba..48f9caacb1 100644 --- a/content/chainguard/chainguard-images/reference/conda/tags_history.md +++ b/content/chainguard/chainguard-images/reference/conda/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the conda Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:09f2fca47c26ed441a670949249fd56c42b4a761d4baaa76f4e60a908d9ab49e` | -| `latest` | November 29th | `sha256:f2635777a07c083a5da2051a243e4993a413bbb734bf74a5e91a9662f96ca997` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:06cd70c552f52adb4a104c60a7b50680b82f7ac9bb64a2446db27bde3de599b6` | +| `latest-dev` | December 6th | `sha256:e25eac31101a03730b3c50bbc00a2b0495b30abd63b85539ba48ac0b9770f0d9` | diff --git a/content/chainguard/chainguard-images/reference/configmap-reload/provenance_info.md b/content/chainguard/chainguard-images/reference/configmap-reload/provenance_info.md index 4090a7b0c7..f9550d4178 100644 --- a/content/chainguard/chainguard-images/reference/configmap-reload/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/configmap-reload/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for configmap-reload Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **configmap-reload** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/configmap-reload | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/configmap-reload | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the configm | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the configmap-reload image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the configmap-reload image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/configmap-reload + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/configmap-reload ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/consul/provenance_info.md b/content/chainguard/chainguard-images/reference/consul/provenance_info.md index d305a50971..2d7bd27a61 100644 --- a/content/chainguard/chainguard-images/reference/consul/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/consul/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for consul Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **consul** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/consul | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/consul | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the consul | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the consul image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the consul image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/consul + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/consul ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/consul/tags_history.md b/content/chainguard/chainguard-images/reference/consul/tags_history.md index 51a8535442..08304759ec 100644 --- a/content/chainguard/chainguard-images/reference/consul/tags_history.md +++ b/content/chainguard/chainguard-images/reference/consul/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the consul Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:1ad0a1968d0e9f851470f14d36eb609c47106f6e56c4cc7ccf2c0262f5654c59` | -| `latest-dev` | November 29th | `sha256:c38f5b2a8639cc0a0d08637533d5271f2f9c285006f2ffaa701521e1b8a17bff` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f087675b117fa62d1e039f6dd1bdd6f51c43ee9de5da538641042a0d69643cdd` | +| `latest-dev` | December 6th | `sha256:2bc3e489b007e281ffe584a8afda460225a5004de29d9e750e90e9645a7ceb0c` | diff --git a/content/chainguard/chainguard-images/reference/coredns/provenance_info.md b/content/chainguard/chainguard-images/reference/coredns/provenance_info.md index cef6987548..52ed66866d 100644 --- a/content/chainguard/chainguard-images/reference/coredns/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/coredns/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for coredns Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **coredns** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/coredns | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/coredns | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the coredns | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the coredns image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the coredns image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/coredns + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/coredns ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/coredns/tags_history.md b/content/chainguard/chainguard-images/reference/coredns/tags_history.md index e159b54f93..4a7c411b68 100644 --- a/content/chainguard/chainguard-images/reference/coredns/tags_history.md +++ b/content/chainguard/chainguard-images/reference/coredns/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the coredns Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:69e65b08fc22d2d9a28ab603c7fd5b2f7cd94bbf9c043ae377c3b151b1da7fc5` | -| `latest-dev` | November 29th | `sha256:cc5b1b2639d5ecaeb142d4f7476a943d2b1d0ac3468541ddf3feef1cdc28bd36` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:af8d9dc73600a6195893caeb79577ca202ebf240166ea473768c68369bdfbfc5` | +| `latest-dev` | December 6th | `sha256:5f23f5670e51d102cce03bac57e9c823cdc7853f82f4ac272433c21460730271` | diff --git a/content/chainguard/chainguard-images/reference/cosign/provenance_info.md b/content/chainguard/chainguard-images/reference/cosign/provenance_info.md index ded67cab2e..e99b41cefe 100644 --- a/content/chainguard/chainguard-images/reference/cosign/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/cosign/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for cosign Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **cosign** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cosign | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cosign | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the cosign | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cosign image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the cosign image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/cosign + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/cosign ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/cosign/tags_history.md b/content/chainguard/chainguard-images/reference/cosign/tags_history.md index 766a7333f8..7c80e7be62 100644 --- a/content/chainguard/chainguard-images/reference/cosign/tags_history.md +++ b/content/chainguard/chainguard-images/reference/cosign/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the cosign Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:cdc90a4dad81a16a9d044e27fb1165b6aa890179e8a7c94b96733e7fe8023181` | -| `latest` | November 29th | `sha256:2f6d1b0f3ba5b7158b00380eb5c5d9a0a7db73d795a0862fe98378a49beace4e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:9d99db8347ccd457eed4933b8b2c419cad86bad8ec3906d506419c89827eec00` | +| `latest-dev` | December 6th | `sha256:899538f792693d2e19cec05504af76db3034de718e7c14e05535926a70fe8bba` | diff --git a/content/chainguard/chainguard-images/reference/crane/provenance_info.md b/content/chainguard/chainguard-images/reference/crane/provenance_info.md index 846f4423c5..a7c4c83b22 100644 --- a/content/chainguard/chainguard-images/reference/crane/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crane/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crane Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crane** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crane | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crane | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crane i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crane image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crane image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crane + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crane ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crane/tags_history.md b/content/chainguard/chainguard-images/reference/crane/tags_history.md index fbbe82ada5..499da3a923 100644 --- a/content/chainguard/chainguard-images/reference/crane/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crane/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crane Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:84f8e70ef0595b636e77740328da6831493b414c8275811377e8671a11508f41` | -| `latest` | November 29th | `sha256:a66db2a6b1ba1994c01aeab5fa86cc7e6cdd99e55db06ae101db1e12f0f8f13e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:ca3022adf742c1ce2a9f793e6bbfb72a6be5892c9e4520f9e9077d635711b65a` | +| `latest` | December 6th | `sha256:fcbe8c292c431ab57b0549cf54b6596d7ffd89902f4522f02732577ecadc9e36` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/provenance_info.md index 148a962c5e..9af29bdeb7 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-cloudfront Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-cloudfront** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-cloudfront | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-cloudfront | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-cloudfront image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-cloudfront image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-cloudfront + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-cloudfront ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/tags_history.md index 65440c6c31..b14325b6c5 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudfront/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-cloudfront Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:941ad3bec38ddb8db64301ed4b74d9f848a1c67b9ec629278338a68a1d78d576` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:893433d273cf93f41d8653dbc205a5bdc946e28b40ae1f544a5b3ce682c3b55b` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/provenance_info.md index 4e9574b72f..0f539f4be7 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-cloudwatchlogs Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-cloudwatchlogs** Chainguard Images are signed using Sigstor The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-cloudwatchlogs | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-cloudwatchlogs | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-cloudwatchlogs image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-cloudwatchlogs image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-cloudwatchlogs + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-cloudwatchlogs ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/tags_history.md index 639918241e..d62c256bef 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-cloudwatchlogs/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-cloudwatchlogs Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d8cd6c837bf4f728d10ae5ba38270fbf50f4551f517d1aa15e9e958d2e09c128` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:63d4fabcbe8e90dd1f2de915cb20eedc9113459d94e79e0dac7ed01fdf99c556` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/provenance_info.md index eeb2ea8ade..ba811194cc 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-dynamodb Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-dynamodb** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-dynamodb | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-dynamodb | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-dynamodb image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-dynamodb image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-dynamodb + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-dynamodb ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/tags_history.md index a3fe316a41..4e58a6376a 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-dynamodb/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-dynamodb Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:bf08438a782be2e1f728a1c921e493a52272995970f6660b03bf7197ac84075d` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:98e7597e0f2916cc9c373621f383c1f5b45ae60d0442a63fe48046c0bc9a3e3e` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/provenance_info.md index 7bb972e56d..0010790525 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-ec2 Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-ec2** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-ec2 | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-ec2 | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-ec2 image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-ec2 image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-ec2 + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-ec2 ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/tags_history.md index 4fca14e11d..1908003ddb 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-ec2/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-ec2 Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:a0dff9f1e0aad487609eb5cd6fa1fa56d45f96aef615627702e5e7d0f24b1cb5` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:58331b2ab58264f08ffef8b2d436415b04e59b806d9829141ac1277db4ec529c` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-eks/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-eks/provenance_info.md index ed4a672868..3e35e301b9 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-eks/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-eks/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-eks Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-eks** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-eks | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-eks | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-eks image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-eks image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-eks + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-eks ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-eks/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-eks/tags_history.md index b25818ee6b..98dd6493a5 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-eks/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-eks/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-eks Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:34be637ee183eeff116347294cf1a5c3beeb14ffccfd3e1fc268457262dbaf79` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f4d8ea97a092029ec4c9ea0c53c750be838a06116f962b37e71a2acc5a44ac27` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/provenance_info.md index b9b50e7ea4..169254004f 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-firehose Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-firehose** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-firehose | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-firehose | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-firehose image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-firehose image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-firehose + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-firehose ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/tags_history.md index 42ab7a21e5..4d83f97749 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-firehose/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-firehose Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d8d6d5e8ebc26920b505758fd3eebe32fa4eff022360543cef0311551e31a1e0` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:3c7d417598355ea662542bc5dda6240c5fd564c223405b7d9dab1435a1b9f9cc` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-iam/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-iam/provenance_info.md index 7f1f03781b..b7cc3961cb 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-iam/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-iam/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-iam Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-iam** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-iam | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-iam | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-iam image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-iam image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-iam + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-iam ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-iam/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-iam/tags_history.md index fba2fe5e56..8ca0c50369 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-iam/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-iam/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-iam Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:736046a21aaa4a9b943b7a9c71c1a7b2bc4bbc2f28fa6441043e5e9151382aa6` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c93d6b44a026faf5692fd7d429a09ccb9936a61365fbb3b79c1592e5aa7b95c9` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-kms/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-kms/provenance_info.md index dd70cbf25a..d2dd73f394 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-kms/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-kms/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-kms Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-kms** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-kms | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-kms | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-kms image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-kms image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-kms + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-kms ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-kms/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-kms/tags_history.md index 19cd32cd61..3b8e7c9cc8 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-kms/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-kms/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-kms Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:a2c6f47878bc1e99a9a7107e582d47b050908ccce1a54ddac12a81ddb6a022f0` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:31887d29498f646bf0578530138d4b72aee3585a0e4a15cdbf0e050520525d71` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/provenance_info.md index ef451532f1..e484bc854f 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-lambda Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-lambda** Chainguard Images are signed using Sigstore, and y The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-lambda | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-lambda | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-lambda image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-lambda image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-lambda + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-lambda ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/tags_history.md index a6a915f5fa..72a91b9e77 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-lambda/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-lambda Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:7dc9c951da03b646b6104b0c1e2e74ad8bc5c7b487e02ac0af9616f6519fc9a5` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:e60c444a8567b45e1ed6c02fe4cd8cde4a4037f88c11c4c78fb711db29fc3e26` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-rds/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-rds/provenance_info.md index 792e6a3663..a33f6445fc 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-rds/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-rds/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-rds Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-rds** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-rds | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-rds | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-rds image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-rds image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-rds + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-rds ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-rds/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-rds/tags_history.md index 09998527c9..639345aae5 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-rds/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-rds/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-rds Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:b2609367a27d3788f7146eb9777fe060ab972bf98b2a55c69fe2dac6705aa2e3` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:27f20912e35194aae59786e26dd708f9b12f6fe1293c480f4772ca54f56f1ffb` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-s3/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-s3/provenance_info.md index b952ac9865..e032de64bf 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-s3/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-s3/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-s3 Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-s3** Chainguard Images are signed using Sigstore, and you c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-s3 | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-s3 | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-s3 image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-s3 image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-s3 + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-s3 ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-s3/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-s3/tags_history.md index 77e727ef41..533e6db1de 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-s3/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-s3/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-s3 Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:9af972e4af46e36dd2945ebd87042414555b700edd354a4a9840ffb649f8071e` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:3014efa1d3a0e3135179c373ce2facc98e10f642ba6a0b5b45605d0b4270d932` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-sns/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-sns/provenance_info.md index 50e317752b..2d8b68e026 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-sns/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-sns/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-sns Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-sns** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-sns | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-sns | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-sns image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-sns image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-sns + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-sns ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-sns/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-sns/tags_history.md index 9bf90a3e3d..6292c0b343 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-sns/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-sns/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-sns Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:839088ee1997689dba8fe371d4bf277a9d9280e9f054b656f72b3044d8a0e392` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:3a8afea43d50995e96771352d462c6e92fcd860ae4104b261153e9b26fb03737` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/provenance_info.md index 0c821a9793..e6aef57467 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws-sqs Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws-sqs** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws-sqs | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-sqs | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-sqs image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws-sqs image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws-sqs + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws-sqs ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/tags_history.md index 1a26daaa07..bc9262a40c 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws-sqs/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws-sqs Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e8040d7bdecaab02e8afd505c4c18c84ef84f2537b0d5f1cb9e3cb6e5c12d54a` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:90850c31c3d0a09eed274dfe21d824276eaf9dc88f0a45ee2b73ba1ac291f500` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-aws/provenance_info.md index 9f13ee5b83..158d5d5183 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-aws Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-aws** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-aws | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-aws image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-aws + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-aws ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-aws/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-aws/tags_history.md index 2057b288a2..53a3f3740a 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-aws/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-aws/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-aws Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3cacebd33dfee5c275c057bea57408ea37e5a4ca9c148b28a8653ba1ed0f3888` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:b690f331ad6fcf223fa09b8fc5de72acd254c8c7d73334247dad6902486b1cec` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/provenance_info.md index 5c5b4de967..e71341bee5 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-azure-authorization Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-azure-authorization** Chainguard Images are signed using Sigsto The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-azure-authorization | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure-authorization | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-authorization image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-authorization image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-azure-authorization + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure-authorization ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/tags_history.md index 7fbecc0e2a..3a550c4a67 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-authorization/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-azure-authorization Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4be16b9e052df1f7d832dd70bc003d69e5ecbd4e41375eda762c81eaf24c0b5c` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:82bae16b2dab52e6a05011e50df3e26bb706cef1d8f00ed95849cee66983d162` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/provenance_info.md index 82ee83dd28..65c1683513 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-azure-managedidentity Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-azure-managedidentity** Chainguard Images are signed using Sigs The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-azure-managedidentity | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure-managedidentity | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-managedidentity image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-managedidentity image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-azure-managedidentity + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure-managedidentity ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/tags_history.md index 05030c6456..e9074fcebb 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-managedidentity/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-azure-managedidentity Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e1e73d80744d53aeed80639d8283999b34ebca2c15f7b660e1eaf1d2eb9bca56` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:9e9c4dd723cbc7b1a2c071bc1bc71b2c9758083408d4d146b447e88f0b14def1` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-sql/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure-sql/provenance_info.md index c4fff97c35..1f4a5d63df 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-sql/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-sql/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-azure-sql Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-azure-sql** Chainguard Images are signed using Sigstore, and yo The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-azure-sql | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure-sql | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-sql image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-sql image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-azure-sql + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure-sql ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-sql/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-azure-sql/tags_history.md index 2247413b8a..e44c049a15 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-sql/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-sql/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-azure-sql Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:83d47b72c9d15bd4fec70b3abb5669f47b500f15c70184644316ef41d05572e6` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:38f016940d63d76d402125d9b420f1f720912b778cf6a5e484be08ce9fc2bdc1` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-storage/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure-storage/provenance_info.md index 0e6138d211..9f6e3b9c39 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-storage/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-storage/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-azure-storage Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-azure-storage** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-azure-storage | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure-storage | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-storage image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure-storage image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-azure-storage + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure-storage ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure-storage/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-azure-storage/tags_history.md index af89fa283d..b9cbc85d6f 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure-storage/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure-storage/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-azure-storage Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4d2bd779ef9e4c01d61357df6fa81865dbaaad9e4ca2f1317cd8b4fa705d8c3b` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:66c6989ee9ea671f252db68570cae9b6924ad1fabffd3b5555c9b1c48262c440` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-azure/provenance_info.md index 6ffaec06d2..ba6bea2f19 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-azure Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-azure** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-azure | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-azure image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-azure + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-azure ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-azure/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-azure/tags_history.md index 0fdc3db247..d2832222b7 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-azure/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-azure/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-azure Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:7f8c0a4b3b745926ab0eb091314425e57a6b20f2073cbcfbe2a5a120325db17e` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:dc0a24d1d79046adf17e7602049392e2d10708e0348263eb6799619147ca976c` | diff --git a/content/chainguard/chainguard-images/reference/crossplane-xfn/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane-xfn/provenance_info.md index ac4c378ab1..3644f4b234 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-xfn/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane-xfn/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane-xfn Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane-xfn** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane-xfn | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-xfn | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-xfn image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane-xfn image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane-xfn + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane-xfn ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/crossplane-xfn/tags_history.md b/content/chainguard/chainguard-images/reference/crossplane-xfn/tags_history.md index 57754d1902..aea94c2e89 100644 --- a/content/chainguard/chainguard-images/reference/crossplane-xfn/tags_history.md +++ b/content/chainguard/chainguard-images/reference/crossplane-xfn/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the crossplane-xfn Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:676b6eac92b64cccb8ee0658283d8188ed58b4fafe8f5ed31087681b00cea6ae` | -| `latest` | November 29th | `sha256:f262690a5e5fa1b1d52eb4b83866495f302ad020306e2a97aeb55c85aa78aae4` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 3rd | `sha256:5547fd62b7714859a1e588b7d764a9358befbfb9aeb6f8b0e1fe9955e2608682` | +| `latest` | December 3rd | `sha256:1c713dac69a0e1b40026dfceb550b96b92a988fa5b5ac3774e3b4b06a994ff08` | diff --git a/content/chainguard/chainguard-images/reference/crossplane/provenance_info.md b/content/chainguard/chainguard-images/reference/crossplane/provenance_info.md index b63bd38764..41c1cc76cc 100644 --- a/content/chainguard/chainguard-images/reference/crossplane/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/crossplane/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for crossplane Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **crossplane** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/crossplane | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the crosspl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the crossplane image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/crossplane + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/crossplane ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/provenance_info.md b/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/provenance_info.md index d38725fd24..bcc83736bb 100644 --- a/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for ctlog-trillian-ctserver Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **ctlog-trillian-ctserver** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/ctlog-trillian-ctserver | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ctlog-trillian-ctserver | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the ctlog-t | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ctlog-trillian-ctserver image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ctlog-trillian-ctserver image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/ctlog-trillian-ctserver + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ctlog-trillian-ctserver ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/tags_history.md b/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/tags_history.md index 17b2872e49..be9010f099 100644 --- a/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ctlog-trillian-ctserver/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the ctlog-trillian-ctserver Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:82c8601deeb01c1ba0e6b6419c6b09f4fc209ac0716d9c832df2c56093be4aae` | -| `latest` | November 29th | `sha256:0f4e69ff896520ac5f8db65a2435435a8e9cdf85d2d0e075e45dea996b5a0951` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:6c0bbcabff3e4c63c64305912165d7fe5214bb57e871b8fd450417070c29232a` | +| `latest` | December 6th | `sha256:305075fa8e78e14e72872e4813dfc2e5cbd49dad7a00e7cefa3ef57849f20682` | diff --git a/content/chainguard/chainguard-images/reference/curl/provenance_info.md b/content/chainguard/chainguard-images/reference/curl/provenance_info.md index 879ce1d9d5..8af7701707 100644 --- a/content/chainguard/chainguard-images/reference/curl/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/curl/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for curl Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **curl** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/curl | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/curl | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the curl im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the curl image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the curl image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/curl + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/curl ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/curl/tags_history.md b/content/chainguard/chainguard-images/reference/curl/tags_history.md index 872d18129e..48207c35ad 100644 --- a/content/chainguard/chainguard-images/reference/curl/tags_history.md +++ b/content/chainguard/chainguard-images/reference/curl/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the curl Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:1cd0909c616d9e357bdcef45f50e95fd1ae04ccae566833ab8dfeeab46f874f9` | -| `latest` | November 29th | `sha256:aad7b9f9b50615dcc2db5be4e7b01fed960053e593652ed1c3660d2bd551e0f3` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:062c30ca51e31430cf3817c6f3068fa045131f81bda1594eb7d92cbd7da1f967` | +| `latest-dev` | December 6th | `sha256:4da8ae1a45cdc42502b984dab8c233123a69e2f71c5dad13590e73a86a3a55c6` | diff --git a/content/chainguard/chainguard-images/reference/dask-gateway-server/provenance_info.md b/content/chainguard/chainguard-images/reference/dask-gateway-server/provenance_info.md index d7a0d141a8..42c9a43d44 100644 --- a/content/chainguard/chainguard-images/reference/dask-gateway-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dask-gateway-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for dask-gateway-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **dask-gateway-server** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/dask-gateway-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dask-gateway-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the dask-ga | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dask-gateway-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dask-gateway-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/dask-gateway-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dask-gateway-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/dask-gateway-server/tags_history.md b/content/chainguard/chainguard-images/reference/dask-gateway-server/tags_history.md index bc4b3264d6..cc7cd5fbd1 100644 --- a/content/chainguard/chainguard-images/reference/dask-gateway-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/dask-gateway-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the dask-gateway-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:55b3c8d1258f55ee507d1769222d3e239c447331b6a0fce9ba100211e1797a3a` | -| `latest` | November 29th | `sha256:e39e40de704b389328e8f011a3cfa56bc29d3c6f36187ee24d0dc27827c10a79` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:767f72d8c6d092cc82ebd0d86404b7e24db8273a70cf18c057b2e3e8870a84fc` | +| `latest-dev` | December 6th | `sha256:23bf5e88a439568f73f365d037d35026976a2d7d18e9a76e7c83f98d01f8b02c` | diff --git a/content/chainguard/chainguard-images/reference/dask-gateway/provenance_info.md b/content/chainguard/chainguard-images/reference/dask-gateway/provenance_info.md index e70400dfd9..206317de05 100644 --- a/content/chainguard/chainguard-images/reference/dask-gateway/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dask-gateway/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for dask-gateway Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **dask-gateway** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/dask-gateway | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dask-gateway | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the dask-ga | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dask-gateway image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dask-gateway image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/dask-gateway + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dask-gateway ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/dask-gateway/tags_history.md b/content/chainguard/chainguard-images/reference/dask-gateway/tags_history.md index 8a55969eb7..f821e68812 100644 --- a/content/chainguard/chainguard-images/reference/dask-gateway/tags_history.md +++ b/content/chainguard/chainguard-images/reference/dask-gateway/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the dask-gateway Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:307ccf0fd858d860bdbf80d22917f46438c8dd28f99999b83031808f224287eb` | -| `latest-dev` | November 29th | `sha256:be2e215fbc4ed5ec2218aceb92968f454fe3482b880eaacc00b84456ffa127f2` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:dfd59836887ed497236b57e53b594e8c28a29c3df3032897087a1a9aeb67bbdd` | +| `latest-dev` | December 6th | `sha256:d508a464c799af646be4002c326394d3c016f07a83add5b406b6cdbbf754b7ea` | diff --git a/content/chainguard/chainguard-images/reference/deno/provenance_info.md b/content/chainguard/chainguard-images/reference/deno/provenance_info.md index 6f156860d6..3de1fe5463 100644 --- a/content/chainguard/chainguard-images/reference/deno/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/deno/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for deno Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **deno** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/deno | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/deno | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the deno im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the deno image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the deno image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/deno + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/deno ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/deno/tags_history.md b/content/chainguard/chainguard-images/reference/deno/tags_history.md index a1e33405b8..41043f1ee4 100644 --- a/content/chainguard/chainguard-images/reference/deno/tags_history.md +++ b/content/chainguard/chainguard-images/reference/deno/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the deno Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2ad72ba95a4dcb0881258f233879eb7a52bcb441411c6cc99c7d9ab0830a8c92` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c27d3f75a3405603d1ac68500b470d3b21875035123a05a172a346ed1bf5e4a5` | diff --git a/content/chainguard/chainguard-images/reference/dependency-track/provenance_info.md b/content/chainguard/chainguard-images/reference/dependency-track/provenance_info.md index 6be022feef..681d36b782 100644 --- a/content/chainguard/chainguard-images/reference/dependency-track/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dependency-track/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for dependency-track Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **dependency-track** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/dependency-track | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dependency-track | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the depende | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dependency-track image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dependency-track image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/dependency-track + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dependency-track ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/dex/provenance_info.md b/content/chainguard/chainguard-images/reference/dex/provenance_info.md index 634359ece1..a42f0dfe73 100644 --- a/content/chainguard/chainguard-images/reference/dex/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dex/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for dex Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **dex** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/dex | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dex | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the dex ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dex image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dex image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/dex + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dex ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/dex/tags_history.md b/content/chainguard/chainguard-images/reference/dex/tags_history.md index b731065c36..9dfc57a126 100644 --- a/content/chainguard/chainguard-images/reference/dex/tags_history.md +++ b/content/chainguard/chainguard-images/reference/dex/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the dex Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,10 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------------------------------------------------------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:3635db8a6891ed0db5059fccc147201bd234acb2dff3b546ca53a1c161f26dde` | -| `latest` | November 29th | `sha256:4865c7d4d861d16cc28d9bdc49aa9f9f4d1a2d9eb0a0697c25e037a57a6d2a6f` | -| `v2.37.0-dev` `2-dev` `2.37-dev` `2.37.0-dev` `v2.37-dev` `v2-dev` | November 3rd | `sha256:a26d010dbcba8d421b8d87336c9d9cafc9d35a8e60ff9097f1b065aba8e761fd` | -| `2.37.0` `v2.37.0` `2` `v2` `v2.37` `2.37` | October 30th | `sha256:66c186956513b3fe3fa72ed717148c3c0a71eb346a34567e5329e33a3384b315` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:98a971d8c39465003c1eaa140ccb39b0859076821fb7241e3558566ee5e8aca2` | +| `latest-dev` | December 6th | `sha256:6c2fb34760fa32c2147cf2a5ba8e4effd6a55e620192e9ed04f393da010365ed` | diff --git a/content/chainguard/chainguard-images/reference/dive/provenance_info.md b/content/chainguard/chainguard-images/reference/dive/provenance_info.md index 91e832bc5e..c444b661e2 100644 --- a/content/chainguard/chainguard-images/reference/dive/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dive/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for dive Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **dive** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/dive | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dive | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the dive im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dive image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dive image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/dive + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dive ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/dive/tags_history.md b/content/chainguard/chainguard-images/reference/dive/tags_history.md index 13d4d2207c..9747bc21ba 100644 --- a/content/chainguard/chainguard-images/reference/dive/tags_history.md +++ b/content/chainguard/chainguard-images/reference/dive/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the dive Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -25,5 +25,5 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |-----------|--------------|---------------------------------------------------------------------------| -| `latest` | October 30th | `sha256:5e32b721bc9f05b77a080c536a064152f2eb97d5d84bbcfbf92d344d234a7f42` | +| `latest` | December 6th | `sha256:27117676366c5b885fbff715204c6c01de5b0e006053a8e4724d10a4b831ead3` | diff --git a/content/chainguard/chainguard-images/reference/dotnet-runtime/provenance_info.md b/content/chainguard/chainguard-images/reference/dotnet-runtime/provenance_info.md index 1045edb18b..1bffc0e7c5 100644 --- a/content/chainguard/chainguard-images/reference/dotnet-runtime/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dotnet-runtime/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for dotnet-runtime Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **dotnet-runtime** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/dotnet-runtime | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dotnet-runtime | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the dotnet- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dotnet-runtime image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dotnet-runtime image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/dotnet-runtime + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dotnet-runtime ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/dotnet-runtime/tags_history.md b/content/chainguard/chainguard-images/reference/dotnet-runtime/tags_history.md index 7c5e628b15..1c7b1787ee 100644 --- a/content/chainguard/chainguard-images/reference/dotnet-runtime/tags_history.md +++ b/content/chainguard/chainguard-images/reference/dotnet-runtime/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the dotnet-runtime Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:a4426c1b41f8dc0b4d9884bc650761cf20243bfb1475e5874088e7640eab19c1` | -| `latest` | November 29th | `sha256:6de2fbe8c73c5ef9751bae79d38182076f2cf50c63da1f5129c9dc74b668b4db` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:456eeeec33392239a47c1a79c2f3a9d7258f5af4ccd3210ecbcc93f908c27b97` | +| `latest` | December 6th | `sha256:5741ebc10b5cd6b233cbd5bfad8f6115f4b23bf53f56faef4357d21ca6cac9a1` | diff --git a/content/chainguard/chainguard-images/reference/dotnet-sdk/provenance_info.md b/content/chainguard/chainguard-images/reference/dotnet-sdk/provenance_info.md index f504191ccf..4e7ad89bec 100644 --- a/content/chainguard/chainguard-images/reference/dotnet-sdk/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dotnet-sdk/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for dotnet-sdk Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **dotnet-sdk** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/dotnet-sdk | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dotnet-sdk | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the dotnet- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dotnet-sdk image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dotnet-sdk image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/dotnet-sdk + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dotnet-sdk ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/dotnet-sdk/tags_history.md b/content/chainguard/chainguard-images/reference/dotnet-sdk/tags_history.md index a28696f850..a57ccfa522 100644 --- a/content/chainguard/chainguard-images/reference/dotnet-sdk/tags_history.md +++ b/content/chainguard/chainguard-images/reference/dotnet-sdk/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the dotnet-sdk Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:f65ed6eb3a4d0ad270da17b581dd85b3d3b46149a349337afb70dc0ecb25ea24` | -| `latest` | November 29th | `sha256:c3575228548e55bf296d7a8b471c3bd02af7d7d9960eb4844be548a3c967a8f9` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:3e75983b91fae7aa75b729565df7c1b9ee771a7c05287900e79150c6f9b678c1` | +| `latest` | December 6th | `sha256:3243dc202d759563233f474d750fefedbdbba23ab848b922e1024cf75cfa9591` | diff --git a/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/provenance_info.md b/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/provenance_info.md index 6636d20613..569d22b723 100644 --- a/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for dynamic-localpv-provisioner Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **dynamic-localpv-provisioner** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/dynamic-localpv-provisioner | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dynamic-localpv-provisioner | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the dynamic | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dynamic-localpv-provisioner image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the dynamic-localpv-provisioner image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/dynamic-localpv-provisioner + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/dynamic-localpv-provisioner ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/tags_history.md b/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/tags_history.md index f40d6c3e43..3654ee2e70 100644 --- a/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/tags_history.md +++ b/content/chainguard/chainguard-images/reference/dynamic-localpv-provisioner/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the dynamic-localpv-provisioner Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:e69b80f4e10e0f90f5e57bbbc4a3a559010cbdbc9a40bfb858a01ded12aaf2f4` | -| `latest` | November 29th | `sha256:a1d208d95a6971085bf0bc2faa439f328a7518c787a8d54348790c344ab92694` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:b10cd3b05bca89fa525c8ce1c52fb0d97b3577324571dc46c0cd1b917f2a30e6` | +| `latest-dev` | December 6th | `sha256:c8107636643c5a3f4590cd3671bb5c65e32a6151018f2b3a930c0f1c9504efa6` | diff --git a/content/chainguard/chainguard-images/reference/envoy-ratelimit/provenance_info.md b/content/chainguard/chainguard-images/reference/envoy-ratelimit/provenance_info.md index 8b231c27d7..a1f54f242b 100644 --- a/content/chainguard/chainguard-images/reference/envoy-ratelimit/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/envoy-ratelimit/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for envoy-ratelimit Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **envoy-ratelimit** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/envoy-ratelimit | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/envoy-ratelimit | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the envoy-r | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the envoy-ratelimit image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the envoy-ratelimit image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/envoy-ratelimit + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/envoy-ratelimit ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/envoy-ratelimit/tags_history.md b/content/chainguard/chainguard-images/reference/envoy-ratelimit/tags_history.md index 04bbd283cf..1bf2dc71c4 100644 --- a/content/chainguard/chainguard-images/reference/envoy-ratelimit/tags_history.md +++ b/content/chainguard/chainguard-images/reference/envoy-ratelimit/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the envoy-ratelimit Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:bb80230dceb5eac5b647d72c44e5a1dc6131a76466b375602cfafc2f32b1c88a` | -| `latest` | November 29th | `sha256:043be941516ab97689e78b9bc93bb45b8d59d1114155b6d567320a0c071d2872` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:a090447953fde6f4e6d2fbb4a3675ce49b31b76e652521d77a8a76896bc04004` | +| `latest-dev` | December 6th | `sha256:42b20d59031574063d233fdaf333978d3a67d4949518b8b9bc65b725044cf29c` | diff --git a/content/chainguard/chainguard-images/reference/envoy/provenance_info.md b/content/chainguard/chainguard-images/reference/envoy/provenance_info.md index f50bbc8d2a..2afc386d81 100644 --- a/content/chainguard/chainguard-images/reference/envoy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/envoy/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for envoy Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **envoy** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/envoy | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/envoy | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the envoy i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the envoy image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the envoy image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/envoy + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/envoy ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/envoy/tags_history.md b/content/chainguard/chainguard-images/reference/envoy/tags_history.md index 11aad181f0..b85f87b50c 100644 --- a/content/chainguard/chainguard-images/reference/envoy/tags_history.md +++ b/content/chainguard/chainguard-images/reference/envoy/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the envoy Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c2a928abafa916a2668dd25761d2ce67486674dd8406e7e574eb58d982fead0c` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:378d72c7864bae4becad0298f34914fe01e066731f3e7217eff7550ea775eaf0` | diff --git a/content/chainguard/chainguard-images/reference/erlang/_index.md b/content/chainguard/chainguard-images/reference/erlang/_index.md new file mode 100644 index 0000000000..c4e41c5003 --- /dev/null +++ b/content/chainguard/chainguard-images/reference/erlang/_index.md @@ -0,0 +1,62 @@ +--- +title: "Image Overview: erlang" +linktitle: "erlang" +type: "article" +layout: "single" +description: "Overview: erlang Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +menu: + docs: + parent: "images-reference" +weight: 500 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=true url="/chainguard/chainguard-images/reference/erlang/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/erlang/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/erlang/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/erlang/provenance_info/" >}} +{{}} + + + +Container image for building Erlang applications. + +## Get It! + +The image is available on `cgr.dev`: + +``` +docker pull cgr.dev/chainguard/erlang:latest +``` + +## Usage + +The image can be used to run the `erl` tool, or to compile and run Erlang scripts. + +For example, a simple Hello World script in Erlang, `hello.erl`: + +``` +-module(hello). +-export([hello_world/0]). + +hello_world() -> io:fwrite("hello, world\n"). +``` + +can be compiled in Docker with: + +``` +FROM cgr.dev/chainguard/erlang +COPY . . +RUN erlc hello-world.erl +ENTRYPOINT [ "erl" ] +CMD [ "-noshell", "-eval", "hello:hello_world().", "-s", "init", "stop" ] +``` + +Running this image should output `hello, world`. + diff --git a/content/chainguard/chainguard-images/reference/erlang/image_specs.md b/content/chainguard/chainguard-images/reference/erlang/image_specs.md new file mode 100644 index 0000000000..1f53c631e0 --- /dev/null +++ b/content/chainguard/chainguard-images/reference/erlang/image_specs.md @@ -0,0 +1,73 @@ +--- +title: "erlang Image Variants" +type: "article" +unlisted: true +description: "Detailed information about the public erlang Chainguard Image variants" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 550 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/erlang/" >}} +{{< tab title="Variants" active=true url="/chainguard/chainguard-images/reference/erlang/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/erlang/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/erlang/provenance_info/" >}} +{{}} + +This page shows detailed information about all public variants of the Chainguard **erlang** Image. + +## Variants Compared +The **erlang** Chainguard Image currently has 2 public variants: + +- `latest-dev` +- `latest` + +The table has detailed information about each of these variants. + +| | latest-dev | latest | +|--------------|----------------|----------------| +| Default User | `root` | `root` | +| Entrypoint | `/usr/bin/erl` | `/usr/bin/erl` | +| CMD | not specified | not specified | +| Workdir | not specified | not specified | +| Has apk? | yes | no | +| Has a shell? | yes | yes | + +Check the [tags history page](/chainguard/chainguard-images/reference/erlang/tags_history/) for the full list of available tags. + +## Packages Included +The table shows package distribution across variants. + +| | latest-dev | latest | +|--------------------------|------------|--------| +| `apk-tools` | X | | +| `bash` | X | | +| `busybox` | X | X | +| `ca-certificates-bundle` | X | X | +| `erlang-26` | X | X | +| `git` | X | | +| `glibc` | X | X | +| `glibc-locale-posix` | X | X | +| `ld-linux` | X | X | +| `libbrotlicommon1` | X | | +| `libbrotlidec1` | X | | +| `libcrypt1` | X | X | +| `libcrypto3` | X | X | +| `libcurl-openssl4` | X | | +| `libexpat1` | X | | +| `libgcc` | X | X | +| `libnghttp2-14` | X | | +| `libpcre2-8-0` | X | | +| `libssl3` | X | | +| `libstdc++` | X | X | +| `ncurses` | X | X | +| `ncurses-terminfo-base` | X | X | +| `openssl-config` | X | X | +| `wolfi-baselayout` | X | X | +| `zlib` | X | X | + diff --git a/content/chainguard/chainguard-images/reference/erlang/provenance_info.md b/content/chainguard/chainguard-images/reference/erlang/provenance_info.md new file mode 100644 index 0000000000..dfb8e4f1a4 --- /dev/null +++ b/content/chainguard/chainguard-images/reference/erlang/provenance_info.md @@ -0,0 +1,88 @@ +--- +title: "Provenance Information for erlang Images" +type: "article" +unlisted: true +description: "Provenance information for erlang Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 600 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/erlang/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/erlang/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/erlang/tags_history/" >}} +{{< tab title="Provenance" active=true url="/chainguard/chainguard-images/reference/erlang/provenance_info/" >}} +{{}} + +All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. + +## Verifying erlang Image Signatures +The **erlang** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. + +The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. + +```shell +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/erlang | jq +``` + +By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. + +## Downloading erlang Image Attestations + +The following [attestations](https://slsa.dev/attestation-model) for the erlang image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the erlang image on `linux/amd64`: + +```shell +cosign download attestation \ + --platform=linux/amd64 \ + --predicate-type=https://spdx.dev/Document \ + cgr.dev/chainguard/erlang | jq -r .payload | base64 -d | jq .predicate +``` +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. + +## Verifying erlang Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the erlang image attestations: + +```shell +cosign verify-attestation \ + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/erlang +``` + +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: + +``` +Verification for cgr.dev/chainguard/erlang -- +The following checks were performed on each of these signatures: +- The cosign claims were validated +- Existence of the claims in the transparency log was verified offline +- The code-signing certificate was verified using trusted certificate authority certificates +Certificate subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main +Certificate issuer URL: https://token.actions.githubusercontent.com +GitHub Workflow Trigger: schedule +GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696 +GitHub Workflow Name: .github/workflows/release.yaml +GitHub Workflow Trigger chainguard-images/images +GitHub Workflow Ref: refs/heads/main +... +``` diff --git a/content/chainguard/chainguard-images/reference/erlang/tags_history.md b/content/chainguard/chainguard-images/reference/erlang/tags_history.md new file mode 100644 index 0000000000..aad1837a73 --- /dev/null +++ b/content/chainguard/chainguard-images/reference/erlang/tags_history.md @@ -0,0 +1,30 @@ +--- +title: "erlang Image Tags History" +type: "article" +unlisted: true +description: "Image Tags and History for the erlang Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 700 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/erlang/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/erlang/image_specs/" >}} +{{< tab title="Tags History" active=true url="/chainguard/chainguard-images/reference/erlang/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/erlang/provenance_info/" >}} +{{}} + +The following table contains the most recent tags and digests that can be used to pin your Dockerfile to a specific build of this image. Check our guide on [Using the Tag History API](/chainguard/chainguard-images/using-the-tag-history-api/) for information on how to fetch all tags from an image and how to pin your Dockerfile to a specific digest. + +Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). + +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:f5b3b401f850148f42d2a58c296e182106dd29efdbbc5af20e89f378683c2523` | +| `latest` | December 6th | `sha256:db4a296eb399f7472d019faab99190780e297b2c07855883f8315a5ee2042a9d` | + diff --git a/content/chainguard/chainguard-images/reference/etcd/provenance_info.md b/content/chainguard/chainguard-images/reference/etcd/provenance_info.md index a93596c767..f9000ad354 100644 --- a/content/chainguard/chainguard-images/reference/etcd/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/etcd/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for etcd Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **etcd** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/etcd | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/etcd | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the etcd im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the etcd image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the etcd image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/etcd + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/etcd ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/etcd/tags_history.md b/content/chainguard/chainguard-images/reference/etcd/tags_history.md index 3e7319e06f..91898aca8c 100644 --- a/content/chainguard/chainguard-images/reference/etcd/tags_history.md +++ b/content/chainguard/chainguard-images/reference/etcd/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the etcd Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:b18b53ec1808f395ed6155b5e685ca47419f9739269d900b5df9605d3f318b04` | -| `latest` | November 29th | `sha256:c144900d415385b63889b3d32d0fd90cc67e56a436cdefa739b4755273357b33` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:e0de9724f2def72a716b657728f2cee4a37bc9c4a22b464da84e5134a4c237a4` | +| `latest` | December 6th | `sha256:dccc14aa74a01999da5d7585875d09d679404828228fabcb5404b977c49b75d7` | diff --git a/content/chainguard/chainguard-images/reference/external-dns/provenance_info.md b/content/chainguard/chainguard-images/reference/external-dns/provenance_info.md index 40b4871548..5616871c3b 100644 --- a/content/chainguard/chainguard-images/reference/external-dns/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/external-dns/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for external-dns Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **external-dns** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/external-dns | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/external-dns | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the externa | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the external-dns image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the external-dns image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/external-dns + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/external-dns ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/external-dns/tags_history.md b/content/chainguard/chainguard-images/reference/external-dns/tags_history.md index 18e40815ee..b4c44359ed 100644 --- a/content/chainguard/chainguard-images/reference/external-dns/tags_history.md +++ b/content/chainguard/chainguard-images/reference/external-dns/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the external-dns Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:cfd4c64c85900216f6e3f53005eedfd5aef10cc4f31323b1ae0007c51b823d55` | -| `latest` | November 29th | `sha256:34dbfd88d40e9d644246cff0b9fc1ba599247de1916ed184f9a3dd0748543507` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:2fc196e4f33da0606b8ffa11b3e2180f261531272735b300e0c87b2f37d93cd0` | +| `latest` | December 6th | `sha256:4c32906312690b4cc52bdeb72aea71cafc043e03d5e5e88b94e91825c3def546` | diff --git a/content/chainguard/chainguard-images/reference/external-secrets/provenance_info.md b/content/chainguard/chainguard-images/reference/external-secrets/provenance_info.md index 5a81303ecb..c852babe90 100644 --- a/content/chainguard/chainguard-images/reference/external-secrets/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/external-secrets/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for external-secrets Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **external-secrets** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/external-secrets | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/external-secrets | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the externa | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the external-secrets image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the external-secrets image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/external-secrets + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/external-secrets ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/external-secrets/tags_history.md b/content/chainguard/chainguard-images/reference/external-secrets/tags_history.md index cb2c339891..bb6bffc2ad 100644 --- a/content/chainguard/chainguard-images/reference/external-secrets/tags_history.md +++ b/content/chainguard/chainguard-images/reference/external-secrets/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the external-secrets Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:f21c97478b97f60eb4eb902d2b28ebb554305d9ba9717da648a42d2344cddf4e` | -| `latest` | November 29th | `sha256:d6b13e1f8e186ed2ba27ada9fce6e2b87020605d1325938db13b6ab455ccb7ed` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:2e67e3e5f8758b0199bd0d626f081b30647c13a588ddbf6d10991a1f420c51be` | +| `latest-dev` | December 6th | `sha256:c8f1a8d182f7e6598e9cbfa85a36df041468306fc381fbecc35f1a1048e2228f` | diff --git a/content/chainguard/chainguard-images/reference/falcoctl/provenance_info.md b/content/chainguard/chainguard-images/reference/falcoctl/provenance_info.md index 78d37ca8a8..57959751b0 100644 --- a/content/chainguard/chainguard-images/reference/falcoctl/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/falcoctl/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for falcoctl Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **falcoctl** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/falcoctl | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/falcoctl | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the falcoct | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the falcoctl image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the falcoctl image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/falcoctl + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/falcoctl ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/falcoctl/tags_history.md b/content/chainguard/chainguard-images/reference/falcoctl/tags_history.md index a3b1aacdef..d575f3fcf6 100644 --- a/content/chainguard/chainguard-images/reference/falcoctl/tags_history.md +++ b/content/chainguard/chainguard-images/reference/falcoctl/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the falcoctl Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:806274a78ef65bf0b386faf3a68df704323ae3fe943de1a44e13f738686d6eed` | -| `latest-dev` | November 29th | `sha256:fdbeb6791593764e50ec186cde4b305b5b5cf47a0022be6341005e7069810f39` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:32d01a37daf47e52803b7a26390f3cad0f3e8d5bb40a3e78c23ee4bde97e629d` | +| `latest` | December 6th | `sha256:5af6247db78c3004ab307094d9429091f5da6cfc9a86701933d55ff8bebcab17` | diff --git a/content/chainguard/chainguard-images/reference/ffmpeg/image_specs.md b/content/chainguard/chainguard-images/reference/ffmpeg/image_specs.md index ac8a90db98..fd37a7f6a7 100644 --- a/content/chainguard/chainguard-images/reference/ffmpeg/image_specs.md +++ b/content/chainguard/chainguard-images/reference/ffmpeg/image_specs.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Detailed information about the public ffmpeg Chainguard Image variants" date: 2023-03-07T11:07:52+02:00 -lastmod: 2023-03-07T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -22,43 +22,61 @@ toc: true This page shows detailed information about all public variants of the Chainguard **ffmpeg** Image. ## Variants Compared -The **ffmpeg** Chainguard Image currently has one public variant: +The **ffmpeg** Chainguard Image currently has 2 public variants: +- `latest-dev` - `latest` The table has detailed information about each of these variants. -| | latest | -|--------------|-------------------| -| Default User | `nonroot` | -| Entrypoint | `/usr/bin/ffmpeg` | -| CMD | `--help` | -| Workdir | not specified | -| Has apk? | no | -| Has a shell? | no | +| | latest-dev | latest | +|--------------|-------------------|-------------------| +| Default User | `nonroot` | `nonroot` | +| Entrypoint | `/usr/bin/ffmpeg` | `/usr/bin/ffmpeg` | +| CMD | `--help` | `--help` | +| Workdir | not specified | not specified | +| Has apk? | yes | no | +| Has a shell? | yes | no | Check the [tags history page](/chainguard/chainguard-images/reference/ffmpeg/tags_history/) for the full list of available tags. ## Packages Included The table shows package distribution across variants. -| | latest | -|--------------------------|--------| -| `aom-libs` | X | -| `ca-certificates-bundle` | X | -| `ffmpeg` | X | -| `glibc` | X | -| `glibc-locale-posix` | X | -| `ld-linux` | X | -| `libavcodec60` | X | -| `libavdevice60` | X | -| `libavfilter9` | X | -| `libavformat60` | X | -| `libavutil58` | X | -| `libogg` | X | -| `libswresample4` | X | -| `libswscale7` | X | -| `libtheora` | X | -| `wolfi-baselayout` | X | -| `x264` | X | +| | latest-dev | latest | +|--------------------------|------------|--------| +| `aom-libs` | X | X | +| `apk-tools` | X | | +| `bash` | X | | +| `busybox` | X | | +| `ca-certificates-bundle` | X | X | +| `ffmpeg` | X | X | +| `git` | X | | +| `glibc` | X | X | +| `glibc-locale-posix` | X | X | +| `ld-linux` | X | X | +| `libavcodec60` | X | X | +| `libavdevice60` | X | X | +| `libavfilter9` | X | X | +| `libavformat60` | X | X | +| `libavutil58` | X | X | +| `libbrotlicommon1` | X | | +| `libbrotlidec1` | X | | +| `libcrypt1` | X | | +| `libcrypto3` | X | | +| `libcurl-openssl4` | X | | +| `libexpat1` | X | | +| `libnghttp2-14` | X | | +| `libogg` | X | X | +| `libpcre2-8-0` | X | | +| `libssl3` | X | | +| `libswresample4` | X | X | +| `libswscale7` | X | X | +| `libtheora` | X | X | +| `ncurses` | X | | +| `ncurses-terminfo-base` | X | | +| `openssl-config` | X | | +| `wolfi-baselayout` | X | X | +| `x264` | X | X | +| `zlib` | X | | diff --git a/content/chainguard/chainguard-images/reference/ffmpeg/provenance_info.md b/content/chainguard/chainguard-images/reference/ffmpeg/provenance_info.md index 6ce5c14a40..6f957a0121 100644 --- a/content/chainguard/chainguard-images/reference/ffmpeg/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ffmpeg/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for ffmpeg Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **ffmpeg** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/ffmpeg | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ffmpeg | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the ffmpeg | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ffmpeg image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ffmpeg image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/ffmpeg + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ffmpeg ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ffmpeg/tags_history.md b/content/chainguard/chainguard-images/reference/ffmpeg/tags_history.md index 65b38ddb4f..ecb305b6ce 100644 --- a/content/chainguard/chainguard-images/reference/ffmpeg/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ffmpeg/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the ffmpeg Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:a728d56227678cc0889ee9a1858975f1d35694631e3d70c9eb564d9059e760d9` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:7b8f1441d75392ab174f4de8bde47da7887d4558890e657563c541fff3d8eab6` | +| `latest-dev` | December 6th | `sha256:fec4f99324a44f5a865a35ffdd1d512b5eb4b7cb92af34331272c85b910b65bd` | diff --git a/content/chainguard/chainguard-images/reference/fluent-bit/provenance_info.md b/content/chainguard/chainguard-images/reference/fluent-bit/provenance_info.md index f65313df3c..d40dfff300 100644 --- a/content/chainguard/chainguard-images/reference/fluent-bit/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/fluent-bit/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for fluent-bit Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **fluent-bit** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/fluent-bit | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/fluent-bit | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the fluent- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fluent-bit image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fluent-bit image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/fluent-bit + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/fluent-bit ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/fluent-bit/tags_history.md b/content/chainguard/chainguard-images/reference/fluent-bit/tags_history.md index 6d37cc50e5..251c9eecce 100644 --- a/content/chainguard/chainguard-images/reference/fluent-bit/tags_history.md +++ b/content/chainguard/chainguard-images/reference/fluent-bit/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the fluent-bit Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:8e0a01f91546d1d201f418063c14d1ea87567281a519ce6ff6c8c3aaee1d659f` | -| `latest` | November 29th | `sha256:1142a17855c5562ca632ec2e86f13ed77feec4b1f21386d0718f436a541f7be0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f40f66941249cc36fc5d7ca0f2ce012d18e2ad7888cbde61416846a7ae150eff` | +| `latest-dev` | December 6th | `sha256:157eaab2c62d199712a7e496c0301efb0caaf51723eb04b38510199cf5f28eea` | diff --git a/content/chainguard/chainguard-images/reference/fluentd/provenance_info.md b/content/chainguard/chainguard-images/reference/fluentd/provenance_info.md index 99582be70d..326266d138 100644 --- a/content/chainguard/chainguard-images/reference/fluentd/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/fluentd/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for fluentd Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **fluentd** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/fluentd | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/fluentd | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the fluentd | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fluentd image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fluentd image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/fluentd + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/fluentd ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/fluentd/tags_history.md b/content/chainguard/chainguard-images/reference/fluentd/tags_history.md index d4af653e16..b6c5af99fd 100644 --- a/content/chainguard/chainguard-images/reference/fluentd/tags_history.md +++ b/content/chainguard/chainguard-images/reference/fluentd/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the fluentd Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,10 +23,10 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|----------------------|---------------|---------------------------------------------------------------------------| -| `latest-splunk-dev` | November 29th | `sha256:2b5ee9127bf40318fded5a477b000326474670db82d519c31e0627da75e4fc03` | -| `latest-splunk` | November 29th | `sha256:13b1b5cd6090932a2738077c855f3a99802b2747bb2b06174af6dd7f57821729` | -| `latest` | November 29th | `sha256:41b3503196f14a0d152f848c9ea6336b907915787ae6913326d57b3eb08693a5` | -| `latest-dev` | November 29th | `sha256:eeabdac01afa93c676cf0ae5c96bba79801646c0fabd1e6f166e7c30c45e9ada` | +| Tag (s) | Last Changed | Digest | +|----------------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:48e53b7bd28188746bbea9b2801508d312ef8586cb6e0802b67d1c8710185182` | +| `latest` | December 6th | `sha256:cfc1a4968229c8f6eabd1a6eee8c0af43578af8f065cb0f9267171f145909220` | +| `latest-splunk` | December 6th | `sha256:a42811a29fb0a7164ff1fb9dcbbf4a325fed995091a7f55df96e685170f67aeb` | +| `latest-splunk-dev` | December 6th | `sha256:5c0cb048a784f5ada07945d3bed2e9978bfc74dd95d69bb28142f64e41f87a52` | diff --git a/content/chainguard/chainguard-images/reference/flux-helm-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-helm-controller/provenance_info.md index d2115c1c44..b23ab4045b 100644 --- a/content/chainguard/chainguard-images/reference/flux-helm-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-helm-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for flux-helm-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **flux-helm-controller** Chainguard Images are signed using Sigstore, and yo The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/flux-helm-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-helm-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the flux-he | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-helm-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-helm-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/flux-helm-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-helm-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/flux-helm-controller/tags_history.md b/content/chainguard/chainguard-images/reference/flux-helm-controller/tags_history.md index c4ac734de8..0e16666d3a 100644 --- a/content/chainguard/chainguard-images/reference/flux-helm-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/flux-helm-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the flux-helm-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d08869f8139c15440010778e56d8278c0a9dee49e8fa3eab43d92b363d51de7c` | -| `latest-dev` | November 29th | `sha256:1b388e2753a44b147ab8f0a6868c2e0f11581970407dab8bd51c3b8bfb358bda` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:648cfabc1dc39cbeea9ec863c84100f95d0b587040b00803ca45f54e7e284b83` | +| `latest` | December 6th | `sha256:36c42205c7d6120a9bde791595175050d47851bf08a34f34bc4d994ac965dbb0` | diff --git a/content/chainguard/chainguard-images/reference/flux-image-automation-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-image-automation-controller/provenance_info.md index 0c0558de6b..d7c5f31599 100644 --- a/content/chainguard/chainguard-images/reference/flux-image-automation-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-image-automation-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for flux-image-automation-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **flux-image-automation-controller** Chainguard Images are signed using Sigs The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/flux-image-automation-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-image-automation-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the flux-im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-image-automation-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-image-automation-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/flux-image-automation-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-image-automation-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/flux-image-automation-controller/tags_history.md b/content/chainguard/chainguard-images/reference/flux-image-automation-controller/tags_history.md index c54412a110..7a5406d52a 100644 --- a/content/chainguard/chainguard-images/reference/flux-image-automation-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/flux-image-automation-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the flux-image-automation-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:8c5bca15bf6362229a1a99d226cce49654757929449f9fff0d41dd52ee8867d4` | -| `latest` | October 30th | `sha256:429908e6bcf85c57c0556b4035366c49d8de7b424fa0eceaec9096c557f8e4a0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:0da7d81ca4a8c3d3fec9d17ef9bd4667a49e11811b80f5fbe95b0d50d40677a6` | +| `latest-dev` | December 6th | `sha256:5a0e5116ee641da1e5b29a56c1c408b6370502194647f057423d787427fb86f1` | diff --git a/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/provenance_info.md index 0a42b23db1..5635ecbbda 100644 --- a/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for flux-image-reflector-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **flux-image-reflector-controller** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/flux-image-reflector-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-image-reflector-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the flux-im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-image-reflector-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-image-reflector-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/flux-image-reflector-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-image-reflector-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/tags_history.md b/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/tags_history.md index 752e40a465..503c961be1 100644 --- a/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/flux-image-reflector-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the flux-image-reflector-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:bdfdbd5979961b0a4541158fe7544f32f3eba412941d224d61b6f4e6d1f62b3d` | -| `latest` | November 29th | `sha256:fb091bb9380c5aafd2ca840dbe7ed31ed2b69baf967445270ff40f1a01792e32` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:96b2fda2f7d7bccab5ec4809799657daa1683ded2f927b18038ced8a1a99fb65` | +| `latest` | December 6th | `sha256:825241ef8486c0cc07bf24a23e208f73af62d3b651c55bae994d43465ffe4b85` | diff --git a/content/chainguard/chainguard-images/reference/flux-kustomize-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-kustomize-controller/provenance_info.md index aaefe90822..99f51772cb 100644 --- a/content/chainguard/chainguard-images/reference/flux-kustomize-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-kustomize-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for flux-kustomize-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **flux-kustomize-controller** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/flux-kustomize-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-kustomize-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the flux-ku | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-kustomize-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-kustomize-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/flux-kustomize-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-kustomize-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/flux-kustomize-controller/tags_history.md b/content/chainguard/chainguard-images/reference/flux-kustomize-controller/tags_history.md index 1be25f69b0..c1a415a2d5 100644 --- a/content/chainguard/chainguard-images/reference/flux-kustomize-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/flux-kustomize-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the flux-kustomize-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c3d04f27e434be0fb766818c8457be9092ed6ad29dc267c191c0d8f43817f482` | -| `latest-dev` | November 29th | `sha256:89b9fbe38e1004a468c40337db768a9a7379a9422f7716f0aebcd20b03f9e408` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:ae7dc700d69ec7ca1b0f69b8aa6549691eca5f36f0c2a6df450972c093d0cadc` | +| `latest-dev` | December 6th | `sha256:fe5a049f3061b9ef4c7852213914bcfdae7ee9a885c78df2392d57a0ce349ed8` | diff --git a/content/chainguard/chainguard-images/reference/flux-notification-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-notification-controller/provenance_info.md index 261d724892..48e88a5db9 100644 --- a/content/chainguard/chainguard-images/reference/flux-notification-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-notification-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for flux-notification-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **flux-notification-controller** Chainguard Images are signed using Sigstore The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/flux-notification-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-notification-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the flux-no | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-notification-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-notification-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/flux-notification-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-notification-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/flux-notification-controller/tags_history.md b/content/chainguard/chainguard-images/reference/flux-notification-controller/tags_history.md index 5144ebab32..ae135de253 100644 --- a/content/chainguard/chainguard-images/reference/flux-notification-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/flux-notification-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the flux-notification-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:d742355a33a823015675a43511401a7c13609f0b8f7257a76a6d86356f818b93` | -| `latest` | November 29th | `sha256:561bc2bfece16cdce7da2e944a0abee8a9b7ab24129c4ae086a6dcadb71e2b85` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:ce273c6b705cc7a8db0246d6455623f900284301dfe7529982097fdd581a0bfe` | +| `latest` | December 6th | `sha256:4bee1fb77c63237a2374b08846572258735ea6f92aab945d4b1d2b62d3920fb9` | diff --git a/content/chainguard/chainguard-images/reference/flux-source-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/flux-source-controller/provenance_info.md index 63f33ddf7e..02e0ca9f78 100644 --- a/content/chainguard/chainguard-images/reference/flux-source-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux-source-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for flux-source-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **flux-source-controller** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/flux-source-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-source-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the flux-so | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-source-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux-source-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/flux-source-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux-source-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/flux-source-controller/tags_history.md b/content/chainguard/chainguard-images/reference/flux-source-controller/tags_history.md index c5b4406c15..38bb5b0f2e 100644 --- a/content/chainguard/chainguard-images/reference/flux-source-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/flux-source-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the flux-source-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ed071113a628a9cc89ddf4ddfe0b2b78c24cbceee11dd26bf25f6ced539ac4ac` | -| `latest-dev` | November 29th | `sha256:7b107c22d10da5d02e542157acca5b5ecd37f89aebef8f23181c0c58921d74ad` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:d1da775ed37d3f64bd112cbd156694474c202effe9c6d5b3068850c98f8e216f` | +| `latest` | December 6th | `sha256:2c82a8891372414735f45b3e0ce671cba183e6bfb34d203fbdb3dd53e3c2df36` | diff --git a/content/chainguard/chainguard-images/reference/flux/provenance_info.md b/content/chainguard/chainguard-images/reference/flux/provenance_info.md index 494762712c..766d4e532b 100644 --- a/content/chainguard/chainguard-images/reference/flux/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/flux/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for flux Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **flux** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/flux | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the flux im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the flux image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/flux + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/flux ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/flux/tags_history.md b/content/chainguard/chainguard-images/reference/flux/tags_history.md index 5ffd6102de..bf0dd3113d 100644 --- a/content/chainguard/chainguard-images/reference/flux/tags_history.md +++ b/content/chainguard/chainguard-images/reference/flux/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the flux Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c08d397f8f8d2951f400c641781e85faab0a48f9428e2ac397c930fb595360b0` | -| `latest-dev` | November 29th | `sha256:5be964f89c5f8ef9fb8d4f4e03b0a0ff15d66f31870a681861affe4563808d84` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:fc35aeed67ce35ee679f28428390c5713396b1a65ea3c10beb06f8177cb1ed0b` | +| `latest-dev` | December 6th | `sha256:ad9ec84e5c4eba438d9e850098bf922488897fcab682f8edb93ef7a5c15684b9` | diff --git a/content/chainguard/chainguard-images/reference/fulcio/provenance_info.md b/content/chainguard/chainguard-images/reference/fulcio/provenance_info.md index a1c6475c96..a25be27b73 100644 --- a/content/chainguard/chainguard-images/reference/fulcio/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/fulcio/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for fulcio Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **fulcio** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/fulcio | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/fulcio | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the fulcio | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fulcio image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the fulcio image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/fulcio + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/fulcio ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/fulcio/tags_history.md b/content/chainguard/chainguard-images/reference/fulcio/tags_history.md index 30de469c1c..5b05aa379a 100644 --- a/content/chainguard/chainguard-images/reference/fulcio/tags_history.md +++ b/content/chainguard/chainguard-images/reference/fulcio/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the fulcio Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:71da5e770842bb1e723896176aba14beed38df6f718ade58dbee57ce3cc581f9` | -| `latest` | November 29th | `sha256:1b9fbcb6cfaa6d3ab72601ccdfef667f68a9939b32fbbc8e641df9b9f7a5a80f` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:809220709d2074a02bb39e7abd8acbf646c8a833ac24f013f60fcf7b8c19727e` | +| `latest-dev` | December 6th | `sha256:7cc6e9e19f4f8da617b415d5f7c1f09471dedd5a41db8fda816c856905037b28` | diff --git a/content/chainguard/chainguard-images/reference/gatekeeper/provenance_info.md b/content/chainguard/chainguard-images/reference/gatekeeper/provenance_info.md index 6d19444e40..a305197973 100644 --- a/content/chainguard/chainguard-images/reference/gatekeeper/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gatekeeper/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for gatekeeper Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **gatekeeper** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/gatekeeper | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gatekeeper | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the gatekee | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gatekeeper image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gatekeeper image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/gatekeeper + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gatekeeper ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/gatekeeper/tags_history.md b/content/chainguard/chainguard-images/reference/gatekeeper/tags_history.md index 255ba71667..0ba07e9f5a 100644 --- a/content/chainguard/chainguard-images/reference/gatekeeper/tags_history.md +++ b/content/chainguard/chainguard-images/reference/gatekeeper/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the gatekeeper Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2dc415b0f1a1b551c98a077538d5e13d5d3a0402e796ec84bc7cf853ece67edc` | -| `latest-dev` | November 29th | `sha256:3da5e1c343abf7f10a0c817d43eb80cf03c21cc8e4a0ab06bfe7488ef9db50b5` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f0e746bc493df4e9d8e45ed16b480cb10909bbdb80b2a84c0b246197537feb00` | +| `latest-dev` | December 6th | `sha256:4f03fa594899a9a1caa97e2e894f10110389f1f5bf02cfaab431edc213c6d55b` | diff --git a/content/chainguard/chainguard-images/reference/gcc-glibc/provenance_info.md b/content/chainguard/chainguard-images/reference/gcc-glibc/provenance_info.md index 01d366d8d5..ece99b8adc 100644 --- a/content/chainguard/chainguard-images/reference/gcc-glibc/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gcc-glibc/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for gcc-glibc Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **gcc-glibc** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/gcc-glibc | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gcc-glibc | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the gcc-gli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gcc-glibc image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gcc-glibc image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/gcc-glibc + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gcc-glibc ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/gcc-glibc/tags_history.md b/content/chainguard/chainguard-images/reference/gcc-glibc/tags_history.md index 6427da03d7..b300a09fc8 100644 --- a/content/chainguard/chainguard-images/reference/gcc-glibc/tags_history.md +++ b/content/chainguard/chainguard-images/reference/gcc-glibc/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the gcc-glibc Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ed8c943981c87068e0bf2a0047dc916b4914f21ad4c2b85352982ad67b30738b` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:511fea1515f868092bc3e3c77afa98d2a3c05e565f7d7676d14156235841e895` | diff --git a/content/chainguard/chainguard-images/reference/git/provenance_info.md b/content/chainguard/chainguard-images/reference/git/provenance_info.md index 26c94ccee8..9097aa1229 100644 --- a/content/chainguard/chainguard-images/reference/git/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/git/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for git Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **git** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/git | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/git | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the git ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the git image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the git image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/git + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/git ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/git/tags_history.md b/content/chainguard/chainguard-images/reference/git/tags_history.md index 0762b682cb..574d2eb81f 100644 --- a/content/chainguard/chainguard-images/reference/git/tags_history.md +++ b/content/chainguard/chainguard-images/reference/git/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the git Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,14 +23,14 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|--------------------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:9a75679eaef0483ad7ba3130a756e1467f86acffcd2f8bcb9ea864f41ca0cd5f` | -| `latest-root` | November 29th | `sha256:df4cba36768febd84aa9ee39c8bc6fe7b6751688f398811202fd0c6fccabc8c9` | -| `latest-root-dev` | November 29th | `sha256:b424b0018aaf748afea687e3af2e997cff35682c43a281fcfb2f5f3896c559ed` | -| `latest` | November 29th | `sha256:b9a286ed3630fc32d292af234bfa12941b8a360b1efdecd4f78981edf9eba1e4` | -| `latest-glibc-root-dev` | November 29th | `sha256:c7000f4d4de09943a9011be4fa1e2682e973b3a260a4a4c04f9b35490ae16d91` | -| `latest-glibc-dev` | November 29th | `sha256:12d1cc09262033f92b12a1a747941e8eca3af12235773f04529b78ef3b1ff54c` | -| `latest-glibc-root` | November 29th | `sha256:a295bf091da648413500f84de61da6e60bc43ebf86793306696f99b1d22a8889` | -| `latest-glibc` | November 29th | `sha256:70e10a39ec522f9321b60cff79f65dc281255c48cf23b35e1570e0ab96ae2e07` | +| Tag (s) | Last Changed | Digest | +|--------------------------|--------------|---------------------------------------------------------------------------| +| `latest-root-dev` | December 6th | `sha256:e0de33ea8c5994fcc31fe40967a3fc63233594328e01bdc62b64564891b96238` | +| `latest-root` | December 6th | `sha256:5e082c2e005abeee66ad72576c51f0e050e299e1feec9fd72a94ccf4214e7158` | +| `latest` | December 6th | `sha256:73c2b94038670304376db6edee0a5b0b339cc0e1f6562ab222764604e1beebed` | +| `latest-dev` | December 6th | `sha256:3940b11e55a89c1fcf6cea756b5abefa7b0f55b18556939f0795fb26bc618ea5` | +| `latest-glibc` | December 6th | `sha256:546ee334f05f7dd4c917f6cbaa2e88df3ca66758a31c2b35a608e09279cf844b` | +| `latest-glibc-root` | December 6th | `sha256:bce7d74aad7103ade728bed27ce838c23d25a7f60d9469de1dc32e9901384d19` | +| `latest-glibc-dev` | December 6th | `sha256:a2ea551c8e4c5416c4d3773d917938b04b9330c69704378eea0b48cf22a45899` | +| `latest-glibc-root-dev` | December 6th | `sha256:8101f7c8f01429f36999dff74621b9c01c23a1e8f151255fd96933ed85e05175` | diff --git a/content/chainguard/chainguard-images/reference/gitlab-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/gitlab-exporter/provenance_info.md index 40dd3016c0..96636f2e34 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitlab-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for gitlab-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **gitlab-exporter** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/gitlab-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitlab-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the gitlab- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/gitlab-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitlab-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/gitlab-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/gitlab-exporter/tags_history.md index e4d141f20c..89eb19d369 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/gitlab-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the gitlab-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:bb251052d94f82c16815aefc474aac34e7ab2290d240aa7563c636c35209b99e` | -| `latest-dev` | November 29th | `sha256:1f6007938d943ce637b67586d2ae4f77f203a0fecaca39fc8dde919328e84643` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:bf1b39cf9393dff6d0ab30e7d76313f08151574b9d48e5a4ca75ecf0cb7fb29e` | +| `latest` | December 6th | `sha256:e31a44c63fb1edc85ada5e02820fefa887a920f204a88c5ee303d660a70623eb` | diff --git a/content/chainguard/chainguard-images/reference/gitlab-kas/provenance_info.md b/content/chainguard/chainguard-images/reference/gitlab-kas/provenance_info.md index 4bda677375..19e05ee585 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-kas/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitlab-kas/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for gitlab-kas Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **gitlab-kas** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/gitlab-kas | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitlab-kas | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the gitlab- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-kas image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-kas image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/gitlab-kas + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitlab-kas ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/gitlab-kas/tags_history.md b/content/chainguard/chainguard-images/reference/gitlab-kas/tags_history.md index 7ab61fac12..e96ed2c99a 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-kas/tags_history.md +++ b/content/chainguard/chainguard-images/reference/gitlab-kas/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the gitlab-kas Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:0ba9adea70008228edb47a97cc40a28af11e6fa9a2c415e5efcc723c2009ec67` | -| `latest` | November 29th | `sha256:ab6b80f0d9d30647fd4a9a29aa8590d46599dacdcfdadadc89b19848270a168d` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:6c25987d3986b328c660598bef8f98cf1f45d2a42a13b1b989e7551ce596dba0` | +| `latest` | December 6th | `sha256:61c3f8aa394ab65d175fb96ba2a4652a37d74e70c612c085b93bf0e20f39f4be` | diff --git a/content/chainguard/chainguard-images/reference/gitlab-pages/provenance_info.md b/content/chainguard/chainguard-images/reference/gitlab-pages/provenance_info.md index 9b978c7ee6..ad6a4755ce 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-pages/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitlab-pages/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for gitlab-pages Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **gitlab-pages** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/gitlab-pages | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitlab-pages | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the gitlab- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-pages image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-pages image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/gitlab-pages + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitlab-pages ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/gitlab-pages/tags_history.md b/content/chainguard/chainguard-images/reference/gitlab-pages/tags_history.md index f6cc52caee..e088d37de3 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-pages/tags_history.md +++ b/content/chainguard/chainguard-images/reference/gitlab-pages/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the gitlab-pages Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:d962b7c678962a982a18b10fd4123dbd00a8e455c6a4a869acd589508a3d6f06` | -| `latest` | November 29th | `sha256:c429649e100f5879b3fa52ea39f240d58f5c906600f6e125ea8e51abdb9a1685` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:8e0f87b68486e41d943426191caadb2a476bcca91fa522b77a4ad94ed5ae52f8` | +| `latest` | December 6th | `sha256:a443d0f7ef4ea3e89f065a905b582c02e1fddda397a5fb941e4a6a686dfd85a0` | diff --git a/content/chainguard/chainguard-images/reference/gitlab-shell/provenance_info.md b/content/chainguard/chainguard-images/reference/gitlab-shell/provenance_info.md index 7921e07068..35f987c958 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-shell/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitlab-shell/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for gitlab-shell Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **gitlab-shell** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/gitlab-shell | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitlab-shell | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the gitlab- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-shell image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitlab-shell image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/gitlab-shell + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitlab-shell ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/gitlab-shell/tags_history.md b/content/chainguard/chainguard-images/reference/gitlab-shell/tags_history.md index 1c2a8ba08e..177bc61e1d 100644 --- a/content/chainguard/chainguard-images/reference/gitlab-shell/tags_history.md +++ b/content/chainguard/chainguard-images/reference/gitlab-shell/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the gitlab-shell Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:a706e5004c9f3ce24d330f45e952dfd43728452a6c2910a29d59ca6d9e0f16fe` | -| `latest-dev` | November 29th | `sha256:22aca618ea554072303368db02af5960fe68000cb971802f11521f1fca7ae5ca` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:0175c8daa5e849d15b5d90107ad13964bd3ce67c1731d7953e2ae379e9915267` | +| `latest` | December 6th | `sha256:9b77c7e3013e7e6b880fd447a61dd5ed4776cb384290fc36f483f33258220c70` | diff --git a/content/chainguard/chainguard-images/reference/gitness/provenance_info.md b/content/chainguard/chainguard-images/reference/gitness/provenance_info.md index de3e26547b..a5df9683a5 100644 --- a/content/chainguard/chainguard-images/reference/gitness/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gitness/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for gitness Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **gitness** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/gitness | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitness | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the gitness | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitness image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gitness image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/gitness + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gitness ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/gitness/tags_history.md b/content/chainguard/chainguard-images/reference/gitness/tags_history.md index fc65062f79..6f109e4079 100644 --- a/content/chainguard/chainguard-images/reference/gitness/tags_history.md +++ b/content/chainguard/chainguard-images/reference/gitness/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the gitness Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:cc93b6399e9d62679c1a1e303801da11024679b237871dcb452253c099acdc6f` | -| `latest` | November 29th | `sha256:24441bb50d30c63f26e3df8ad9fa3f8f4afc033dc8d4def4eb63dfe970a5d48a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c9821c8aecdacc5e9a1102cd7575eceb4cf3fd8bd13511855779628650b3b306` | +| `latest-dev` | December 6th | `sha256:a52efe7578a676f19f25dc238f65bc723d20c89d2c76a8f002ca231e4505aaa4` | diff --git a/content/chainguard/chainguard-images/reference/glibc-dynamic/provenance_info.md b/content/chainguard/chainguard-images/reference/glibc-dynamic/provenance_info.md index 1008bc958c..e7aad7747d 100644 --- a/content/chainguard/chainguard-images/reference/glibc-dynamic/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/glibc-dynamic/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for glibc-dynamic Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **glibc-dynamic** Chainguard Images are signed using Sigstore, and you can c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/glibc-dynamic | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/glibc-dynamic | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the glibc-d | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the glibc-dynamic image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the glibc-dynamic image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/glibc-dynamic + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/glibc-dynamic ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/glibc-dynamic/tags_history.md b/content/chainguard/chainguard-images/reference/glibc-dynamic/tags_history.md index ff95859bc0..c69f47597e 100644 --- a/content/chainguard/chainguard-images/reference/glibc-dynamic/tags_history.md +++ b/content/chainguard/chainguard-images/reference/glibc-dynamic/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the glibc-dynamic Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:dee77aaf6524b6bde20ed841d3c82fdfdb3a27ff386266a31e38222e1e89b4b1` | -| `latest` | November 29th | `sha256:677adea04d6c703482c1157cb8bc8670a179f1e749c76f10854ef4da0f712c4e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:b399edb11111ff8f36c15fff8bdc8de381d5931edf7e71e382c8eb4c32c1d12a` | +| `latest` | December 6th | `sha256:83d562552710fadc546762e6c178e2c3a7c0c73015bbb9e9b350ecf9512ddbcb` | diff --git a/content/chainguard/chainguard-images/reference/go/provenance_info.md b/content/chainguard/chainguard-images/reference/go/provenance_info.md index affdecf33d..55ee890f51 100644 --- a/content/chainguard/chainguard-images/reference/go/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/go/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for go Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **go** Chainguard Images are signed using Sigstore, and you can check the in The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/go | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/go | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the go imag | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the go image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the go image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/go + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/go ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/go/tags_history.md b/content/chainguard/chainguard-images/reference/go/tags_history.md index d3aeea71ba..e17d79a399 100644 --- a/content/chainguard/chainguard-images/reference/go/tags_history.md +++ b/content/chainguard/chainguard-images/reference/go/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the go Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c894bc454800817b1747c8a1a640ae6d86004b06190f94e791098e7e78dbbc00` | -| `latest-dev` | November 29th | `sha256:ed3b0a343642563acb88583c497c531b9272d2a6e048c589e2e1e9533e2b8f73` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:cc9162f7b553987850cbc6d4c229a43e44172da47dc35da5e499487100419bc1` | +| `latest-dev` | December 6th | `sha256:656b9e198b8c7f62c953388bcc2f94e7e9b37a7993a6b4ef755b4d33836db7f3` | diff --git a/content/chainguard/chainguard-images/reference/google-cloud-sdk/provenance_info.md b/content/chainguard/chainguard-images/reference/google-cloud-sdk/provenance_info.md index 3e19722593..ce91439a0d 100644 --- a/content/chainguard/chainguard-images/reference/google-cloud-sdk/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/google-cloud-sdk/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for google-cloud-sdk Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **google-cloud-sdk** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/google-cloud-sdk | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/google-cloud-sdk | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the google- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the google-cloud-sdk image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the google-cloud-sdk image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/google-cloud-sdk + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/google-cloud-sdk ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/google-cloud-sdk/tags_history.md b/content/chainguard/chainguard-images/reference/google-cloud-sdk/tags_history.md index ddc1417c26..763a04beb9 100644 --- a/content/chainguard/chainguard-images/reference/google-cloud-sdk/tags_history.md +++ b/content/chainguard/chainguard-images/reference/google-cloud-sdk/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the google-cloud-sdk Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2825e93348379e1e3301d76a7105b96c1c2eda672e886f119fe77e5ac21150d3` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:d1705efc48a866195e1d95f63e5c4f1aa901d62e6a5704ecdce60ab14ce32546` | diff --git a/content/chainguard/chainguard-images/reference/graalvm-native/provenance_info.md b/content/chainguard/chainguard-images/reference/graalvm-native/provenance_info.md index 18334fcab4..f8b179933f 100644 --- a/content/chainguard/chainguard-images/reference/graalvm-native/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/graalvm-native/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for graalvm-native Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **graalvm-native** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/graalvm-native | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/graalvm-native | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the graalvm | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the graalvm-native image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the graalvm-native image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/graalvm-native + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/graalvm-native ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/graalvm-native/tags_history.md b/content/chainguard/chainguard-images/reference/graalvm-native/tags_history.md index cedb8b9ea1..a4246cb57e 100644 --- a/content/chainguard/chainguard-images/reference/graalvm-native/tags_history.md +++ b/content/chainguard/chainguard-images/reference/graalvm-native/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the graalvm-native Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c1018bc297febb729f3302f302ba20d801721af210199685fab30b42234cc66c` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:799b172e80f92bd67d479011428a3dfbc8e9fefc7e717daeb55d07bc48f27d10` | diff --git a/content/chainguard/chainguard-images/reference/gradle/provenance_info.md b/content/chainguard/chainguard-images/reference/gradle/provenance_info.md index a7d99f8dfb..3bbc063fb1 100644 --- a/content/chainguard/chainguard-images/reference/gradle/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/gradle/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for gradle Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **gradle** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/gradle | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gradle | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the gradle | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gradle image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the gradle image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/gradle + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/gradle ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/gradle/tags_history.md b/content/chainguard/chainguard-images/reference/gradle/tags_history.md index 07dca72879..6bb8776322 100644 --- a/content/chainguard/chainguard-images/reference/gradle/tags_history.md +++ b/content/chainguard/chainguard-images/reference/gradle/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the gradle Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:fd06a94dedc3a5c3590e4c21ac4888cc564e73390de0d031dcf8000bf907076f` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:a4b835c45c2159c3a678e0d3c8ee5f299290211e55bee22968afbcaa9ea062b8` | diff --git a/content/chainguard/chainguard-images/reference/grype/provenance_info.md b/content/chainguard/chainguard-images/reference/grype/provenance_info.md index ca775888e3..f59a00df52 100644 --- a/content/chainguard/chainguard-images/reference/grype/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/grype/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for grype Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **grype** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/grype | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/grype | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the grype i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the grype image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the grype image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/grype + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/grype ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/grype/tags_history.md b/content/chainguard/chainguard-images/reference/grype/tags_history.md index 2838afb75e..18f435d026 100644 --- a/content/chainguard/chainguard-images/reference/grype/tags_history.md +++ b/content/chainguard/chainguard-images/reference/grype/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the grype Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:051d1560b444f7e935d81daecd68ff99b4d916543fa1e37fa0b16fc100b23acb` | -| `latest` | November 29th | `sha256:ea7284bffb5d4c56d1d23745f6ee234b114df60698108b9618b87b36974cef47` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:e997bf4482433431a18e4bc973cd20197ffa15ce733e6f3e542563396eeec37b` | +| `latest` | December 6th | `sha256:24adad7f48e77ef408457849c1498599c97be95d4dd098fdca797315fdb8a0af` | diff --git a/content/chainguard/chainguard-images/reference/guacamole-server/provenance_info.md b/content/chainguard/chainguard-images/reference/guacamole-server/provenance_info.md index b78b6b635a..28bef6f5f9 100644 --- a/content/chainguard/chainguard-images/reference/guacamole-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/guacamole-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for guacamole-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **guacamole-server** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/guacamole-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/guacamole-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the guacamo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the guacamole-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the guacamole-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/guacamole-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/guacamole-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/guacamole-server/tags_history.md b/content/chainguard/chainguard-images/reference/guacamole-server/tags_history.md index a1e8d36b1d..7b710931ca 100644 --- a/content/chainguard/chainguard-images/reference/guacamole-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/guacamole-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the guacamole-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:27cd9e5b69d1814215b9c04998dacb82ca4fe7e035180ee60b5c743f490206ee` | -| `latest` | November 29th | `sha256:c6eeb29015732192b0c29a3e17dde03c7e09b087fd7c22dec8e0ed69f85517b6` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:dd2f045eb99b07ff8ba84f1c27fca740dca5bf0fb23baaba28b7177b0012b878` | +| `latest-dev` | December 6th | `sha256:78e08623005593b12ce60196bdfebda63774207ea4f956e5fb082a79b068512a` | diff --git a/content/chainguard/chainguard-images/reference/haproxy-ingress/_index.md b/content/chainguard/chainguard-images/reference/haproxy-ingress/_index.md index 8f351cc001..2cd177efbb 100644 --- a/content/chainguard/chainguard-images/reference/haproxy-ingress/_index.md +++ b/content/chainguard/chainguard-images/reference/haproxy-ingress/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: haproxy-ingress Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -26,32 +26,44 @@ toc: true -Kubernetes ingress controller implementation for HAProxy +[HAProxy Ingress](https://haproxy-ingress.github.io/) is a Kubernetes ingress controller implementation for HAProxy. ## Get It! -The image is available on `cgr.dev`: +The image is available on `cgr.dev`. -``` +```shell docker pull cgr.dev/chainguard/haproxy-ingress:latest ``` -# Usage +# Use It! -You can use this image with the [Helm Chart](https://artifacthub.io/packages/helm/haproxy-ingress/haproxy-ingress) of the project: +You can use this image with the `haproxy-ingress` project's [Helm chart](https://artifacthub.io/packages/helm/haproxy-ingress/haproxy-ingress). To begin, add the Helm chart's repository. ```shell helm repo add haproxy-ingress https://haproxy-ingress.github.io/charts +``` +Then run the following command to retrieve the latest information about the charts in the repository you just added. + +```shell helm repo update +``` +Then install `haproxy-ingress` with the following command. This command directs Helm to install it using Chainguard's `haprox-ingress:latest` image. + +```shell helm install ingress haproxy-ingress/haproxy-ingress \ --set controller.image.repository="cgr.dev/chainguard/haproxy-ingress" \ --set controller.image.tag="latest" +``` +Run the following command to confirm that the the Pod is running and ready to use. + +```shell kubectl wait --for=condition=ready pod --selector "app.kubernetes.io/name=haproxy-ingress" --timeout=120s ``` diff --git a/content/chainguard/chainguard-images/reference/haproxy-ingress/provenance_info.md b/content/chainguard/chainguard-images/reference/haproxy-ingress/provenance_info.md index 31aba75b58..81d0b1cb6d 100644 --- a/content/chainguard/chainguard-images/reference/haproxy-ingress/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/haproxy-ingress/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for haproxy-ingress Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **haproxy-ingress** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/haproxy-ingress | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/haproxy-ingress | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the haproxy | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the haproxy-ingress image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the haproxy-ingress image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/haproxy-ingress + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/haproxy-ingress ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/haproxy-ingress/tags_history.md b/content/chainguard/chainguard-images/reference/haproxy-ingress/tags_history.md index d304440898..16af2cdcb3 100644 --- a/content/chainguard/chainguard-images/reference/haproxy-ingress/tags_history.md +++ b/content/chainguard/chainguard-images/reference/haproxy-ingress/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the haproxy-ingress Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:aee400578491a2f761c7bb396cf76795842c887272fd49fc4a683fb55b14fb45` | -| `latest` | November 29th | `sha256:6ca9a39c8676709025ef1bb6c9f4cb9adcb70da8ca8bb88747487aa72e90e41c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c8f5314264bde95e507e9abc537002a42c5d28e512b4fa5cbf940185779521c2` | +| `latest-dev` | December 6th | `sha256:7250939bd1432b8a4086c6a333818289f4fa97c19d5f76cd25c3b19866ee537c` | diff --git a/content/chainguard/chainguard-images/reference/haproxy/provenance_info.md b/content/chainguard/chainguard-images/reference/haproxy/provenance_info.md index 473cc6199a..73ec4e17cc 100644 --- a/content/chainguard/chainguard-images/reference/haproxy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/haproxy/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for haproxy Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **haproxy** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/haproxy | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/haproxy | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the haproxy | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the haproxy image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the haproxy image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/haproxy + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/haproxy ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/haproxy/tags_history.md b/content/chainguard/chainguard-images/reference/haproxy/tags_history.md index ff570e4eab..b3e8e3136d 100644 --- a/content/chainguard/chainguard-images/reference/haproxy/tags_history.md +++ b/content/chainguard/chainguard-images/reference/haproxy/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the haproxy Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:f2401f0a74e1ce0d2eb8ee3e99e879b5e96d2f6318b7b475e705093276d9b1c4` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:99b65bfce1ead0aa0b5f54fb19e3a9d820badfad199909698718f751848c24c1` | diff --git a/content/chainguard/chainguard-images/reference/helm-chartmuseum/provenance_info.md b/content/chainguard/chainguard-images/reference/helm-chartmuseum/provenance_info.md index 298f951110..c032a8625e 100644 --- a/content/chainguard/chainguard-images/reference/helm-chartmuseum/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/helm-chartmuseum/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for helm-chartmuseum Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **helm-chartmuseum** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/helm-chartmuseum | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/helm-chartmuseum | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the helm-ch | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the helm-chartmuseum image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the helm-chartmuseum image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/helm-chartmuseum + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/helm-chartmuseum ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/helm-chartmuseum/tags_history.md b/content/chainguard/chainguard-images/reference/helm-chartmuseum/tags_history.md index 6422c0d3c9..86cb54ea28 100644 --- a/content/chainguard/chainguard-images/reference/helm-chartmuseum/tags_history.md +++ b/content/chainguard/chainguard-images/reference/helm-chartmuseum/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the helm-chartmuseum Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:c8dc7154cef54c1642fa631ab9f4509c108c7b56a963b84a140049bc20329b52` | -| `latest` | October 30th | `sha256:7679e94ae8d48f731d9eeb8a3307d84cc147d692709c211688e2cfc2d85a8b16` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:96082ec325470b8cb81f65757e1d070d2393eb0a734e5676987e3202abf86988` | +| `latest` | December 6th | `sha256:f737a6e6dbd361d6dde3b81a4e7398f9b53493ff7ebb9a9991fb9ec45be01b5b` | diff --git a/content/chainguard/chainguard-images/reference/helm/_index.md b/content/chainguard/chainguard-images/reference/helm/_index.md index a50221672c..55c0e96f1a 100644 --- a/content/chainguard/chainguard-images/reference/helm/_index.md +++ b/content/chainguard/chainguard-images/reference/helm/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: helm Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -31,7 +31,7 @@ Minimal image with [helm](https://helm.sh) binary. **EXPERIMENTAL** ## Get It! -The image is available on `cgr.dev`: +The image is available on `cgr.dev`. ``` docker pull cgr.dev/chainguard/helm:latest @@ -39,24 +39,19 @@ docker pull cgr.dev/chainguard/helm:latest -## Image Variants -Our `latest` tags use the most recent build of the [Wolfi helm](https://github.com/wolfi-dev/os/blob/main/helm.yaml) package. The following tagged variants are available without authentication: +## Testing the Helm Image -- `latest`: This is a distroless image for running helm to install packages to a kubernetes cluster. It does not include `apk-tools` or `bash`, so no shell will be available. -- `latest-dev`: This is a development / builder image that includes `bash`, `apk-tools`, and `busybox`. This variant allows you to customize your final image with additional Wolfi packages. - -### Helm Version -This will automatically pull the image to your local system and execute the command `helm version`: +The following command will pull the image to your local system and automatically execute the `helm version` command: ```shell docker run --rm cgr.dev/chainguard/helm version ``` -You should see output similar to this: +This will return output similar to this. ``` -version.BuildInfo{Version:"v3.13.1", GitCommit:"3547a4b5bf5edb5478ce352e18858d8a552a4110", GitTreeState:"dirty", GoVersion:"go1.21.3"} +version.BuildInfo{Version:"v3.13.2", GitCommit:"2a2fb3b98829f1e0be6fb18af2f6599e0f4e8243", GitTreeState:"clean", GoVersion:"go1.21.4"} ``` diff --git a/content/chainguard/chainguard-images/reference/helm/provenance_info.md b/content/chainguard/chainguard-images/reference/helm/provenance_info.md index a0754d7377..7164071451 100644 --- a/content/chainguard/chainguard-images/reference/helm/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/helm/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for helm Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **helm** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/helm | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/helm | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the helm im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the helm image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the helm image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/helm + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/helm ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/helm/tags_history.md b/content/chainguard/chainguard-images/reference/helm/tags_history.md index 87550cedf9..70f83aaaa3 100644 --- a/content/chainguard/chainguard-images/reference/helm/tags_history.md +++ b/content/chainguard/chainguard-images/reference/helm/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the helm Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ffc1e28b726c3d2d831b320cd31dcf7f3b2a2306b0f2a98bd8ff2ffb9bb0296e` | -| `latest-dev` | November 29th | `sha256:1e315099b220214158156ffba15ddc0f88bcb410b95d94ecfaa72f7193480883` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:d58f404ad6a6eb567a5c588540d95666902d632edda76a4593e4a3eb420c28a6` | +| `latest-dev` | December 6th | `sha256:e36f0b21cde354a326495471cccdacbe88ef2f03b51d20625a1ee183a304500a` | diff --git a/content/chainguard/chainguard-images/reference/http-echo/provenance_info.md b/content/chainguard/chainguard-images/reference/http-echo/provenance_info.md index 62f9425b4f..69d5ccb9a1 100644 --- a/content/chainguard/chainguard-images/reference/http-echo/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/http-echo/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for http-echo Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **http-echo** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/http-echo | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/http-echo | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the http-ec | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the http-echo image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the http-echo image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/http-echo + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/http-echo ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/http-echo/tags_history.md b/content/chainguard/chainguard-images/reference/http-echo/tags_history.md index 09159530da..e4c287d7e7 100644 --- a/content/chainguard/chainguard-images/reference/http-echo/tags_history.md +++ b/content/chainguard/chainguard-images/reference/http-echo/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the http-echo Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:db2a62b9145b9b18a25bf53205c613ddbe6c9e9be9879478ad7974fe4ede9954` | -| `latest` | October 30th | `sha256:2ce935beaa421e2217fc65e1fd4f26b408844f0d67136dced5eb390aa8400dbe` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:63fbc523ac4c320412183131cf95347e429965bc06c48cc8e286572592a46f6b` | +| `latest-dev` | December 6th | `sha256:a52b508d260448f19cf191e9e34d6a55de5b630efb84702e13a5ada70c0c39c9` | diff --git a/content/chainguard/chainguard-images/reference/hugo/provenance_info.md b/content/chainguard/chainguard-images/reference/hugo/provenance_info.md index c9f61127ad..b666517ddf 100644 --- a/content/chainguard/chainguard-images/reference/hugo/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/hugo/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for hugo Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **hugo** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/hugo | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/hugo | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the hugo im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the hugo image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the hugo image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/hugo + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/hugo ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/hugo/tags_history.md b/content/chainguard/chainguard-images/reference/hugo/tags_history.md index 3caf5fb2c2..1196ae2e20 100644 --- a/content/chainguard/chainguard-images/reference/hugo/tags_history.md +++ b/content/chainguard/chainguard-images/reference/hugo/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the hugo Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ad65900a8a3bd15247f01467739842610e46f2c5896afb73343bcd0239a217f8` | -| `latest-dev` | November 29th | `sha256:9c20a39e6b2e629e8bb511b42173d8db6e30bf953d802ed2602204de9b545885` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:31a0c9fd152d3a3b38a926ec832ceb25e3910dd288b83a8c725885c659ef78d8` | +| `latest-dev` | December 6th | `sha256:ddd2fb404a6cad2fbb0119dede68c7577f035e00f7cd0cfbcf94a9ab3c0ea310` | diff --git a/content/chainguard/chainguard-images/reference/influxdb/provenance_info.md b/content/chainguard/chainguard-images/reference/influxdb/provenance_info.md index bd7d4d2e8f..29d694bd15 100644 --- a/content/chainguard/chainguard-images/reference/influxdb/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/influxdb/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for influxdb Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **influxdb** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/influxdb | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/influxdb | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the influxd | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the influxdb image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the influxdb image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/influxdb + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/influxdb ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/influxdb/tags_history.md b/content/chainguard/chainguard-images/reference/influxdb/tags_history.md index 227b4d4d4e..86ca71770c 100644 --- a/content/chainguard/chainguard-images/reference/influxdb/tags_history.md +++ b/content/chainguard/chainguard-images/reference/influxdb/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the influxdb Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ff7c88aca3d1db97c6210f2000cf7ea0a253b4241c6ab14814f595f76c913e2b` | -| `latest-dev` | November 29th | `sha256:36f6e5027b649daf57f79bd36a60f44f080545bdb450f60db6bf36ffe8621002` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:c1aa8cfc07d2773679e1218d484ca8dab0713bc13db21c1cd99a3db768850d6b` | +| `latest` | December 6th | `sha256:99dd8e21c3b0ddf472c95cd605ed9c0176348264289d689b081176e991105604` | diff --git a/content/chainguard/chainguard-images/reference/ingress-nginx-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/ingress-nginx-controller/provenance_info.md index 9961430e63..066d105ccf 100644 --- a/content/chainguard/chainguard-images/reference/ingress-nginx-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ingress-nginx-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for ingress-nginx-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **ingress-nginx-controller** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/ingress-nginx-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ingress-nginx-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the ingress | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ingress-nginx-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ingress-nginx-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/ingress-nginx-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ingress-nginx-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ingress-nginx-controller/tags_history.md b/content/chainguard/chainguard-images/reference/ingress-nginx-controller/tags_history.md index 0256359b7b..ed9c3a375c 100644 --- a/content/chainguard/chainguard-images/reference/ingress-nginx-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ingress-nginx-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the ingress-nginx-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:48f4cef800d2332c9655e37b9402a72f589b42a1c8bc4e9b534810016b7353e2` | -| `latest-dev` | November 29th | `sha256:8d45f23280dd63baded72980d602ea7d218e424b5db05b8d8399b36eb2bc9642` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:21c5fbd3ec3152e79564cc8865850d8e886818c8664e06faad376919229ad56f` | +| `latest-dev` | December 6th | `sha256:c2f03807c2bd534574e0558de9992d50154697cbeb97bb2662ee90c3d965ddb6` | diff --git a/content/chainguard/chainguard-images/reference/ip-masq-agent/provenance_info.md b/content/chainguard/chainguard-images/reference/ip-masq-agent/provenance_info.md index fa5df1659c..d443ddddec 100644 --- a/content/chainguard/chainguard-images/reference/ip-masq-agent/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ip-masq-agent/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for ip-masq-agent Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **ip-masq-agent** Chainguard Images are signed using Sigstore, and you can c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/ip-masq-agent | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ip-masq-agent | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the ip-masq | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ip-masq-agent image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ip-masq-agent image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/ip-masq-agent + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ip-masq-agent ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ip-masq-agent/tags_history.md b/content/chainguard/chainguard-images/reference/ip-masq-agent/tags_history.md index 424b7c60a3..bd41ddce27 100644 --- a/content/chainguard/chainguard-images/reference/ip-masq-agent/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ip-masq-agent/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the ip-masq-agent Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:6b4a65631df35ff62503ede99709e7774e3a15afcd721436b078b971350b58a3` | -| `latest` | November 29th | `sha256:16a97c9c97542becb1a878f3435a8300020afa4347b5947d368c0396c727eadd` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:54329c94e7409dab7fa705efc9760a8b4e6be13ccc6df5f565f0f3ea460c8023` | +| `latest-dev` | December 6th | `sha256:3424643293fc371f2652bbbd7da9572382a3dfa328315109dde182268887d427` | diff --git a/content/chainguard/chainguard-images/reference/istio-install-cni/provenance_info.md b/content/chainguard/chainguard-images/reference/istio-install-cni/provenance_info.md index c77586694a..00b6cb8aab 100644 --- a/content/chainguard/chainguard-images/reference/istio-install-cni/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/istio-install-cni/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for istio-install-cni Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **istio-install-cni** Chainguard Images are signed using Sigstore, and you c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/istio-install-cni | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/istio-install-cni | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the istio-i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-install-cni image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-install-cni image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/istio-install-cni + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/istio-install-cni ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/istio-install-cni/tags_history.md b/content/chainguard/chainguard-images/reference/istio-install-cni/tags_history.md index bd01fad302..4a3107c3fc 100644 --- a/content/chainguard/chainguard-images/reference/istio-install-cni/tags_history.md +++ b/content/chainguard/chainguard-images/reference/istio-install-cni/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the istio-install-cni Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:6b8021f087ec129720f784a8fcc23b3218dd41477b89fbdb53356bef4445088f` | -| `latest-dev` | November 29th | `sha256:3a83f7450eff5b6bf13da7af5f74726bc1226522fa967acf9cab807195924ee7` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:096020e9dd2d18106da68351e4dc1dcdde14b1531807fd760bd5fd9b15c20aa5` | +| `latest-dev` | December 6th | `sha256:c08f9c48e0a80f58bce553a8fe573a95761af5c8d4a34830c9774060da70cff1` | diff --git a/content/chainguard/chainguard-images/reference/istio-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/istio-operator/provenance_info.md index 220d880628..f114eb01e0 100644 --- a/content/chainguard/chainguard-images/reference/istio-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/istio-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for istio-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **istio-operator** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/istio-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/istio-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the istio-o | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/istio-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/istio-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/istio-operator/tags_history.md b/content/chainguard/chainguard-images/reference/istio-operator/tags_history.md index 254e864cf1..6e76a0949d 100644 --- a/content/chainguard/chainguard-images/reference/istio-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/istio-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the istio-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:bb87338859a196657d9f10cc60a7f769d304ecaa2cdd8d1303466599fdee1440` | -| `latest-dev` | November 29th | `sha256:7c662a1fc26ed56d3140112eb71843f8c3ad7d27490ad77af5b9acc747589d1c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:97aa21746aa488594bb440b38adc70eb105e8f689245b492e65ab16e30019826` | +| `latest-dev` | December 6th | `sha256:0daf0ae271a34174dad1e84b6c3fce0b2d8ce70070d3e777456925f8770681a9` | diff --git a/content/chainguard/chainguard-images/reference/istio-pilot/provenance_info.md b/content/chainguard/chainguard-images/reference/istio-pilot/provenance_info.md index 1e47f8bebd..719fe8a4d4 100644 --- a/content/chainguard/chainguard-images/reference/istio-pilot/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/istio-pilot/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for istio-pilot Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **istio-pilot** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/istio-pilot | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/istio-pilot | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the istio-p | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-pilot image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-pilot image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/istio-pilot + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/istio-pilot ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/istio-pilot/tags_history.md b/content/chainguard/chainguard-images/reference/istio-pilot/tags_history.md index d08b802ab9..8e9fcaec9d 100644 --- a/content/chainguard/chainguard-images/reference/istio-pilot/tags_history.md +++ b/content/chainguard/chainguard-images/reference/istio-pilot/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the istio-pilot Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:9fef180c54b616bfaf5d3bb93e05b99ef6479ffd81f2f2e5cc68731cb048dc1b` | -| `latest-dev` | November 29th | `sha256:efa288b816f4909cefc5e10cef01b89ca1386dd421243cf7617cd6c7919f8824` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:774de4d274351fdd6c82cae605f8b64c9f2e7c89ae0c7f8bef3aa252c8a95552` | +| `latest` | December 6th | `sha256:2017751aa2423a3ab4bbaa5c381b208dce16911cccb072ddbe5e95692d1121b7` | diff --git a/content/chainguard/chainguard-images/reference/istio-proxy/provenance_info.md b/content/chainguard/chainguard-images/reference/istio-proxy/provenance_info.md index 70e69fe8cd..e765be02d3 100644 --- a/content/chainguard/chainguard-images/reference/istio-proxy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/istio-proxy/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for istio-proxy Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **istio-proxy** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/istio-proxy | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/istio-proxy | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the istio-p | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-proxy image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the istio-proxy image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/istio-proxy + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/istio-proxy ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/istio-proxy/tags_history.md b/content/chainguard/chainguard-images/reference/istio-proxy/tags_history.md index 0e474b40e3..7ae2e770b3 100644 --- a/content/chainguard/chainguard-images/reference/istio-proxy/tags_history.md +++ b/content/chainguard/chainguard-images/reference/istio-proxy/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the istio-proxy Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:318a92bf7cb97a38ee91aad976a3f079a7424dc11bd1c604c0857f695d0d3f01` | -| `latest-dev` | November 29th | `sha256:e05e05eca5708f32cdecb8c83106302773b5f2b26ca2b6ce9299ce6d05bf24ba` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:9c07d73caa2a50e096fd50f69d05b72021ffdebf4c687f1ed2068020eb0e7651` | +| `latest-dev` | December 6th | `sha256:f97fc024e8e535e1556336a4b3c2e08e1c20af8e7b86eed44f7f957ca95835ee` | diff --git a/content/chainguard/chainguard-images/reference/jdk-lts/provenance_info.md b/content/chainguard/chainguard-images/reference/jdk-lts/provenance_info.md index 7e3939de25..866df990fb 100644 --- a/content/chainguard/chainguard-images/reference/jdk-lts/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jdk-lts/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for jdk-lts Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **jdk-lts** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/jdk-lts | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jdk-lts | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the jdk-lts | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jdk-lts image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jdk-lts image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/jdk-lts + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jdk-lts ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/jdk-lts/tags_history.md b/content/chainguard/chainguard-images/reference/jdk-lts/tags_history.md index fc020f8e7f..2e76663c48 100644 --- a/content/chainguard/chainguard-images/reference/jdk-lts/tags_history.md +++ b/content/chainguard/chainguard-images/reference/jdk-lts/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the jdk-lts Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:0d55c5e79b51110eb8d6087240196d73d0e1db567f4ff37e1b8536d9c5b7c642` | -| `latest-dev` | November 29th | `sha256:607ba0c8fd1c6b73b23c999e82e27e442df2daab2875fe965491a3e62f0834af` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:9e6777c135b11b320e314584e06631f0f0cf65e679e4d060ca0afab4dfac5d14` | +| `latest` | December 6th | `sha256:64b455743ef79024ad92257221e7b4408f92159d2ddf0a28a9882fa9ff517dbe` | diff --git a/content/chainguard/chainguard-images/reference/jdk/provenance_info.md b/content/chainguard/chainguard-images/reference/jdk/provenance_info.md index 2a21471a91..3c3869ddbd 100644 --- a/content/chainguard/chainguard-images/reference/jdk/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jdk/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for jdk Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **jdk** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/jdk | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jdk | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the jdk ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jdk image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jdk image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/jdk + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jdk ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/jdk/tags_history.md b/content/chainguard/chainguard-images/reference/jdk/tags_history.md index 162bba6ffb..bc151535a4 100644 --- a/content/chainguard/chainguard-images/reference/jdk/tags_history.md +++ b/content/chainguard/chainguard-images/reference/jdk/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the jdk Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:fa5f2cecd4b401cacf584f4cffa8c5ae7cd0c6fd440ca7c96822d73ec838abed` | -| `latest-dev` | November 29th | `sha256:0d7e162cb885d763815a05ac3aa45c7b86273f62d3530ccef0a2141dc242b9a1` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:fd25c38b9c9a829f6bf850b51bb93c5d2afd5c4f0e578c4ad5a1c3e776c2c803` | +| `latest-dev` | December 6th | `sha256:36bb3726233cedb7c003b328fb682f7be5ecfa4cdf3936427a290fbcf8a0b5a6` | diff --git a/content/chainguard/chainguard-images/reference/jenkins/provenance_info.md b/content/chainguard/chainguard-images/reference/jenkins/provenance_info.md index 848b24a41e..acbee410a5 100644 --- a/content/chainguard/chainguard-images/reference/jenkins/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jenkins/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for jenkins Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **jenkins** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/jenkins | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jenkins | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the jenkins | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jenkins image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jenkins image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/jenkins + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jenkins ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/jenkins/tags_history.md b/content/chainguard/chainguard-images/reference/jenkins/tags_history.md index 5afca4e30b..704d90f0b5 100644 --- a/content/chainguard/chainguard-images/reference/jenkins/tags_history.md +++ b/content/chainguard/chainguard-images/reference/jenkins/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the jenkins Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:caa04a838978b45d544ecb5f472dd6f610e60f612a336716c46ebf6003353fe9` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:7c72585608d92de0e76a6ca9b146ba1dfab66cf747f4e9bf999cff4dfb3824f9` | diff --git a/content/chainguard/chainguard-images/reference/jre-lts/provenance_info.md b/content/chainguard/chainguard-images/reference/jre-lts/provenance_info.md index 65195c79da..55e44f9373 100644 --- a/content/chainguard/chainguard-images/reference/jre-lts/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jre-lts/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for jre-lts Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **jre-lts** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/jre-lts | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jre-lts | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the jre-lts | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jre-lts image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jre-lts image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/jre-lts + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jre-lts ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/jre-lts/tags_history.md b/content/chainguard/chainguard-images/reference/jre-lts/tags_history.md index 8f60f59774..879990c823 100644 --- a/content/chainguard/chainguard-images/reference/jre-lts/tags_history.md +++ b/content/chainguard/chainguard-images/reference/jre-lts/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the jre-lts Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:9f6cf1c2649d5158cd115d70c103279ffc4554c78b7bf0ca62be134415a5fcfb` | -| `latest-dev` | November 29th | `sha256:9294506c405fd3af91858ef347afc499f6bfbe9551b88cfbe48c6a23f32ba955` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:b834439f8a0b57da6fdd7604a6acd3a55ab99da80d6c15c18bcc8bb0c3abb458` | +| `latest` | December 6th | `sha256:9707fb8aa8a1b5dd2c104e4178e5d21702e6ded82b8e02c7f990d6de6af94c61` | diff --git a/content/chainguard/chainguard-images/reference/jre/provenance_info.md b/content/chainguard/chainguard-images/reference/jre/provenance_info.md index a31eb95ad3..d6f1225aa6 100644 --- a/content/chainguard/chainguard-images/reference/jre/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/jre/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for jre Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **jre** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/jre | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jre | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the jre ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jre image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the jre image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/jre + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/jre ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/jre/tags_history.md b/content/chainguard/chainguard-images/reference/jre/tags_history.md index 013f62e3e6..318ec566b5 100644 --- a/content/chainguard/chainguard-images/reference/jre/tags_history.md +++ b/content/chainguard/chainguard-images/reference/jre/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the jre Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:7e2d9350c60b24097d96010c91ed6d3a3dfd6f34a346561b92a98eefd0a37574` | -| `latest` | November 29th | `sha256:91390531d4eeb80e095a2e286d10dc03fd8a12e9f11f2ff9259294c4a5341818` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:0e35b10681815dc4ab9f624655e574d40c20c4fbefe3fa259a3d68147682cd7e` | +| `latest` | December 6th | `sha256:1f0dacefde082307e9f7a6819bb2ccc6fa451dcce819f35910b31a4b3af9e571` | diff --git a/content/chainguard/chainguard-images/reference/k3s-allinone/provenance_info.md b/content/chainguard/chainguard-images/reference/k3s-allinone/provenance_info.md index 9dfe879154..f94f834654 100644 --- a/content/chainguard/chainguard-images/reference/k3s-allinone/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k3s-allinone/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for k3s-allinone Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **k3s-allinone** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/k3s-allinone | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k3s-allinone | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the k3s-all | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k3s-allinone image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k3s-allinone image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/k3s-allinone + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k3s-allinone ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/k3s-allinone/tags_history.md b/content/chainguard/chainguard-images/reference/k3s-allinone/tags_history.md index 98fdada670..4c6f5fa7f6 100644 --- a/content/chainguard/chainguard-images/reference/k3s-allinone/tags_history.md +++ b/content/chainguard/chainguard-images/reference/k3s-allinone/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the k3s-allinone Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2c50a45082ca196b3c007aa21aa8730ea244ec0f27d05706be6b52ec5e13547d` | -| `latest-dev` | November 29th | `sha256:48c9931b6a5d423e19bd7ae592c71173e01a343a18a62e32986d08559a161c99` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:fdfd62df29531622285d52438607317fe374623c936f3d8da1c183364b44e91d` | +| `latest-dev` | December 6th | `sha256:03b29d210b230b0f7e76d8e48536cf0e6545ff47718248bda53830227ac75732` | diff --git a/content/chainguard/chainguard-images/reference/k3s/provenance_info.md b/content/chainguard/chainguard-images/reference/k3s/provenance_info.md index d11060fd3c..bf1f6820ef 100644 --- a/content/chainguard/chainguard-images/reference/k3s/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k3s/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for k3s Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **k3s** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/k3s | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k3s | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the k3s ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k3s image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k3s image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/k3s + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k3s ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/k3s/tags_history.md b/content/chainguard/chainguard-images/reference/k3s/tags_history.md index d70766bfc6..733d196fd4 100644 --- a/content/chainguard/chainguard-images/reference/k3s/tags_history.md +++ b/content/chainguard/chainguard-images/reference/k3s/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the k3s Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:215dd8f7f7f1cda2c810cf38562c585f5f880303661b76abe353650773c8c21e` | -| `latest` | November 29th | `sha256:59b474679ca2359ec8741e06fe39a8390b905162aaee6690b524f5e60e713b41` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:7eecd5a2ef8671b42ee677f52358c573ec3eeacc8e5e1b10552a1a0e55b399fa` | +| `latest` | December 6th | `sha256:030b47f5eaf11466cc33a7c3f26ae9037e0d6a083d0e64b9083721e122d81ba9` | diff --git a/content/chainguard/chainguard-images/reference/k8s-sidecar/provenance_info.md b/content/chainguard/chainguard-images/reference/k8s-sidecar/provenance_info.md index 0d5f574f93..686fe164c9 100644 --- a/content/chainguard/chainguard-images/reference/k8s-sidecar/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k8s-sidecar/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for k8s-sidecar Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **k8s-sidecar** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/k8s-sidecar | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k8s-sidecar | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the k8s-sid | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8s-sidecar image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8s-sidecar image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/k8s-sidecar + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k8s-sidecar ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/k8s-sidecar/tags_history.md b/content/chainguard/chainguard-images/reference/k8s-sidecar/tags_history.md index 8363b1b99e..fb7d51b03b 100644 --- a/content/chainguard/chainguard-images/reference/k8s-sidecar/tags_history.md +++ b/content/chainguard/chainguard-images/reference/k8s-sidecar/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the k8s-sidecar Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:60e37a8ced1e60df2be2239a1311c0e820724736a148375dd8bdcc2c707314ef` | -| `latest-dev` | November 29th | `sha256:7b086060756aab1da92fbe3e9a1179436f90983eb51855666048bdb54eb7d87a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:4bd0f1cd7fd092f1a09765bc346a09549272084f14591adebb616cff4b1e562a` | +| `latest` | December 6th | `sha256:17a7ee0414822a696e3e0e87269974bf8c8e3642bdef5529b720d0afa178b12a` | diff --git a/content/chainguard/chainguard-images/reference/k8sgpt-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/k8sgpt-operator/provenance_info.md index fb0d8c001e..0dfdd7c735 100644 --- a/content/chainguard/chainguard-images/reference/k8sgpt-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k8sgpt-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for k8sgpt-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **k8sgpt-operator** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/k8sgpt-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k8sgpt-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the k8sgpt- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8sgpt-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8sgpt-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/k8sgpt-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k8sgpt-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/k8sgpt-operator/tags_history.md b/content/chainguard/chainguard-images/reference/k8sgpt-operator/tags_history.md index 44d96e69c0..ddde916756 100644 --- a/content/chainguard/chainguard-images/reference/k8sgpt-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/k8sgpt-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the k8sgpt-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:e1dcf2400e1078f61a4362282d62f39411cff7162a91992ac078fc530acd672e` | -| `latest` | November 29th | `sha256:ba4ba74409fc53a94a36c09f5aa09e518e987e560e469b7393b8cdc13767e1f5` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:8e091c7b3b5dd7838d9069414f3c0e127b1d1825ed133a5526c24beba775f929` | +| `latest-dev` | December 6th | `sha256:9bf39d852da96a4fb0c83a243f283e619de6be269194fd716355d9931fc3bf70` | diff --git a/content/chainguard/chainguard-images/reference/k8sgpt/provenance_info.md b/content/chainguard/chainguard-images/reference/k8sgpt/provenance_info.md index fb24f70889..194d1d0693 100644 --- a/content/chainguard/chainguard-images/reference/k8sgpt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/k8sgpt/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for k8sgpt Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **k8sgpt** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/k8sgpt | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k8sgpt | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the k8sgpt | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8sgpt image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the k8sgpt image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/k8sgpt + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/k8sgpt ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/k8sgpt/tags_history.md b/content/chainguard/chainguard-images/reference/k8sgpt/tags_history.md index 64cb49bb1e..40cdf9339e 100644 --- a/content/chainguard/chainguard-images/reference/k8sgpt/tags_history.md +++ b/content/chainguard/chainguard-images/reference/k8sgpt/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the k8sgpt Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:04900ed7c4ce20c209f139e2102111e3e37abf7fe27a000914ee2689a06fd535` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:25a367cefc1ebc8d9bfe28585513c833543d86856ffe2e81d65a97e59c345100` | diff --git a/content/chainguard/chainguard-images/reference/kafka/provenance_info.md b/content/chainguard/chainguard-images/reference/kafka/provenance_info.md index 1199f14d19..5960f04a9a 100644 --- a/content/chainguard/chainguard-images/reference/kafka/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kafka/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kafka Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kafka** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kafka | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kafka | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kafka i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kafka image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kafka image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kafka + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kafka ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kafka/tags_history.md b/content/chainguard/chainguard-images/reference/kafka/tags_history.md index 6f2473b8d9..d8d83bb458 100644 --- a/content/chainguard/chainguard-images/reference/kafka/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kafka/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kafka Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:52e4054603175bc75fdb30bd02cb4ead66ec27a87d093212d50af669666c3a35` | -| `latest-dev` | November 29th | `sha256:56e0381ddac4cc7abbd2c827bf6a2bbf5f30cb97cd3348b82a9afa3664b0dd1d` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:42216801100b9180b4b9688a91f1a214268f90d75b5089472adf41fe40454a60` | +| `latest` | December 6th | `sha256:2b2cbdaa8d856d8c40c74dfe2a2009dc0c900df615b54c33d696deea52cbf9d8` | diff --git a/content/chainguard/chainguard-images/reference/karpenter/provenance_info.md b/content/chainguard/chainguard-images/reference/karpenter/provenance_info.md index 99d5420851..eb1276773b 100644 --- a/content/chainguard/chainguard-images/reference/karpenter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/karpenter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for karpenter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **karpenter** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/karpenter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/karpenter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the karpent | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the karpenter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the karpenter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/karpenter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/karpenter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/karpenter/tags_history.md b/content/chainguard/chainguard-images/reference/karpenter/tags_history.md index 29fbccbc32..6fe25b7cbd 100644 --- a/content/chainguard/chainguard-images/reference/karpenter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/karpenter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the karpenter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:a9224368a8f1c80084dcf691f2c18ceb59df0c2be394105ac717954050a76990` | -| `latest-dev` | November 29th | `sha256:2d89e6ad00e2a3688f84ea32148727dc3745875c302344af3a80da5cf8bec201` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:6c99fbde89d68d9147e5b20feffffca64af9cf9690adbd240c42ddd69cacd806` | +| `latest` | December 6th | `sha256:13e79abaf3f1ff98658e34df1fb262746309149124ae26bb0b1c32c3522c8212` | diff --git a/content/chainguard/chainguard-images/reference/keda-adapter/provenance_info.md b/content/chainguard/chainguard-images/reference/keda-adapter/provenance_info.md index 03bd175040..291ed1b649 100644 --- a/content/chainguard/chainguard-images/reference/keda-adapter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/keda-adapter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for keda-adapter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **keda-adapter** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/keda-adapter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/keda-adapter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the keda-ad | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda-adapter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda-adapter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/keda-adapter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/keda-adapter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/keda-adapter/tags_history.md b/content/chainguard/chainguard-images/reference/keda-adapter/tags_history.md index 15e2fff5d7..a75f89d3c8 100644 --- a/content/chainguard/chainguard-images/reference/keda-adapter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/keda-adapter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the keda-adapter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:87cb0731bdf1cf5118a6266524048cc44438b46f3c6e14b0d7b5c9924a8cb4c0` | -| `latest` | November 29th | `sha256:48310f3308306053c706cda3f111ed6d3d3200ef499b625d6fd463fe9f4970f2` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:1d2f8ce878550ba9ea7f18bf01a235f02bbddb22df286bf148a1a34d5e8fb1d4` | +| `latest` | December 6th | `sha256:de4005f8264826444d9aafcff6922e313200e8bcfea2e9a81f252e8430d8eb07` | diff --git a/content/chainguard/chainguard-images/reference/keda-admission-webhooks/provenance_info.md b/content/chainguard/chainguard-images/reference/keda-admission-webhooks/provenance_info.md index 4f8cb7e769..acd6dd80b4 100644 --- a/content/chainguard/chainguard-images/reference/keda-admission-webhooks/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/keda-admission-webhooks/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for keda-admission-webhooks Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **keda-admission-webhooks** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/keda-admission-webhooks | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/keda-admission-webhooks | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the keda-ad | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda-admission-webhooks image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda-admission-webhooks image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/keda-admission-webhooks + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/keda-admission-webhooks ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/keda-admission-webhooks/tags_history.md b/content/chainguard/chainguard-images/reference/keda-admission-webhooks/tags_history.md index e44be9cbfc..f750224c01 100644 --- a/content/chainguard/chainguard-images/reference/keda-admission-webhooks/tags_history.md +++ b/content/chainguard/chainguard-images/reference/keda-admission-webhooks/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the keda-admission-webhooks Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2054698eb27d1329280f8b1f2904770a3a09cc68f250fc3b53e2259a62070309` | -| `latest-dev` | November 29th | `sha256:23d82a13a01136a0328f90b755cceed6e3a89c19a8ef2b6c197b65a746c09856` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1558c52760b7292dc02113ed4fde1d8fb58c419181d3bd7c5853b102150aeee8` | +| `latest-dev` | December 6th | `sha256:b65aa386c195b9906608cd0ae391d367838ef0511ec5247b3a4d23d2713496b1` | diff --git a/content/chainguard/chainguard-images/reference/keda/provenance_info.md b/content/chainguard/chainguard-images/reference/keda/provenance_info.md index 3fdf3971d4..9f7afe8349 100644 --- a/content/chainguard/chainguard-images/reference/keda/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/keda/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for keda Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **keda** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/keda | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/keda | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the keda im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keda image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/keda + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/keda ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/keda/tags_history.md b/content/chainguard/chainguard-images/reference/keda/tags_history.md index fbde2974c5..a79313ea5f 100644 --- a/content/chainguard/chainguard-images/reference/keda/tags_history.md +++ b/content/chainguard/chainguard-images/reference/keda/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the keda Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:52ce0d411e10818b6a8290ecbf9a983119712e5bf19afa8815259bdf00b8d6a4` | -| `latest` | November 29th | `sha256:e87108663c65c58336da58458f31ab044b55c1d54130d9672c389c45eefa1235` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:5a7b6dd885f92dbcd3ba682b1de86fbdf8cc2517d9a7d78bd3c5a4d4e9629069` | +| `latest` | December 6th | `sha256:7000f69155a78ad9c0bb7c8f0bd03d4694b7fd090cd6326c7cfc7980e6207df3` | diff --git a/content/chainguard/chainguard-images/reference/keycloak/provenance_info.md b/content/chainguard/chainguard-images/reference/keycloak/provenance_info.md index df87147a75..9cb8302f4e 100644 --- a/content/chainguard/chainguard-images/reference/keycloak/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/keycloak/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for keycloak Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **keycloak** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/keycloak | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/keycloak | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the keycloa | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keycloak image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the keycloak image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/keycloak + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/keycloak ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/keycloak/tags_history.md b/content/chainguard/chainguard-images/reference/keycloak/tags_history.md index a8cc3c234a..d1916d866f 100644 --- a/content/chainguard/chainguard-images/reference/keycloak/tags_history.md +++ b/content/chainguard/chainguard-images/reference/keycloak/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the keycloak Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:018ca71835f40fde96ed0a85f62172eaaac834a56dac5bf3090f45c43c50548a` | -| `latest-dev` | November 29th | `sha256:daf49cc9a153ab7603cc6247a6a032498c26c8ff1b4e9c2ad60c21e77e235c05` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:c38c4d70abe74a83e1849d7c9d289c963499f3a13188000260ca8741074f3390` | +| `latest` | December 6th | `sha256:20cc66328547e1f8c7504308f4b135ea8224950ee84e935a3e18eedb222e4c3b` | diff --git a/content/chainguard/chainguard-images/reference/ko/provenance_info.md b/content/chainguard/chainguard-images/reference/ko/provenance_info.md index 4b94071205..a6f33fa7b2 100644 --- a/content/chainguard/chainguard-images/reference/ko/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ko/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for ko Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **ko** Chainguard Images are signed using Sigstore, and you can check the in The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/ko | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ko | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the ko imag | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ko image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ko image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/ko + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ko ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ko/tags_history.md b/content/chainguard/chainguard-images/reference/ko/tags_history.md index bcce568d00..0b2fc0f84c 100644 --- a/content/chainguard/chainguard-images/reference/ko/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ko/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the ko Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:0622559c2d74b77f54bb889a6742212e01bbf8f8342c6e88f8c328cefa0ee376` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:695d35641d7fc935d5a0c397c0dcfdb160fc2fa5c4af5b31b9f9e7b8ef903d84` | diff --git a/content/chainguard/chainguard-images/reference/kor/provenance_info.md b/content/chainguard/chainguard-images/reference/kor/provenance_info.md index a4f75a7b82..2bfe1cf2f4 100644 --- a/content/chainguard/chainguard-images/reference/kor/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kor/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kor Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kor** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kor | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kor | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kor ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kor image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kor image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kor + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kor ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kor/tags_history.md b/content/chainguard/chainguard-images/reference/kor/tags_history.md index e4f2e8eeee..cb5bb717aa 100644 --- a/content/chainguard/chainguard-images/reference/kor/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kor/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kor Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:f85fe808307588be64f4d96fb7cddac927a5c68fb8e29b584dbd88070f1a70fb` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1c70fe9d3e2aee75e14d99f9fb4d677074793f34d1f56eba193b85afb057b59c` | diff --git a/content/chainguard/chainguard-images/reference/kube-bench/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-bench/provenance_info.md index f4f0d5f340..8baf377698 100644 --- a/content/chainguard/chainguard-images/reference/kube-bench/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-bench/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kube-bench Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kube-bench** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kube-bench | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-bench | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kube-be | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-bench image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-bench image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kube-bench + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-bench ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kube-bench/tags_history.md b/content/chainguard/chainguard-images/reference/kube-bench/tags_history.md index d380db0d82..aee0356dbc 100644 --- a/content/chainguard/chainguard-images/reference/kube-bench/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kube-bench/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kube-bench Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:6373e7d5eff6cee43b2dc11cc8302b896169ac682a65d91b21fb1bb9842f8b6f` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:d9bf3615a85660b8d8fe00eac8e0551f9562e26d4ce19fd35cfd6a530b3b6725` | diff --git a/content/chainguard/chainguard-images/reference/kube-downscaler/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-downscaler/provenance_info.md index d0be9bd267..3280c2385a 100644 --- a/content/chainguard/chainguard-images/reference/kube-downscaler/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-downscaler/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kube-downscaler Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kube-downscaler** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kube-downscaler | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-downscaler | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kube-do | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-downscaler image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-downscaler image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kube-downscaler + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-downscaler ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kube-downscaler/tags_history.md b/content/chainguard/chainguard-images/reference/kube-downscaler/tags_history.md index 5e31939d9d..5dc4880fd0 100644 --- a/content/chainguard/chainguard-images/reference/kube-downscaler/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kube-downscaler/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kube-downscaler Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:3e3a3d787f583546b051e74900a52be2b744f600fd9b940b69755d671bf0185a` | -| `latest` | November 29th | `sha256:b42fe0a6d6d2291472cb218b94fb37329be0eb9f4caf77b460e6987d78c89411` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:2b323276c4fa23226e01af9e33a6179bcd5433b34ac50a985d4e9ac84cda0068` | +| `latest` | December 6th | `sha256:7da238b0a91d225d5916143d699c20f7bd95740d8dc3efca00d8b633bcd6cf20` | diff --git a/content/chainguard/chainguard-images/reference/kube-fluentd-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-fluentd-operator/provenance_info.md index 67408caa65..039cdec4dd 100644 --- a/content/chainguard/chainguard-images/reference/kube-fluentd-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-fluentd-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kube-fluentd-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kube-fluentd-operator** Chainguard Images are signed using Sigstore, and y The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kube-fluentd-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-fluentd-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kube-fl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-fluentd-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-fluentd-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kube-fluentd-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-fluentd-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kube-fluentd-operator/tags_history.md b/content/chainguard/chainguard-images/reference/kube-fluentd-operator/tags_history.md index 4c0fd944af..3ac69fa550 100644 --- a/content/chainguard/chainguard-images/reference/kube-fluentd-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kube-fluentd-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kube-fluentd-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4fe057c32b4b30b56fc41ae8e9acce31769efc657731bf98dc1d677131f094b3` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:5a9e1e2b5b92662f4dad402eba3eb5afd70b5a23f2d06dcdcc4dfec19aeb1a28` | diff --git a/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/provenance_info.md index 59b2af2b50..0506cb6792 100644 --- a/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kube-logging-operator-fluentd Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kube-logging-operator-fluentd** Chainguard Images are signed using Sigstor The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kube-logging-operator-fluentd | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-logging-operator-fluentd | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kube-lo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-logging-operator-fluentd image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-logging-operator-fluentd image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kube-logging-operator-fluentd + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-logging-operator-fluentd ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/tags_history.md b/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/tags_history.md index a625e1285e..ed790adae3 100644 --- a/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kube-logging-operator-fluentd/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kube-logging-operator-fluentd Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3ae58bb4be323fd58050f130ac892eae8e7220f2e9a1f183654d1fc7136498dd` | -| `latest-dev` | November 29th | `sha256:014a7475ff3b2184e123cade09344c7f5d5378a549f0e035bd8587bd3908b749` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:76039832849bfa42c3a1b358d5073fe940111f5e4fd834de8fbd973f0a9c0348` | +| `latest` | December 6th | `sha256:4ca4d3e88333f844d5fe0ceb88e1782bc6929aafa557914dd236b3180deac54b` | diff --git a/content/chainguard/chainguard-images/reference/kube-logging-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-logging-operator/provenance_info.md index 22a55472d7..20b449aaa7 100644 --- a/content/chainguard/chainguard-images/reference/kube-logging-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-logging-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kube-logging-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kube-logging-operator** Chainguard Images are signed using Sigstore, and y The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kube-logging-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-logging-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kube-lo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-logging-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-logging-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kube-logging-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-logging-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kube-logging-operator/tags_history.md b/content/chainguard/chainguard-images/reference/kube-logging-operator/tags_history.md index 0a8c7b8593..e6a607e332 100644 --- a/content/chainguard/chainguard-images/reference/kube-logging-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kube-logging-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kube-logging-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2d41601dbdbd4c7bba1e7c270d69ddef06d15c1efedf23b0fd3736461f510757` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:87e7282429b1fdba18d505d9be279db74f4e132d4b8e6480e7350aa6635327c3` | diff --git a/content/chainguard/chainguard-images/reference/kube-state-metrics/provenance_info.md b/content/chainguard/chainguard-images/reference/kube-state-metrics/provenance_info.md index a318e31e52..0258dc205a 100644 --- a/content/chainguard/chainguard-images/reference/kube-state-metrics/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kube-state-metrics/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kube-state-metrics Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kube-state-metrics** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kube-state-metrics | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-state-metrics | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kube-st | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-state-metrics image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kube-state-metrics image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kube-state-metrics + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kube-state-metrics ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kube-state-metrics/tags_history.md b/content/chainguard/chainguard-images/reference/kube-state-metrics/tags_history.md index c165052a77..dcee9fd0da 100644 --- a/content/chainguard/chainguard-images/reference/kube-state-metrics/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kube-state-metrics/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kube-state-metrics Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d49dfa49e0bc8f73978b982336029fdf152e4aa3e90ee9f1fbb5e5dbc89ec134` | -| `latest-dev` | November 29th | `sha256:b9afc81094d42d436baa30cd7503703ad0864529690f20ccec8c0d566128ad9d` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:8a36847ab0021cc8ec8099e4536618adc3be8dba16cd7398b01ff25a8e5d77a2` | +| `latest` | December 6th | `sha256:00eccdc47c8e7412c7c42bc459c9ef7f846dcbd6d2c45e33f974a48d5e89901e` | diff --git a/content/chainguard/chainguard-images/reference/kubectl/image_specs.md b/content/chainguard/chainguard-images/reference/kubectl/image_specs.md index dca2affb43..f7ae6868cc 100644 --- a/content/chainguard/chainguard-images/reference/kubectl/image_specs.md +++ b/content/chainguard/chainguard-images/reference/kubectl/image_specs.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Detailed information about the public kubectl Chainguard Image variants" date: 2023-03-07T11:07:52+02:00 -lastmod: 2023-03-07T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -54,6 +54,7 @@ The table shows package distribution across variants. | `glibc-locale-posix` | X | | | `kubectl-1.28` | X | X | | `kubectl-1.28-default` | X | X | +| `kustomize` | X | | | `ld-linux` | X | | | `libbrotlicommon1` | X | | | `libbrotlidec1` | X | | diff --git a/content/chainguard/chainguard-images/reference/kubectl/provenance_info.md b/content/chainguard/chainguard-images/reference/kubectl/provenance_info.md index 77e615801c..a8c9e84223 100644 --- a/content/chainguard/chainguard-images/reference/kubectl/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubectl/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubectl Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubectl** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubectl | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubectl | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubectl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubectl image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubectl image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubectl + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubectl ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubectl/tags_history.md b/content/chainguard/chainguard-images/reference/kubectl/tags_history.md index df636e6a91..ebdc86fddc 100644 --- a/content/chainguard/chainguard-images/reference/kubectl/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubectl/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubectl Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4aeb1bf76afa557037534adb85a4b2eccbded8ed474556ac766fa6cff8d5b901` | -| `latest-dev` | November 29th | `sha256:5a202d11e75494ddf8694b164b78f682ad0e06f5722fbe80b1fa68e54884ca04` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 5th | `sha256:fb99b4e0b7e6f08eeba20041f356f2bfefd0c140e19126b1f58389a9153c4b41` | +| `latest-dev` | December 5th | `sha256:75fc550ed3736e718e8b657e8c61e67c6924120068f86d540ff12ad405d3f5ee` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/provenance_info.md index 8143c1a376..b545640b8e 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-jupyter-web-app Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-jupyter-web-app** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-jupyter-web-app | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-jupyter-web-app | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-jupyter-web-app image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-jupyter-web-app image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-jupyter-web-app + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-jupyter-web-app ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/tags_history.md index 3a9bfd4b22..b0cdd52cdc 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-jupyter-web-app/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-jupyter-web-app Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:a3791c58b71445b75104b363d4f60e19d8cb031ee4560c2dcee82f51f3034840` | -| `latest-dev` | November 29th | `sha256:0f18cc8ec3d99d84411878f7f8e1bb4bbbc4c0b637ca68a4b63befc5fbb87586` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:a4dd8c86c923649169f6adf8ad7da9bb55a479364a92bd323015f53291a4e351` | +| `latest-dev` | December 6th | `sha256:a99a288f72041eedf3a6851700a745b5cfb754a4de83e570f65bf859bac18e63` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/provenance_info.md index e4848558a0..175451063e 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-controller** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/tags_history.md index b0a92dc31b..4bca3c90d2 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3f51f2d1da54db17f90729c448ee4e87dc51219fd833294886e6d10936a1043b` | -| `latest-dev` | November 29th | `sha256:1e5014eeab4f7a567d40dc6fe19dfa6c825c39d2248c583d20db87302396b72c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:02fbc03287ec0aba4bbd787e850426cfc0d87211517c2e12487749f20cb723a6` | +| `latest` | December 6th | `sha256:72db0cb62c064fca678eee67d78eb0ded261ee487fda069ffc7b294c2f375354` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/provenance_info.md index 63f0c6337a..5c8ba09bb7 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-db-manager Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-db-manager** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-db-manager | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-db-manager | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-db-manager image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-db-manager image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-db-manager + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-db-manager ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/tags_history.md index 9829255cc0..9b4c865566 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-db-manager/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-db-manager Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:51ea51a75cd39fcc480de29fd9dae72b15bafb84bf373cb0a131fa5b582608aa` | -| `latest` | November 29th | `sha256:6135391d0841a79c0ded89e4dc79f615fde975505e3c312526cd9f949d854922` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:29e4c9fdf42b0f6b85130ecfaf543bf86eaa5a6d59c0b4c0235c658c0f334773` | +| `latest` | December 6th | `sha256:84d9d0983020b1ed8a2e497d611fb2a3b807e0fb1b999acd67b42c53ae6bc55e` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/provenance_info.md index 374658c6c6..76e2f1d234 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-earlystopping-medianstop Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-earlystopping-medianstop** Chainguard Images are signed usi The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-earlystopping-medianstop image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-earlystopping-medianstop image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-earlystopping-medianstop ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/tags_history.md index 906481384d..a25876281e 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-earlystopping-medianstop/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-earlystopping-medianstop Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:c6f56f433a865a37b8d40aedd984a62bd0dd222d5287c1d80966f442df9346c0` | -| `latest` | November 29th | `sha256:818c3e582d37ac1609fceb65f97fd29dcc54c5b88ee8c4bf8c93d35088b0ff47` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:2a85a1a009b0512d3368ffc9dcd3994376a34f180e2b304267d4195c427a55e0` | +| `latest-dev` | December 6th | `sha256:d6a92ba22121aa55513a11f85900cbb91a068cb228edeb2ab5b458cf4942207e` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/provenance_info.md index 03095c3595..1324ef9ab6 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-file-metrics-collector Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-file-metrics-collector** Chainguard Images are signed using The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-file-metrics-collector | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-file-metrics-collector | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-file-metrics-collector image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-file-metrics-collector image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-file-metrics-collector + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-file-metrics-collector ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/tags_history.md index 4b2bd6cb54..c92affa2d3 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-file-metrics-collector/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-file-metrics-collector Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:70c0018057dcf19b184c9917e2425dfa8a31f5a7d8132382b2c692b02e25cb4a` | -| `latest-dev` | November 29th | `sha256:d29a2b568ce4df8868e1d838a2bf916d3c52c157e89faccb18e3f910db42cfbe` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f6b3449d14acf02b1741eafe2c3fc55d12311952db94058e3d785b50198cf06e` | +| `latest-dev` | December 6th | `sha256:69bc83d3b6421c691bb6697eb2edc5c63f0a0a40105c2fcdbf0bb40fcedba41c` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/provenance_info.md index 6200a82a58..5b46adb6f8 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-suggestion-darts Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-suggestion-darts** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-suggestion-darts | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-darts | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-darts image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-darts image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-suggestion-darts + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-darts ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/tags_history.md index e1d7e6ba89..d99fe681ca 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-darts/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-suggestion-darts Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c0650174a5a837ead2e6504fd4eaeb80533dccbfb8d39fac7e82dbd59831324a` | -| `latest-dev` | November 29th | `sha256:dd2bdb68559efaa2f143e7d6e5769e43fc260a0e0e09e39380fa2323187919db` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:b0398075402ebb4ed55ed5648eed1a3dcb225e120a38811da3ac872e6bff119f` | +| `latest` | December 6th | `sha256:cd12cc9bd1c0001e9b30c29590eee3c7660a8406a2a23fccdeb21333973ae43d` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/provenance_info.md index a82aa6cf0e..61f18d33b1 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-suggestion-goptuna Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-suggestion-goptuna** Chainguard Images are signed using Sig The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-goptuna image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-goptuna image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-goptuna ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/tags_history.md index 4497c931f8..d1a6b1fdec 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-goptuna/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-suggestion-goptuna Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:b13a6652c8c58b44632fd1cc0d267f4f90e6d15f7ee4001f5b0eeb4fda89b986` | -| `latest-dev` | November 29th | `sha256:30ad79ebd844ddf9683a1c6ad39a2395b796adbabbbb72ec94700065a6854b0c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:bb91fad08266adf01e05b2722ddd39f556eae89609a44fad43b57baba5b30241` | +| `latest-dev` | December 6th | `sha256:17679812735115bcd43af844ec2c8933e0857141753d8312d70285959db5e908` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/provenance_info.md index 130560d024..4b388fd017 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-suggestion-hyperband Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-suggestion-hyperband** Chainguard Images are signed using S The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-hyperband image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-hyperband image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-hyperband ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/tags_history.md index d77f4824c8..c10df35052 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperband/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-suggestion-hyperband Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:5e4ed07c65eebfd2dac277a9f52859a98c5de7dd8064edceee2b952168eb2394` | -| `latest` | November 29th | `sha256:021698a905f29b077de8c71551f926692cc092de9684a059798af8be10011181` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:b822c6c43cc65b53f56218d96176c460b44d115176620dfdf16f040ffb251a0c` | +| `latest-dev` | December 6th | `sha256:eba882c1dc2e6659ad26bb82ff670433fb4796796ad6036dd7d214976a994e9d` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/provenance_info.md index 0f9e3bf558..3ee4da46fc 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-suggestion-hyperopt Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-suggestion-hyperopt** Chainguard Images are signed using Si The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-hyperopt image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-hyperopt image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-hyperopt ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/tags_history.md index 8bcada2e22..f4fbca6383 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-hyperopt/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-suggestion-hyperopt Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d42af6dd445affb6d4c1c296df5f67f7ff79ba60027a31740d341844dd13cde8` | -| `latest-dev` | November 29th | `sha256:a92c594d9cba552ac3d1c73ec1b0cdd6760bad7281871d634b2fac22da1ea6a8` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:37f28af50b72d3c899cbf35302366dcc34fbb65424a3b06caabb18d2098f12b4` | +| `latest-dev` | December 6th | `sha256:44fa13bebf227eafaf76cf439de2390aa383941b847dd6cbd1f7e652b7639e8a` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/provenance_info.md index af8d64f110..2a77400314 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-suggestion-optuna Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-suggestion-optuna** Chainguard Images are signed using Sigs The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-suggestion-optuna | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-optuna | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-optuna image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-optuna image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-suggestion-optuna + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-optuna ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/tags_history.md index f47c5e0373..996de80abd 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-optuna/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-suggestion-optuna Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:d26249e7907e67e7c1b17bb0eb58a82398a98f421dabed67eafd040d6a68b85e` | -| `latest` | November 29th | `sha256:7f4f50756a1d33650d40704fa9f8d79790178b9cdf970144f62571bbd47adbc1` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:61192112ad26552811f11c095fb481c7eca3c9b14a893f547f260a2d9e4cce24` | +| `latest` | December 6th | `sha256:b99f6c476a064eee92a0ec7dd78c1d471099de779012377eb017caa227031458` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/provenance_info.md index e218fc2c4a..a7147ebc07 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-suggestion-pbt Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-suggestion-pbt** Chainguard Images are signed using Sigstor The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-suggestion-pbt | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-pbt | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-pbt image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-pbt image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-suggestion-pbt + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-pbt ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/tags_history.md index 0a87e219de..49ae07157d 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-pbt/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-suggestion-pbt Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:42f8bd17300e1681a77fdbf8be62fcf2b4dcc6f7bd2062405f976c8016f8f95a` | -| `latest-dev` | November 29th | `sha256:358cc99d7ac8f7dfd382f54ce73dfacb28c8ca3dfb88da5ebe688d406e1187ff` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:4043930ae5e7b27cb2a7639ffe86903d83fb0dd931e80d8df3f3917ddf262cec` | +| `latest` | December 6th | `sha256:87d80ce6f7670107a36e370e6a68df6cda08385abfb865f8beb838ee485dec50` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/provenance_info.md index c82e4f3603..3053199715 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-katib-suggestion-skopt Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-katib-suggestion-skopt** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-katib-suggestion-skopt | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-skopt | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-skopt image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-katib-suggestion-skopt image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-katib-suggestion-skopt + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-katib-suggestion-skopt ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/tags_history.md index ffa6edde38..e748652ae2 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-katib-suggestion-skopt/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-katib-suggestion-skopt Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:7954149764d6bbf9135af8e400182fdfee9f098730ab063548dc7f5bb35ca848` | -| `latest` | November 29th | `sha256:9de8dbec27441afea43a84bc991f40ed9d8e68521bde052ed407d1d2eb7cafed` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:75cdd855aff8472110752f423f7b66088fdce032a1cd980314726ea42c16df51` | +| `latest` | December 6th | `sha256:c36612963ad1e7166ca41a0b7ceaa4766d4fdd80a86ea0c940b4c2e95f3126df` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/provenance_info.md index 83ae164bda..4519c8ba65 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-pipelines-api-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-pipelines-api-server** Chainguard Images are signed using Sigstor The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-pipelines-api-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-api-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-api-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-api-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-pipelines-api-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-api-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/tags_history.md index e09733e690..dd2930445e 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-api-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-pipelines-api-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:87386439b971c23e59c16dbbf49b7f6470f9bd7a6046d8ee54c14a9af3641bef` | -| `latest-dev` | November 29th | `sha256:c2e1bc18f9ce46174bd060962e9e34e4942644567a83a09d9ed791526f823978` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:3c51d9ec4c18c0fba9bfbdefd0fb77738ae86a0b107cbb7e638de17dc3e20c70` | +| `latest-dev` | December 6th | `sha256:b5f3b96c805773df01ce8c3552c98f3df6f12b628c0c1d8a490e73a59fb5e7e4` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/provenance_info.md index 3ce0d081a7..acf05bb263 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-pipelines-cache-deployer Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-pipelines-cache-deployer** Chainguard Images are signed using Sig The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-pipelines-cache-deployer | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-cache-deployer | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-cache-deployer image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-cache-deployer image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-pipelines-cache-deployer + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-cache-deployer ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/tags_history.md index e402e48324..bdd6219ed1 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-deployer/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-pipelines-cache-deployer Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:f8390acdff755e60e755e44b645b45f50f45642e57f279519f959eae2cf4538e` | -| `latest` | November 29th | `sha256:2ca085d6bbea08358aa4b5fdd4912f76bd9cb1f85f234769f1a1942fe70d332d` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:9ac82de539958aaf3dd285d89d79d581dafbafeedee50a592de24ce50b5f7d0b` | +| `latest-dev` | December 6th | `sha256:5b847b2cf742020d229be6b20ce7e16f1cffdba76c9c0bd05237690f47e4c3c9` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/provenance_info.md index 00ab96df5d..b957309c9c 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-pipelines-cache-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-pipelines-cache-server** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-pipelines-cache-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-cache-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-cache-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-cache-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-pipelines-cache-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-cache-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/tags_history.md index 5225fddccf..d91981a629 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-cache-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-pipelines-cache-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c5720395f751090b095774385dd1443422eff41de8fb94e3822155e0d48e7594` | -| `latest-dev` | November 29th | `sha256:2ef84a3de3b03f4fd2aa521205a50653127bb14918e8fed03c5a8d70d8cee0ed` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:256609d10da78a7d724dfd0020373f6c5d3ddd923fafdd3c33da5c3eeb7205be` | +| `latest` | December 6th | `sha256:168ab11a511cd084d0bf2e94fd68fd18f9e87998dfd2896ebecab061762f0da0` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-frontend/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-frontend/provenance_info.md index ba9263604f..89bd108700 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-frontend/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-frontend/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-pipelines-frontend Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-pipelines-frontend** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-pipelines-frontend | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-frontend | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-frontend image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-frontend image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-pipelines-frontend + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-frontend ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-frontend/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-frontend/tags_history.md index 253b900e3c..4348ba0add 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-frontend/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-frontend/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-pipelines-frontend Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:bca703b9d4c8f3de540763829c55af8edf1daa2a7fec066594e8d5c0e3508504` | -| `latest-dev` | November 29th | `sha256:9e45b039cac95b7b17028a723db694ffefb5c4d642a8ec32be511c9d92e7ceba` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f20b3a62152f68fd6e40c7f9b051ea386be61106660e66b16bc25d9e685dc895` | +| `latest-dev` | December 6th | `sha256:8e9741cc2fef63d188ecaa740be349cb3e11f6f72d1cd58d5eff902033d3d352` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/provenance_info.md index 9a69b540fd..ae9f04ea9d 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-pipelines-metadata-writer Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-pipelines-metadata-writer** Chainguard Images are signed using Si The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-pipelines-metadata-writer | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-metadata-writer | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-metadata-writer image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-metadata-writer image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-pipelines-metadata-writer + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-metadata-writer ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/tags_history.md index 4f182421bc..84b38208e9 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-metadata-writer/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-pipelines-metadata-writer Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:292192b686d307fe58574c7918c49c05fb11722b634722e2959d3dfef57908b1` | -| `latest` | November 29th | `sha256:4db757933bcf8dfea7a1f1004c93989a6f123abc9df281508f6a55ee05d37419` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1ead6e83732f92193110395d222321ca8ddd4bef349978da4c1a94b905140af5` | +| `latest-dev` | December 6th | `sha256:df8c0121b08bfd9f7b414e683868875185edb26fe01909321e540550596eff5b` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/provenance_info.md index e028911c52..0dea7d9bd9 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-pipelines-persistenceagent Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-pipelines-persistenceagent** Chainguard Images are signed using S The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-pipelines-persistenceagent | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-persistenceagent | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-persistenceagent image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-persistenceagent image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-pipelines-persistenceagent + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-persistenceagent ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/tags_history.md index 650bc7c11d..e7dc3d9a3d 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-persistenceagent/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-pipelines-persistenceagent Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:873ca0c6d4e346fc045c8a8b711a90ca6e28a5828981d7e04b5f50084d6607d7` | -| `latest-dev` | November 29th | `sha256:dbb4c386a3f2eb8b428b6e09c34da52fc885916f2fb8d039db93370fbaa187e7` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:1e02a68807fba8c61dcb0184949f3bf073bbb6dd427adcb99be2623ebcbe1bf0` | +| `latest` | December 6th | `sha256:c7f6579003aa0f6b9a19d2c347dbf20ace791d36309e1a6091a7ca0fc036f9d3` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/provenance_info.md index f6752c7d2e..1beb40d1fb 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-pipelines-scheduledworkflow Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-pipelines-scheduledworkflow** Chainguard Images are signed using The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-scheduledworkflow image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-scheduledworkflow image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-scheduledworkflow ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/tags_history.md index 08c05dc723..3cdcbde1ef 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-scheduledworkflow/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-pipelines-scheduledworkflow Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:ce80bb7262b0d315cf3467dd12c0da65d307edd052cfb667888cff7eeae852d6` | -| `latest` | November 29th | `sha256:8f0455e742df5421a5324f29675596ff0856bbb62af37a921103915a223c8d5c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:6ce97aa3968a602bbe47bfb439b58b02b41cdf0412f3a250d7292d337de0320d` | +| `latest-dev` | December 6th | `sha256:23e0b8ddb310de85394546f057480a762656c797561ce95a15983b8a0caffb07` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/provenance_info.md index 95471a54c1..7ca4522bd8 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-pipelines-viewer-crd-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-pipelines-viewer-crd-controller** Chainguard Images are signed us The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-viewer-crd-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-pipelines-viewer-crd-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-pipelines-viewer-crd-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/tags_history.md index 519cfbd0cb..69510d7fc4 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-pipelines-viewer-crd-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-pipelines-viewer-crd-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2e27bba0438a617dadd93d353f1d008713bca82a9c45f7861ea08980a82ae0e4` | -| `latest-dev` | November 29th | `sha256:9cc3ce71fc305dbc379b1083ab34c6f9939545eb712df2581a5e263bf07e570a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:ea51853d3d72382529206d1c856710f2493fb81f1f1fd45d77d1e529a0a68349` | +| `latest-dev` | December 6th | `sha256:0536897bffb3688597de3900e69a69bc2771b732b360fe062365361375ee42ea` | diff --git a/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/provenance_info.md b/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/provenance_info.md index c24a219b15..d3661229f4 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubeflow-volumes-web-app Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubeflow-volumes-web-app** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubeflow-volumes-web-app | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-volumes-web-app | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubeflo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-volumes-web-app image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubeflow-volumes-web-app image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubeflow-volumes-web-app + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubeflow-volumes-web-app ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/tags_history.md b/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/tags_history.md index 90a221fd34..aa194afbe3 100644 --- a/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubeflow-volumes-web-app/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubeflow-volumes-web-app Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:990a42dedd8a1f3d4173465ff19bacedf6cce5484d7c0adf866ac9cba6d1919b` | -| `latest-dev` | November 29th | `sha256:06cd7925eb5141e0c61f66fb993bc9d0de21c353585dbdefa33a3a6aa1c8a5d8` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:fca86d690d33d88f94a240fb52c48a2e0ee7efe5ebc8f0bcc8aff5ee08a7d9f8` | +| `latest-dev` | December 6th | `sha256:4bf296da4e131b0e32e4ff77ca17cadb0e278c047982ba4a9159431d02d061f6` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/provenance_info.md index dc3ddb6c53..4e8276c64c 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-csi-external-attacher Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-csi-external-attacher** Chainguard Images are signed using Sigs The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-csi-external-attacher | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-attacher | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-attacher image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-attacher image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-csi-external-attacher + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-attacher ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/tags_history.md index 7d3e542fef..075a64487f 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-attacher/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-csi-external-attacher Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:8e77ed6a6eaf1a82eebf351a83ceaed2b4dd1db19829ff9446f79fffd35d7b0a` | -| `latest-dev` | November 29th | `sha256:38e3f19dd3b0b3bf235af30be68314ab3536c21c8ad494813ca0d0653f5b51cc` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:ba2288f09cb159c6707f0c95cae8eff41bd71ce01fa7ac2c037a0a4d5f628e8f` | +| `latest-dev` | December 6th | `sha256:16d7b7503c3a6d70dc9c296e9918c0792d3b9d61d2084baa0f4bbfc63dbb177a` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/provenance_info.md index 1a66c2692b..a9910cff43 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-csi-external-provisioner Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-csi-external-provisioner** Chainguard Images are signed using S The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-csi-external-provisioner | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-provisioner | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-provisioner image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-provisioner image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-csi-external-provisioner + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-provisioner ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/tags_history.md index 25c38ccbb8..18f23b4876 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-provisioner/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-csi-external-provisioner Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:38aeb17690f491c899b48accfff19294bffda6fbc90ece7575e4d2e6e61c4f0c` | -| `latest` | November 29th | `sha256:5dd2fbce03f6eef4c80db9ff4ab5f0d44a6f37240eb63434e31e05522029edda` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:20ea98561c3b529f612bff7e67ca3874e92003265e421f40f7912fd0dfd57931` | +| `latest` | December 6th | `sha256:b9bd84d435d99ed4e67e5dff15868eeee902839d0ae0fd101f6f4f410a3fe1e3` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/provenance_info.md index 8637abd0f5..98b8ca8876 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-csi-external-resizer Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-csi-external-resizer** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-csi-external-resizer | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-resizer | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-resizer image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-resizer image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-csi-external-resizer + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-resizer ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/tags_history.md index 9a21b9b563..a04c436238 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-resizer/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-csi-external-resizer Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:317724ac848dce4849e97db092889e3f4710639a00f3907d4ef88bf4e27d98ee` | -| `latest` | November 29th | `sha256:da34fed0e0e60445ba1cb0a97db95ed6c0c4ee3c63f57053dd8a6dc9d3d15a4e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:d67d414423c99d26e4812745ed6002a118e3668432b3a101bd84d7b092622562` | +| `latest` | December 6th | `sha256:1b8d0e251f36b793d507e2c944fea5d98efa9ddf2e995fe5c8c0b31ca7994485` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/provenance_info.md index 29d36f1fea..4097302557 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-csi-external-snapshot-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-csi-external-snapshot-controller** Chainguard Images are signed The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshot-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshot-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-snapshot-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/tags_history.md index 7c0bf19eeb..62d2a13955 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-csi-external-snapshot-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:18ae0e66f1672953f258e5c23163b095c2c43939e90c4a197fd002632a0ba3eb` | -| `latest-dev` | November 29th | `sha256:7c4bcdc2e5afd7360c51ab43757ae71c6a9ad1a7b4ca8d4721b618aba7e2fe95` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:d91f2d36e8624d6741e5bee58e77771fe7663db3071d24aab8088ed27a9fdb54` | +| `latest` | December 6th | `sha256:533a5e65962f16e2302b894654f63a59c7cd5087531025a57c94938c9e690590` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md index 040dc171c2..08593aa338 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-csi-external-snapshot-validation-webhook Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-csi-external-snapshot-validation-webhook** Chainguard Images ar The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshot-validation-webhook image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshot-validation-webhook image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-snapshot-validation-webhook ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/tags_history.md index f7930a05c0..ec1c393615 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshot-validation-webhook/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-csi-external-snapshot-validation-webhook Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d1e8805b1b7077cf3db863bcac372ee8f436d7e456520872f9e8a032dd432334` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:062d21e858f3d4c784fbf250c65d6ff9b465aa53df55325c4ba3241011b8a6ad` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/provenance_info.md index bfd34dc471..aadccdbc91 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-csi-external-snapshotter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-csi-external-snapshotter** Chainguard Images are signed using S The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-csi-external-snapshotter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-snapshotter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshotter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-external-snapshotter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-csi-external-snapshotter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-external-snapshotter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/tags_history.md index caf021268f..b14e305d9f 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-external-snapshotter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-csi-external-snapshotter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:7ec8674b8233d466de51847bc796a2d8cf6a180b82b337462616e2788ac25aff` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:2d3878de7877851abf46923e70c72c6c6f7988149a26bbf27d68841926e71a3f` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/provenance_info.md index 42b8539c7c..f611763f03 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-csi-livenessprobe Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-csi-livenessprobe** Chainguard Images are signed using Sigstore The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-csi-livenessprobe | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-livenessprobe | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-livenessprobe image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-livenessprobe image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-csi-livenessprobe + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-livenessprobe ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/tags_history.md index b2bfe4a43e..8d3369a4d8 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-livenessprobe/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-csi-livenessprobe Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:584570e5e80182beb8b1c189bcb91b5ad57d6fad482460f9d57bd8fa37347a1e` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:90beee8a3a48ad256f0bed35ca7eadd998ae0ac0e78707e9ccf4b8b5d9c1c067` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/provenance_info.md index 70be101a01..8f616797a2 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-csi-node-driver-registrar Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-csi-node-driver-registrar** Chainguard Images are signed using The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-csi-node-driver-registrar | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-node-driver-registrar | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-node-driver-registrar image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-csi-node-driver-registrar image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-csi-node-driver-registrar + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-csi-node-driver-registrar ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/tags_history.md index 434848233b..feb67cb321 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-csi-node-driver-registrar/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-csi-node-driver-registrar Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c70cbc9f8f0951c4958833ab9a6a2dcaba1f23b81d1914b38504ab594c7e614f` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:b9774462730c018235c270345c0920d5a8a516762d5815d339c54f64057e4e42` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-dashboard/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-dashboard/provenance_info.md index a9f768b899..8a4e164db1 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-dashboard/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-dashboard/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-dashboard Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-dashboard** Chainguard Images are signed using Sigstore, and yo The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-dashboard | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-dashboard | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-dashboard image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-dashboard image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-dashboard + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-dashboard ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-dashboard/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-dashboard/tags_history.md index 17f5be953a..7aa3c97af1 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-dashboard/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-dashboard/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-dashboard Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:67fa61d22497dbd6d2d3d95fea44d0d2b13aa7f2b113022ccd9e14b723b86e41` | -| `latest` | October 30th | `sha256:c53795eece96ef0f76601d52fe1b4ae651c4a37116d5a2f9d9e6ad15d4f420a9` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:0a06f0548051e6e972c505d032c26bc4b5126cef15b699fb4fea0a2888369c7a` | +| `latest-dev` | December 6th | `sha256:2b461a842916fe99bd7554389816d4b7ce6c0bedb80a7c4b01e989d571d616cd` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/provenance_info.md index d6f4720293..f6e61cdb38 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-dns-node-cache Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-dns-node-cache** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-dns-node-cache | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-dns-node-cache | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-dns-node-cache image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-dns-node-cache image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-dns-node-cache + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-dns-node-cache ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/tags_history.md index 1dae156460..eb5cd97b89 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-dns-node-cache/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-dns-node-cache Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:846ec1f1736a4f351c7c533ada04de3986e4c2335886f8a4a0bf92dfb07ed7c0` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f96f8b55d2e8710c037e38fa645247a2421ef2e1a5814884be0416a569b3fd6f` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-event-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-event-exporter/provenance_info.md index a576658ccc..36fd9aaf01 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-event-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-event-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-event-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-event-exporter** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-event-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-event-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-event-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-event-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-event-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-event-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-event-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-event-exporter/tags_history.md index 31b5078b7f..79b2ea9022 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-event-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-event-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-event-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ca61cca26c34383920c1de6921f1b87707bc58db159a7bb23f0f44cce942694b` | -| `latest-dev` | November 29th | `sha256:584e50694ef110509edcc9799fc89c6150f59312e7009bee90a976fd9e4ed13e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:5a95c89b717d01ba11f193f81930b4e6ec61ae1216fb9e64d1d737c827b752fc` | +| `latest-dev` | December 6th | `sha256:4ec19406b0b6207e065ab5fa2b222fadcaffe2eb42054e1b4cce4396209cf28e` | diff --git a/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/provenance_info.md b/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/provenance_info.md index 765b9515a6..a2eb8910a2 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubernetes-ingress-defaultbackend Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubernetes-ingress-defaultbackend** Chainguard Images are signed using Sig The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubernetes-ingress-defaultbackend | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-ingress-defaultbackend | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kuberne | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-ingress-defaultbackend image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubernetes-ingress-defaultbackend image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubernetes-ingress-defaultbackend + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubernetes-ingress-defaultbackend ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/tags_history.md b/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/tags_history.md index 61a83f65be..c8373cc1bb 100644 --- a/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubernetes-ingress-defaultbackend/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubernetes-ingress-defaultbackend Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:445e4eeff5a0a8bb05490c0a4346cddc538a31aa7fe00166c95165fc6997a4c6` | -| `latest` | October 30th | `sha256:b6ebe3559ee6f883693683c82e2c8b09a05ccc182cd4b4c27d059502f2bf90ae` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:5730ccb98eac721163b7b2412cfaec11f8475cdceccaf8f9a57693cb33f49440` | +| `latest-dev` | December 6th | `sha256:45349bb6cd446d552ede3cce98bab5546520b26b4bce48019968fa971ac7e601` | diff --git a/content/chainguard/chainguard-images/reference/kubewatch/provenance_info.md b/content/chainguard/chainguard-images/reference/kubewatch/provenance_info.md index b181133aaa..8ce98e51e5 100644 --- a/content/chainguard/chainguard-images/reference/kubewatch/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kubewatch/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kubewatch Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kubewatch** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kubewatch | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubewatch | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kubewat | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubewatch image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kubewatch image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kubewatch + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kubewatch ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kubewatch/tags_history.md b/content/chainguard/chainguard-images/reference/kubewatch/tags_history.md index 85db2284b3..be0c2c62c9 100644 --- a/content/chainguard/chainguard-images/reference/kubewatch/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kubewatch/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kubewatch Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:48cf45cde484d9fe2fb87662c7e3267ce625db4a7a9a382018fc4bce950c7b6e` | -| `latest` | November 29th | `sha256:191fd5e99b4e38021bf01e5277527ed02ca84e542924f3fdc4bee759d006d49a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:68626aedeaede720d097de20d00c70cdbdb54cc295c531a7cc22abb0c90e969f` | +| `latest-dev` | December 6th | `sha256:a3928087dd150b1235ea6f2b9bec98cc823d28a2a6726bb6ec38f7ac359663e6` | diff --git a/content/chainguard/chainguard-images/reference/kyverno-background-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-background-controller/provenance_info.md index 49ffa2d9dc..7ac0db3a33 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-background-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-background-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno-background-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno-background-controller** Chainguard Images are signed using Sigstor The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno-background-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-background-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-background-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-background-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno-background-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-background-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno-background-controller/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno-background-controller/tags_history.md index b107ea0910..673c45763a 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-background-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno-background-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno-background-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:fa5297814241adbe4ad277a1f8a862c38890b8cc2d0ea55cdc2e2b57ab91b82b` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:59c725f365d4ecb28a95715a05e8ffd114bd5673451dacdffb7704000b5ce4c2` | diff --git a/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/provenance_info.md index 9023060db4..f77bd20700 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno-cleanup-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno-cleanup-controller** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno-cleanup-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-cleanup-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-cleanup-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-cleanup-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno-cleanup-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-cleanup-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/tags_history.md index 29e9c3b913..63f3a0ede7 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno-cleanup-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno-cleanup-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:7e2dce479ae35f35f646d8d5b8c91d58f1940bc3f136218698c63bf19d9039fc` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c7e07badac5f9f4c57a564d9553151a6365e164dd3e3c9f7d061d67da6b790f9` | diff --git a/content/chainguard/chainguard-images/reference/kyverno-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-cli/provenance_info.md index 8e4fab6ca8..e07c6603af 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-cli/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno-cli Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno-cli** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno-cli | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-cli | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-cli image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-cli image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno-cli + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-cli ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno-cli/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno-cli/tags_history.md index c7137a3159..b6573a9202 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-cli/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno-cli/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno-cli Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4bd510e8b126d57f0cf68ae77020b8d5791f5f0edb572407f83f99264d28bbdf` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:74deef3fb13f11b20e9112565d9a9adda67a9e69ee62f26a45eac514c4398139` | diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/provenance_info.md index 5678efb2ff..fe68f2ff3e 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno-policy-reporter-plugin Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno-policy-reporter-plugin** Chainguard Images are signed using Sigsto The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno-policy-reporter-plugin | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-policy-reporter-plugin | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-plugin image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-plugin image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno-policy-reporter-plugin + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-policy-reporter-plugin ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/tags_history.md index 8a37646190..024b81a7ba 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-plugin/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno-policy-reporter-plugin Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:09a5cdbd9aff3f70aec52dc32250dc10a5235e246734d9008d2ace956c76c5ae` | -| `latest` | November 29th | `sha256:194b36618126b9e12926157daf217f6e9ceab197fccaeeb049d2c7d10274c7ad` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:e30f413ff7845134f5604a07d7575f38374cde57e574529d96c98ad13f4237a7` | +| `latest` | December 6th | `sha256:8311a582d666a2febdcd5479590707b0109b31507717dcae505cbf4f0cca71aa` | diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/provenance_info.md index 696e5a2b66..19228e5625 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno-policy-reporter-reporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno-policy-reporter-reporter** Chainguard Images are signed using Sigs The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno-policy-reporter-reporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-policy-reporter-reporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-reporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-reporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno-policy-reporter-reporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-policy-reporter-reporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/tags_history.md index 96d211bd13..e0d18cf96e 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-reporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno-policy-reporter-reporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -26,5 +26,4 @@ Please note that digests and timestamps only change when there is a change to th | Tag (s) | Last Changed | Digest | |---------------|---------------|---------------------------------------------------------------------------| | `latest-dev` | November 11th | `sha256:42838dde4828a313a29f08220eecb5a3472c3993d3c045228a1d0379c3be7027` | -| `latest` | October 30th | `sha256:fcc338a61d26ec53bb017797985d68846752b23f483b8f9637d89922f9310be7` | diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/provenance_info.md index 197d305976..d33c0d3b85 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno-policy-reporter-ui Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno-policy-reporter-ui** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno-policy-reporter-ui | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-policy-reporter-ui | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-ui image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter-ui image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno-policy-reporter-ui + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-policy-reporter-ui ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/tags_history.md index 9de56dd306..e662127472 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter-ui/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno-policy-reporter-ui Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4a6f3e24f320b7b8eda2fdfb61eebae45bdea6d7c9180b9e9e56540da60feed6` | -| `latest-dev` | November 29th | `sha256:9fa0219077bc93685c0297ee7af5d73630ef9fee79853c8e9a2b82209c480eb8` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:474d716b92e6e887995e9d1e3180bcc0649e94764ceb878b01558fbe24131be0` | +| `latest` | December 6th | `sha256:36cb1cc2938723c5348c900b7ad405e1bbbe9e4c24014ebbccd56009ace6ba4b` | diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter/provenance_info.md index a7b4d56f7d..f2be904d83 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno-policy-reporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno-policy-reporter** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno-policy-reporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-policy-reporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-policy-reporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno-policy-reporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-policy-reporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter/tags_history.md index 52bbcf963f..2fdd851929 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-policy-reporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno-policy-reporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno-policy-reporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:aa4a0f0c69a22bd6f600bc014ebafe851a66cfc855bbd35e4e2ef68618219162` | -| `latest-dev` | November 29th | `sha256:345582a223900f0cc554eda47f35a370082d6af3187bcc8786dc60eefdbaf06d` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:3d93023ccceccfb69aedda73334afae1253612fe7f4f6b3869cafd6f17ce23ad` | +| `latest-dev` | December 6th | `sha256:7ef9fd7713f5b61a48359fa1beb3212f0b0b092343855a4e33f387d69676c647` | diff --git a/content/chainguard/chainguard-images/reference/kyverno-reports-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno-reports-controller/provenance_info.md index 80375f09a6..abfb18c928 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-reports-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno-reports-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno-reports-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno-reports-controller** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno-reports-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-reports-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-reports-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno-reports-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno-reports-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno-reports-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno-reports-controller/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno-reports-controller/tags_history.md index 9ce8f82b44..9f05ce464b 100644 --- a/content/chainguard/chainguard-images/reference/kyverno-reports-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno-reports-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno-reports-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3b8ea47198c3e305cb83426fe034322638e792b5dcfa37b6093951b2b429b06f` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:e72fb59ed89cbf1b90d85ca56cb2b94924444986f4e6ebc9ec3a9f4d6051c7cb` | diff --git a/content/chainguard/chainguard-images/reference/kyverno/provenance_info.md b/content/chainguard/chainguard-images/reference/kyverno/provenance_info.md index 407dd38e96..9014c9ec85 100644 --- a/content/chainguard/chainguard-images/reference/kyverno/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/kyverno/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for kyverno Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **kyverno** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/kyverno | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the kyverno | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the kyverno image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/kyverno + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/kyverno ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/kyverno/tags_history.md b/content/chainguard/chainguard-images/reference/kyverno/tags_history.md index d69967124f..9be4e65f06 100644 --- a/content/chainguard/chainguard-images/reference/kyverno/tags_history.md +++ b/content/chainguard/chainguard-images/reference/kyverno/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the kyverno Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e6c5de4b56692e17233fcaf0d2d486e085aade2bcffa8debd567fb54604ce194` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:86166f42ec11c0ed12da32714592016bfaaf233d8f288fc5281dd37d08695a1d` | diff --git a/content/chainguard/chainguard-images/reference/loki/provenance_info.md b/content/chainguard/chainguard-images/reference/loki/provenance_info.md index 4062d74100..b7c02872c5 100644 --- a/content/chainguard/chainguard-images/reference/loki/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/loki/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for loki Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **loki** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/loki | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/loki | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the loki im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the loki image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the loki image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/loki + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/loki ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/loki/tags_history.md b/content/chainguard/chainguard-images/reference/loki/tags_history.md index ea42339000..d394d9cc9a 100644 --- a/content/chainguard/chainguard-images/reference/loki/tags_history.md +++ b/content/chainguard/chainguard-images/reference/loki/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the loki Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:25ec63b7614d5cbce2bcb50e96a775792a97f43fc19a7370177333cbdae96bc1` | -| `latest` | October 31st | `sha256:8b9f782c7431b1a8b8c0cc33e6081b0d4fb2f28b5697299778c7fa0cbd483970` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f32a3613596385a110a34a7e9af3f9079aecb4fd27965027ffb1a360bcb39036` | +| `latest-dev` | December 6th | `sha256:b9fa567817d963503ee2caa4a5276290a4210d6751e7ab150b8614ab7f2661f7` | diff --git a/content/chainguard/chainguard-images/reference/mariadb/provenance_info.md b/content/chainguard/chainguard-images/reference/mariadb/provenance_info.md index 357773b204..52f474d268 100644 --- a/content/chainguard/chainguard-images/reference/mariadb/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/mariadb/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for mariadb Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **mariadb** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/mariadb | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/mariadb | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the mariadb | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the mariadb image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the mariadb image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/mariadb + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/mariadb ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/mariadb/tags_history.md b/content/chainguard/chainguard-images/reference/mariadb/tags_history.md index e3cb99f8ef..36db1c6f8d 100644 --- a/content/chainguard/chainguard-images/reference/mariadb/tags_history.md +++ b/content/chainguard/chainguard-images/reference/mariadb/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the mariadb Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4dc863f6ee9b59bb96b5e4ad28859a57bd9ed31606fee78e943244176caded90` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1f312a9e3b87997d077ba80100290700fe5280f10934346461c65bdc37e67747` | diff --git a/content/chainguard/chainguard-images/reference/maven/provenance_info.md b/content/chainguard/chainguard-images/reference/maven/provenance_info.md index 1a4de878dd..43c9369a1b 100644 --- a/content/chainguard/chainguard-images/reference/maven/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/maven/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for maven Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **maven** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/maven | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/maven | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the maven i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the maven image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the maven image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/maven + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/maven ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/maven/tags_history.md b/content/chainguard/chainguard-images/reference/maven/tags_history.md index d9b1f15301..72123da5ce 100644 --- a/content/chainguard/chainguard-images/reference/maven/tags_history.md +++ b/content/chainguard/chainguard-images/reference/maven/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the maven Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,10 +23,10 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|--------------------------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` `openjdk-17-dev` | November 29th | `sha256:baa5f688460480b38be74021ea396a5fbe01e55b5aff9b1d5899585650657c69` | -| `latest` `openjdk-17` | November 29th | `sha256:f8cfdcdcfc9e08422079a1bec8b10bf3aa9c0d7e93694f07bf2f33a87211f32d` | -| `openjdk-11-dev` | November 29th | `sha256:0231f288d26d7ff55ec36dcbf5a5be5f7e7f438ea17cd959efb03b09bbcb1997` | -| `openjdk-11` | November 29th | `sha256:f92dddfa7fb7f3c15f0e967ac96777a43eaee45b6009a547834d8068a0948ed0` | +| Tag (s) | Last Changed | Digest | +|--------------------------------|--------------|---------------------------------------------------------------------------| +| `openjdk-17` `latest` | December 6th | `sha256:31c0b9d0083c72b770a6098c5ff91c89d5809c28bd7981503927f588b5dab733` | +| `latest-dev` `openjdk-17-dev` | December 6th | `sha256:f5d3ac80f5b27ff0a4ff63f91f7f7642d2eb9d9cabbc00540b965b7dd75868dd` | +| `openjdk-11-dev` | December 6th | `sha256:f6b7d55dffff4a3d877e2e2ebec61033a8f11f8e9e5f8756807e7ca12d287af9` | +| `openjdk-11` | December 6th | `sha256:fe4cbb2eb82ab5468fb5d81e7b21267df7d9dcb6f502508a71e2735b447a7265` | diff --git a/content/chainguard/chainguard-images/reference/mdbook/provenance_info.md b/content/chainguard/chainguard-images/reference/mdbook/provenance_info.md index 990ad85e45..d164e5ecb1 100644 --- a/content/chainguard/chainguard-images/reference/mdbook/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/mdbook/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for mdbook Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **mdbook** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/mdbook | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/mdbook | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the mdbook | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the mdbook image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the mdbook image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/mdbook + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/mdbook ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/mdbook/tags_history.md b/content/chainguard/chainguard-images/reference/mdbook/tags_history.md index deca475bcf..4f741edb21 100644 --- a/content/chainguard/chainguard-images/reference/mdbook/tags_history.md +++ b/content/chainguard/chainguard-images/reference/mdbook/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the mdbook Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:77dd3a19bc59f9db9d81ed7b25bfaedd75d9dd987c0db59fb74b32b0cf1c851e` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:3bab31dbaa9d9978cd82193637c3143d21be018ecbfd5f94e96b8a05f3be44d6` | diff --git a/content/chainguard/chainguard-images/reference/meilisearch/provenance_info.md b/content/chainguard/chainguard-images/reference/meilisearch/provenance_info.md index 3c2af9e539..535e984183 100644 --- a/content/chainguard/chainguard-images/reference/meilisearch/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/meilisearch/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for meilisearch Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **meilisearch** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/meilisearch | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/meilisearch | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the meilise | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the meilisearch image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the meilisearch image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/meilisearch + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/meilisearch ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/meilisearch/tags_history.md b/content/chainguard/chainguard-images/reference/meilisearch/tags_history.md index eaf84f1638..4c4c17e0ee 100644 --- a/content/chainguard/chainguard-images/reference/meilisearch/tags_history.md +++ b/content/chainguard/chainguard-images/reference/meilisearch/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the meilisearch Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:17f6ef814a617120d8e02dc8c9620a4c74f81af91a9006eb34641bc5159ad36c` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1d0dbd40c09e0ba7de87ca552ade8dffaf82482cfd28bee6f105971d1f8f6700` | diff --git a/content/chainguard/chainguard-images/reference/melange/provenance_info.md b/content/chainguard/chainguard-images/reference/melange/provenance_info.md index 791edac43e..1c33afb0a9 100644 --- a/content/chainguard/chainguard-images/reference/melange/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/melange/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for melange Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **melange** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/melange | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/melange | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the melange | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the melange image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the melange image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/melange + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/melange ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/melange/tags_history.md b/content/chainguard/chainguard-images/reference/melange/tags_history.md index 5f5b14b3e2..5a9d986f12 100644 --- a/content/chainguard/chainguard-images/reference/melange/tags_history.md +++ b/content/chainguard/chainguard-images/reference/melange/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the melange Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4b7915dc5099b1b689f863f5a65092aa912da8f6368869cd677fde97031bcc93` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:7c06b40bd0c63e525afa56601523602e7454416a897c0f4fa99669df9ec6404b` | diff --git a/content/chainguard/chainguard-images/reference/memcached-exporter-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/memcached-exporter-bitnami/provenance_info.md index 29463dbd78..7e2a96fc49 100644 --- a/content/chainguard/chainguard-images/reference/memcached-exporter-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/memcached-exporter-bitnami/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for memcached-exporter-bitnami Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **memcached-exporter-bitnami** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/memcached-exporter-bitnami | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/memcached-exporter-bitnami | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the memcach | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the memcached-exporter-bitnami image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the memcached-exporter-bitnami image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/memcached-exporter-bitnami + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/memcached-exporter-bitnami ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/memcached-exporter-bitnami/tags_history.md b/content/chainguard/chainguard-images/reference/memcached-exporter-bitnami/tags_history.md index 8c643bd118..2853a7f7eb 100644 --- a/content/chainguard/chainguard-images/reference/memcached-exporter-bitnami/tags_history.md +++ b/content/chainguard/chainguard-images/reference/memcached-exporter-bitnami/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the memcached-exporter-bitnami Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:858385ab4128a8861ed5960c56e86b9418ff524104926ff164962ab896a2a876` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c652a3d74c29462a122be56affcfad344a3d4e211d15caa86ca9e1adf671df2a` | diff --git a/content/chainguard/chainguard-images/reference/memcached-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/memcached-exporter/provenance_info.md index d8adf698d1..14c64301d7 100644 --- a/content/chainguard/chainguard-images/reference/memcached-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/memcached-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for memcached-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **memcached-exporter** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/memcached-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/memcached-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the memcach | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the memcached-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the memcached-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/memcached-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/memcached-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/memcached-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/memcached-exporter/tags_history.md index cb8f038b74..c65f4a6275 100644 --- a/content/chainguard/chainguard-images/reference/memcached-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/memcached-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the memcached-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:956958781d63bc4b2d6dfc42c265e7b6742173b57467e94e03c93ad8dc0ba91b` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f28a89ba2ca399ea1e102c8087d421e7bd7c87ef8eb161adac2304be89793507` | diff --git a/content/chainguard/chainguard-images/reference/memcached/provenance_info.md b/content/chainguard/chainguard-images/reference/memcached/provenance_info.md index 9cbb1ffab5..d549b0eb6d 100644 --- a/content/chainguard/chainguard-images/reference/memcached/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/memcached/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for memcached Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **memcached** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/memcached | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/memcached | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the memcach | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the memcached image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the memcached image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/memcached + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/memcached ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/memcached/tags_history.md b/content/chainguard/chainguard-images/reference/memcached/tags_history.md index 710043e88f..e4f2acd904 100644 --- a/content/chainguard/chainguard-images/reference/memcached/tags_history.md +++ b/content/chainguard/chainguard-images/reference/memcached/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the memcached Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:c828df1ae941aff3a31cf3df0679b084d9e6478572519c00022ff5ce0658a5f6` | -| `latest-dev` | November 29th | `sha256:73b11edb046dbb1e190cdc445eece9b7fa40dda2765abe91676af72822333ccb` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:2d63d4aa2c58f083bdf64b2312627c3420cb011578298552ad83cc7c09a6618e` | +| `latest` | December 6th | `sha256:a54317a9cd52953915ca9d0c124c3ebba5d5d95cd1f17f6d969e575f2f2b0151` | diff --git a/content/chainguard/chainguard-images/reference/metacontroller/provenance_info.md b/content/chainguard/chainguard-images/reference/metacontroller/provenance_info.md index 27edb60c4a..32938826e8 100644 --- a/content/chainguard/chainguard-images/reference/metacontroller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/metacontroller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for metacontroller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **metacontroller** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/metacontroller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/metacontroller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the metacon | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the metacontroller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the metacontroller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/metacontroller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/metacontroller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/metacontroller/tags_history.md b/content/chainguard/chainguard-images/reference/metacontroller/tags_history.md index 516764a022..a6f327c077 100644 --- a/content/chainguard/chainguard-images/reference/metacontroller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/metacontroller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the metacontroller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:8f62f565236c6123a1759fad4c34bfc924652bf044fdf535da44fbc33ffaa7da` | -| `latest` | November 29th | `sha256:d0eb793c6109a5781075d72fa8b211517e354f1c4bef6c9bf064eb101823e1da` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:9c092405f616db30d6620e978fa77f10e36409492e1149b220a6ce11e5961b8e` | +| `latest-dev` | December 6th | `sha256:26ac84198d14fe757b8baf016644db1c46fef275294e764723b99a42321f483a` | diff --git a/content/chainguard/chainguard-images/reference/metrics-server/provenance_info.md b/content/chainguard/chainguard-images/reference/metrics-server/provenance_info.md index cf0a46fdc7..166fae7f3e 100644 --- a/content/chainguard/chainguard-images/reference/metrics-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/metrics-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for metrics-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **metrics-server** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/metrics-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/metrics-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the metrics | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the metrics-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the metrics-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/metrics-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/metrics-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/metrics-server/tags_history.md b/content/chainguard/chainguard-images/reference/metrics-server/tags_history.md index 38dbd45b8c..23299733fc 100644 --- a/content/chainguard/chainguard-images/reference/metrics-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/metrics-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the metrics-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:b07694945ec973acea99536892525e824160743ed85b1f3622cdb42cec3a744e` | -| `latest-dev` | November 29th | `sha256:8e624a2dbd790b949e9bcbc8090e54f6d4bef000353ffb16c77bfe01d25438c5` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:50fc62506195b32bbcfde8a098f3e436a6889fad5f40c08770cb378016cc7fa7` | +| `latest-dev` | December 6th | `sha256:8c20d1064646f7cf87e760a1ab0fd150ddb411d708c21b885e30af3382d1c322` | diff --git a/content/chainguard/chainguard-images/reference/minio-client/provenance_info.md b/content/chainguard/chainguard-images/reference/minio-client/provenance_info.md index 5c27f0b48f..efa340ade0 100644 --- a/content/chainguard/chainguard-images/reference/minio-client/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/minio-client/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for minio-client Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **minio-client** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/minio-client | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/minio-client | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the minio-c | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the minio-client image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the minio-client image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/minio-client + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/minio-client ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/minio-client/tags_history.md b/content/chainguard/chainguard-images/reference/minio-client/tags_history.md index 7104d86a6a..4496b0d964 100644 --- a/content/chainguard/chainguard-images/reference/minio-client/tags_history.md +++ b/content/chainguard/chainguard-images/reference/minio-client/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the minio-client Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,10 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:3a081a0794b5378c66791d26c4b3617b92dce916b18ad9cef784224e7e198c78` | -| `latest` | November 29th | `sha256:d93b4806fd6474fa2119c1ad3e518bf1f0bf668aa7b596fc050bb6cbff7c8cb4` | -| `0-dev` | November 3rd | `sha256:ad1e3773cda32e9b1dd451192c5913718c37cc73d967582a6113348fd84a8af0` | -| `0` | October 30th | `sha256:49ec491a13fe044c77457058b6c1fe8cc38e35f018520cf273d366c01be8de12` | +| Tag (s) | Last Changed | Digest | +|-----------------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` `0-dev` | December 6th | `sha256:26f3bf194ca6dfa251457e35b377bdb76a460eee3bdf1787941ed517914c88d0` | +| `0` `latest` | December 6th | `sha256:c15173f50ac0fd48f4071964495265513053f9aba967e4dce4160a60f5934f33` | diff --git a/content/chainguard/chainguard-images/reference/minio/image_specs.md b/content/chainguard/chainguard-images/reference/minio/image_specs.md index 5f47af91ba..25457dbcbc 100644 --- a/content/chainguard/chainguard-images/reference/minio/image_specs.md +++ b/content/chainguard/chainguard-images/reference/minio/image_specs.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Detailed information about the public minio Chainguard Image variants" date: 2023-03-07T11:07:52+02:00 -lastmod: 2023-03-07T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -62,6 +62,7 @@ The table shows package distribution across variants. | `libnghttp2-14` | X | | | `libpcre2-8-0` | X | | | `libssl3` | X | | +| `mc` | X | X | | `minio` | X | X | | `ncurses` | X | | | `ncurses-terminfo-base` | X | | diff --git a/content/chainguard/chainguard-images/reference/minio/provenance_info.md b/content/chainguard/chainguard-images/reference/minio/provenance_info.md index db6889068d..7f83e66332 100644 --- a/content/chainguard/chainguard-images/reference/minio/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/minio/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for minio Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **minio** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/minio | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/minio | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the minio i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the minio image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the minio image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/minio + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/minio ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/minio/tags_history.md b/content/chainguard/chainguard-images/reference/minio/tags_history.md index dc16aed98c..d14a18a780 100644 --- a/content/chainguard/chainguard-images/reference/minio/tags_history.md +++ b/content/chainguard/chainguard-images/reference/minio/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the minio Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,10 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:52da4136faed5ace47bf45d07336fcecaf1b12aabc5b73ac1b80571ef0e9476f` | -| `latest` | November 29th | `sha256:2e02e40224a49c039db81f88335973698a15b56b80ce63a3ea70f8f874534ff9` | -| `0-dev` | November 3rd | `sha256:b37e18cefc9c9093667667becfd31fafa27768157ea8b7c5c88b6c50298bb964` | -| `0` | October 30th | `sha256:fe8577f3bf3bfc6b00248441ff10da4eb457ee9722c5db93ea8a0345cc78d95e` | +| Tag (s) | Last Changed | Digest | +|-----------------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` `0-dev` | December 6th | `sha256:c8505546be58b6064012400cf7595cb2465bc48d77ba802600b005e74ca065c4` | +| `0` `latest` | December 6th | `sha256:7ca6adebce493411324f069b933d31573ce0d3c0db6723ee089008c13a72ace0` | diff --git a/content/chainguard/chainguard-images/reference/nats/provenance_info.md b/content/chainguard/chainguard-images/reference/nats/provenance_info.md index 229787617d..5c7c345f89 100644 --- a/content/chainguard/chainguard-images/reference/nats/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nats/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for nats Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **nats** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/nats | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nats | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the nats im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nats image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nats image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/nats + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nats ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/nats/tags_history.md b/content/chainguard/chainguard-images/reference/nats/tags_history.md index 7619965388..0de1ae034e 100644 --- a/content/chainguard/chainguard-images/reference/nats/tags_history.md +++ b/content/chainguard/chainguard-images/reference/nats/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the nats Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e5ebcf842df9a6fbe88f4e036b1df63284b65f407c4ec8cbc3e52c27dfb3870d` | -| `latest-dev` | November 29th | `sha256:f53a1d2891284ec1193960ca9c88578a6935b846c531d733d7ea7828e3eaf4dd` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:de9b4a81b52b32a96b228b694b00f233f25e8b61138cf8c88c73bbc1e2593155` | +| `latest-dev` | December 6th | `sha256:d31eede005c5ac1904333f1a1c7b0c45f24bf85f08bf476a96a4ca528c4af6ce` | diff --git a/content/chainguard/chainguard-images/reference/netcat/provenance_info.md b/content/chainguard/chainguard-images/reference/netcat/provenance_info.md index dbb0b106a3..7a89dbb415 100644 --- a/content/chainguard/chainguard-images/reference/netcat/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/netcat/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for netcat Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **netcat** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/netcat | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/netcat | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the netcat | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the netcat image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the netcat image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/netcat + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/netcat ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/netcat/tags_history.md b/content/chainguard/chainguard-images/reference/netcat/tags_history.md index 0339d1ac98..b4f2cefb78 100644 --- a/content/chainguard/chainguard-images/reference/netcat/tags_history.md +++ b/content/chainguard/chainguard-images/reference/netcat/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the netcat Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e3fe9ae9da4d4a6a4b43e9c6f4812d66df6d780f19d5507d26a6be52651b672a` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:41e7b9ff32289735899dd4ba3cb0f79c79faf43d2a5aa3c42207313e0fa9a7dd` | diff --git a/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/_index.md b/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/_index.md index 5023be3869..d9987dbf35 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/_index.md +++ b/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: newrelic-fluent-bit-output Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -26,7 +26,7 @@ toc: true -Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastructure-bundle) container image. +Minimal [newrelic-fluent-bit-output](https://github.com/newrelic/newrelic-fluent-bit-output) container image. @@ -34,7 +34,7 @@ Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastruct The image is available on `cgr.dev`: ``` -docker pull cgr.dev/chainguard/newrelic:latest +docker pull cgr.dev/chainguard/newrelic-fluent-bit-output:latest ``` diff --git a/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/provenance_info.md index 7a480895e8..317db39b00 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for newrelic-fluent-bit-output Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **newrelic-fluent-bit-output** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/newrelic-fluent-bit-output | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-fluent-bit-output | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the newreli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-fluent-bit-output image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-fluent-bit-output image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/newrelic-fluent-bit-output + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-fluent-bit-output ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/tags_history.md b/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/tags_history.md index 732e3474ae..559d9e204c 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/tags_history.md +++ b/content/chainguard/chainguard-images/reference/newrelic-fluent-bit-output/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the newrelic-fluent-bit-output Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:40c38d0fdcd7e8d25dceee8ee538c633d026e3b23f8ce5f7cfa025554a89de81` | -| `latest` | November 29th | `sha256:6de2431c80b5efb4b54765bef21e336e93afb58ce0b8c1a04dabb263571d0a26` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:673a4776f3adc21214a1398aeedc070d53d3ffa7113ebd027d5fe2def9b15f05` | +| `latest` | December 6th | `sha256:32ff997e744326b9d4b179f6e2dad6bf2eed7af8af31203f6100cc9275b2268d` | diff --git a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/_index.md b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/_index.md index dab023e082..fb87a9c0d6 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/_index.md +++ b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: newrelic-infrastructure-bundle Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -34,7 +34,7 @@ Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastruct The image is available on `cgr.dev`: ``` -docker pull cgr.dev/chainguard/newrelic:latest +docker pull cgr.dev/chainguard/newrelic-infrastructure-bundle:latest ``` diff --git a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/image_specs.md b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/image_specs.md index c885215792..195b922753 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/image_specs.md +++ b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/image_specs.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Detailed information about the public newrelic-infrastructure-bundle Chainguard Image variants" date: 2023-03-07T11:07:52+02:00 -lastmod: 2023-03-07T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -29,14 +29,14 @@ The **newrelic-infrastructure-bundle** Chainguard Image currently has 2 public v The table has detailed information about each of these variants. -| | latest-dev | latest | -|--------------|---------------|---------------| -| Default User | `root` | `root` | -| Entrypoint | not specified | not specified | -| CMD | not specified | not specified | -| Workdir | not specified | not specified | -| Has apk? | yes | no | -| Has a shell? | yes | no | +| | latest-dev | latest | +|--------------|-----------------------------------|-----------------------------------| +| Default User | `root` | `root` | +| Entrypoint | `/sbin/tini --` | `/sbin/tini --` | +| CMD | `/usr/bin/newrelic-infra-service` | `/usr/bin/newrelic-infra-service` | +| Workdir | not specified | not specified | +| Has apk? | yes | no | +| Has a shell? | yes | no | Check the [tags history page](/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/tags_history/) for the full list of available tags. @@ -98,24 +98,43 @@ The table shows package distribution across variants. | `ncurses-terminfo-base` | X | | | `newrelic-infrastructure-agent` | X | X | | `newrelic-infrastructure-bundle` | X | X | +| `nri-apache` | X | X | | `nri-apache-compat` | X | X | +| `nri-cassandra` | X | X | | `nri-cassandra-compat` | X | X | +| `nri-consul` | X | X | | `nri-consul-compat` | X | X | +| `nri-couchbase` | X | X | | `nri-couchbase-compat` | X | X | +| `nri-discovery-kubernetes` | X | X | | `nri-discovery-kubernetes-compat` | X | X | +| `nri-elasticsearch` | X | X | | `nri-elasticsearch-compat` | X | X | +| `nri-f5` | X | X | | `nri-f5-compat` | X | X | +| `nri-haproxy` | X | X | | `nri-haproxy-compat` | X | X | +| `nri-jmx` | X | X | | `nri-jmx-compat` | X | X | +| `nri-kafka` | X | X | | `nri-kafka-compat` | X | X | +| `nri-memcached` | X | X | | `nri-memcached-compat` | X | X | +| `nri-mongodb` | X | X | | `nri-mongodb-compat` | X | X | +| `nri-mssql` | X | X | | `nri-mssql-compat` | X | X | +| `nri-mysql` | X | X | | `nri-mysql-compat` | X | X | +| `nri-nagios` | X | X | | `nri-nagios-compat` | X | X | +| `nri-nginx` | X | X | | `nri-nginx-compat` | X | X | +| `nri-postgresql` | X | X | | `nri-postgresql-compat` | X | X | +| `nri-rabbitmq` | X | X | | `nri-rabbitmq-compat` | X | X | +| `nri-redis` | X | X | | `nri-redis-compat` | X | X | | `nrjmx` | X | X | | `openjdk-17-jre` | X | X | @@ -126,6 +145,7 @@ The table shows package distribution across variants. | `openssl-config` | X | X | | `p11-kit` | X | X | | `p11-kit-trust` | X | X | +| `tini` | X | X | | `wolfi-baselayout` | X | X | | `xz` | X | X | | `zlib` | X | X | diff --git a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/provenance_info.md index b13b764624..0dce89b6ec 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for newrelic-infrastructure-bundle Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **newrelic-infrastructure-bundle** Chainguard Images are signed using Sigsto The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/newrelic-infrastructure-bundle | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-infrastructure-bundle | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the newreli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-infrastructure-bundle image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-infrastructure-bundle image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/newrelic-infrastructure-bundle + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-infrastructure-bundle ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/tags_history.md b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/tags_history.md index 5e63654f6f..7f1391e9fe 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/tags_history.md +++ b/content/chainguard/chainguard-images/reference/newrelic-infrastructure-bundle/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the newrelic-infrastructure-bundle Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:56458479d671ce050e4d3147bae89ac71902606a49cf10c4864875d44010ac37` | -| `latest` | November 29th | `sha256:d11f30897ae38eb058af86daba86333a18ab5868a13d14fbf74e6146a039d734` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:993be48ecfb64c08937e51dbae07cb5a24da53392f69b4def578dd91a027e497` | +| `latest` | December 6th | `sha256:f19cf9d80b8570ef5c6fb6732d95945b2d11ece30568fe02a983867597dba254` | diff --git a/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/_index.md b/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/_index.md index 8259f67a46..14a7881fe8 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/_index.md +++ b/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: newrelic-k8s-events-forwarder Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -26,7 +26,7 @@ toc: true -Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastructure-bundle) container image. +Minimal [newrelic-k8s-events-forwarder](https://github.com/newrelic/nri-kubernetes) container image. @@ -34,7 +34,7 @@ Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastruct The image is available on `cgr.dev`: ``` -docker pull cgr.dev/chainguard/newrelic:latest +docker pull cgr.dev/chainguard/newrelic-k8s-events-forwarder:latest ``` diff --git a/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/provenance_info.md index 65475fa893..60907fd794 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for newrelic-k8s-events-forwarder Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **newrelic-k8s-events-forwarder** Chainguard Images are signed using Sigstor The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/newrelic-k8s-events-forwarder | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-k8s-events-forwarder | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the newreli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-k8s-events-forwarder image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-k8s-events-forwarder image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/newrelic-k8s-events-forwarder + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-k8s-events-forwarder ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/tags_history.md b/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/tags_history.md index dae1fb0652..d4de40f334 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/tags_history.md +++ b/content/chainguard/chainguard-images/reference/newrelic-k8s-events-forwarder/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the newrelic-k8s-events-forwarder Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:74cd531a2925234c78978ad2572c3e6f585dcdc345b5dc599bdd514eb34bfa83` | -| `latest-dev` | November 29th | `sha256:21a8cd748027a6d163898f94646685b0b56ab47d043e027966c1f25c1210dba9` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:5ad6c5a411449b819492af473adade4141caa453894b5f82246a0b9a20d00ac4` | +| `latest` | December 6th | `sha256:517ac9ca2e55c7941d20f8bd3b95347f909e060d670a93966da427d71fc36364` | diff --git a/content/chainguard/chainguard-images/reference/newrelic-kube-events/_index.md b/content/chainguard/chainguard-images/reference/newrelic-kube-events/_index.md index fb12d2b02b..edefbcf009 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-kube-events/_index.md +++ b/content/chainguard/chainguard-images/reference/newrelic-kube-events/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: newrelic-kube-events Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -26,7 +26,7 @@ toc: true -Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastructure-bundle) container image. +Minimal [newrelic-kube-events](https://github.com/newrelic/nri-kube-events) container image. @@ -34,7 +34,7 @@ Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastruct The image is available on `cgr.dev`: ``` -docker pull cgr.dev/chainguard/newrelic:latest +docker pull cgr.dev/chainguard/newrelic-kube-events:latest ``` diff --git a/content/chainguard/chainguard-images/reference/newrelic-kube-events/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-kube-events/provenance_info.md index c189a103f4..b3e6ff710f 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-kube-events/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-kube-events/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for newrelic-kube-events Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **newrelic-kube-events** Chainguard Images are signed using Sigstore, and yo The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/newrelic-kube-events | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-kube-events | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the newreli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-kube-events image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-kube-events image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/newrelic-kube-events + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-kube-events ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/newrelic-kube-events/tags_history.md b/content/chainguard/chainguard-images/reference/newrelic-kube-events/tags_history.md index a022ac6eca..22ae7a9b5f 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-kube-events/tags_history.md +++ b/content/chainguard/chainguard-images/reference/newrelic-kube-events/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the newrelic-kube-events Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:f02fac23051464b12561c12d3a7addd67099938ed322ec3f36cadb579c90b33f` | -| `latest-dev` | November 29th | `sha256:9b0193b22043829411b3a1077ab488d6f983f877128e6a049fd5b63dbff757a5` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:91ac12ebd95a0173f7e9855356f0e70d88f087bd7a8e0492af7765c29b189eb1` | +| `latest` | December 6th | `sha256:371955eeee51cbb78348ee195fc9e7e1c7a9bc321b23098dc25d50ecd4e5a916` | diff --git a/content/chainguard/chainguard-images/reference/newrelic-kubernetes/_index.md b/content/chainguard/chainguard-images/reference/newrelic-kubernetes/_index.md index bacd911108..21c098632c 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-kubernetes/_index.md +++ b/content/chainguard/chainguard-images/reference/newrelic-kubernetes/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: newrelic-kubernetes Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -26,7 +26,7 @@ toc: true -Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastructure-bundle) container image. +Minimal [newrelic-kubernetes](https://github.com/newrelic/nri-kubernetes) container image. @@ -34,7 +34,7 @@ Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastruct The image is available on `cgr.dev`: ``` -docker pull cgr.dev/chainguard/newrelic:latest +docker pull cgr.dev/chainguard/newrelic-kubernetes:latest ``` diff --git a/content/chainguard/chainguard-images/reference/newrelic-kubernetes/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-kubernetes/provenance_info.md index 494a94befa..992194c7aa 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-kubernetes/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-kubernetes/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for newrelic-kubernetes Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **newrelic-kubernetes** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/newrelic-kubernetes | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-kubernetes | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the newreli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-kubernetes image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-kubernetes image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/newrelic-kubernetes + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-kubernetes ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/newrelic-kubernetes/tags_history.md b/content/chainguard/chainguard-images/reference/newrelic-kubernetes/tags_history.md index 6fe50722d9..eccffbeffe 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-kubernetes/tags_history.md +++ b/content/chainguard/chainguard-images/reference/newrelic-kubernetes/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the newrelic-kubernetes Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:99cef88e32db044c14ab02d01bf7608e08fd49e8ef466f9a1fb9aca7af3b1acf` | -| `latest` | November 29th | `sha256:35be82fc590e162b716585f26369e6be3ff415f0faad421b35bd8f57f6803706` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:174f6bf557c797a2b4a20a6c629685992c2e7c4729c53b63280ba5de48a747c4` | +| `latest-dev` | December 6th | `sha256:c430ea447fcf77175b35fdc0d5bf1af70a501385672f0759105d5d6a591a82e1` | diff --git a/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/_index.md b/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/_index.md index 99351d8e72..0664e048db 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/_index.md +++ b/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: newrelic-prometheus-configurator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -26,7 +26,7 @@ toc: true -Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastructure-bundle) container image. +Minimal [newrelic-prometheus-configurator](https://github.com/newrelic/newrelic-prometheus-configurator) container image. @@ -34,7 +34,7 @@ Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastruct The image is available on `cgr.dev`: ``` -docker pull cgr.dev/chainguard/newrelic:latest +docker pull cgr.dev/chainguard/newrelic-prometheus-configurator:latest ``` diff --git a/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/provenance_info.md index 4b61765618..3bcf205255 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for newrelic-prometheus-configurator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **newrelic-prometheus-configurator** Chainguard Images are signed using Sigs The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/newrelic-prometheus-configurator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-prometheus-configurator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the newreli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-prometheus-configurator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-prometheus-configurator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/newrelic-prometheus-configurator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-prometheus-configurator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/tags_history.md b/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/tags_history.md index 9d4ec1436b..9d1d2e88b4 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/newrelic-prometheus-configurator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the newrelic-prometheus-configurator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:0d98e06a925c6d7fd0b89c474d1b3736d2228cf286eac25c2ca7151cf7530730` | -| `latest` | November 29th | `sha256:8ef50a5793ac84950fef6cd676d763b1c5ea61083944541157ec7e57ce7f213c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:20f1e4d93095ed985a455766e6c2be6c3fa925164a386dfdaf8525968e10501f` | +| `latest` | December 6th | `sha256:64f798ffbd89f897d1dceab739d10e31e81f7dae8441078c6791d5bcd1c42ae9` | diff --git a/content/chainguard/chainguard-images/reference/newrelic-prometheus/_index.md b/content/chainguard/chainguard-images/reference/newrelic-prometheus/_index.md index 4219c272b2..1a6c54aad5 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-prometheus/_index.md +++ b/content/chainguard/chainguard-images/reference/newrelic-prometheus/_index.md @@ -5,12 +5,12 @@ type: "article" layout: "single" description: "Overview: newrelic-prometheus Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] -menu: - docs: +menu: + docs: parent: "images-reference" weight: 500 toc: true @@ -26,7 +26,7 @@ toc: true -Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastructure-bundle) container image. +Minimal [newrelic-prometheus](https://github.com/newrelic/nri-prometheus) container image. @@ -34,7 +34,7 @@ Minimal [newrelic-infrastructure-bundle](https://github.com/newrelic/infrastruct The image is available on `cgr.dev`: ``` -docker pull cgr.dev/chainguard/newrelic:latest +docker pull cgr.dev/chainguard/newrelic-prometheus:latest ``` diff --git a/content/chainguard/chainguard-images/reference/newrelic-prometheus/provenance_info.md b/content/chainguard/chainguard-images/reference/newrelic-prometheus/provenance_info.md index 8acacf290d..aa44fc079e 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-prometheus/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/newrelic-prometheus/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for newrelic-prometheus Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **newrelic-prometheus** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/newrelic-prometheus | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-prometheus | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the newreli | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-prometheus image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the newrelic-prometheus image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/newrelic-prometheus + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/newrelic-prometheus ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/newrelic-prometheus/tags_history.md b/content/chainguard/chainguard-images/reference/newrelic-prometheus/tags_history.md index 241b1bcf63..7b4a17be10 100644 --- a/content/chainguard/chainguard-images/reference/newrelic-prometheus/tags_history.md +++ b/content/chainguard/chainguard-images/reference/newrelic-prometheus/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the newrelic-prometheus Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:6b992c87cbe5df1c17db6edcba487238d236fc6769c0fe32ae41e713136987ea` | -| `latest` | November 29th | `sha256:eb1f817a98b9172f3c2aad2f253f4956b62208be08a6acad0996939f299003f0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:3db4f1cb97df6270cfbe58f16bb2a5927375cd907289c2ce0700d9d476e177dd` | +| `latest` | December 6th | `sha256:8b072a3b5761622ec9500c7afe10830e7303177c651e33eb4f4d5b0ff6a476a4` | diff --git a/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/provenance_info.md b/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/provenance_info.md index 71007d1384..613e7f10d4 100644 --- a/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for nfs-subdir-external-provisioner Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **nfs-subdir-external-provisioner** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/nfs-subdir-external-provisioner | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nfs-subdir-external-provisioner | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the nfs-sub | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nfs-subdir-external-provisioner image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nfs-subdir-external-provisioner image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/nfs-subdir-external-provisioner + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nfs-subdir-external-provisioner ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/tags_history.md b/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/tags_history.md index d615bca9d4..fa54df55ca 100644 --- a/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/tags_history.md +++ b/content/chainguard/chainguard-images/reference/nfs-subdir-external-provisioner/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the nfs-subdir-external-provisioner Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:eef871c3ae2c124bc28bee41d7022c053923b911dda239997a80a66709363d4b` | -| `latest-dev` | November 29th | `sha256:3066636729b63e8d3616c4c9f6970f290647ed01b5d1ba8b28103f910ad76d81` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:2f3b3a63fa4f04c15f282f826a85d3c84cbcb63a37146920cc2541facd78891c` | +| `latest-dev` | December 6th | `sha256:7ed5229844645b419c0e3340805acbe327e16df102e2753842335658ee76e61b` | diff --git a/content/chainguard/chainguard-images/reference/nginx/provenance_info.md b/content/chainguard/chainguard-images/reference/nginx/provenance_info.md index 7fa6ee3f46..5d3546dba1 100644 --- a/content/chainguard/chainguard-images/reference/nginx/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nginx/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for nginx Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **nginx** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/nginx | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nginx | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the nginx i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nginx image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nginx image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/nginx + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nginx ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/nginx/tags_history.md b/content/chainguard/chainguard-images/reference/nginx/tags_history.md index 5f8a05660c..23563ac193 100644 --- a/content/chainguard/chainguard-images/reference/nginx/tags_history.md +++ b/content/chainguard/chainguard-images/reference/nginx/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the nginx Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:1e7934ac71da780910c7cec5632f095bac0fd9328ae73358df88638b6665a441` | -| `latest` | November 29th | `sha256:49cdd28393a3785a6e0321c97cb8185aae7623c5b40db59db1bb10bbc9b85633` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:94cd367192be5682e56cb29da05009c7f9f70f37cc141e48f0b6aebc0ba6d888` | +| `latest-dev` | December 6th | `sha256:4a99751773e063c5d4daf7e1e3a9149df72a8790b8da5e95303c2172a273455e` | diff --git a/content/chainguard/chainguard-images/reference/node-lts/provenance_info.md b/content/chainguard/chainguard-images/reference/node-lts/provenance_info.md index f9305914e3..85ccb4d9ee 100644 --- a/content/chainguard/chainguard-images/reference/node-lts/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/node-lts/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for node-lts Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **node-lts** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/node-lts | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/node-lts | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the node-lt | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node-lts image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node-lts image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/node-lts + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/node-lts ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/node-lts/tags_history.md b/content/chainguard/chainguard-images/reference/node-lts/tags_history.md index 78e1450f4c..e41cbe478a 100644 --- a/content/chainguard/chainguard-images/reference/node-lts/tags_history.md +++ b/content/chainguard/chainguard-images/reference/node-lts/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the node-lts Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:d40e810c66fce05225a68aa6350f7365dd258e3f12434d310ff7fc1a308c60f5` | -| `latest` | November 29th | `sha256:5df0da1e1521bcba8549a1bd765934055f15250fe607a7122cd2ada033b9a4f6` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:4c2badaf3c8c317fbacf5bad438d7254aaf83e92d7eea3b897a7ec8347cd376c` | +| `latest` | December 6th | `sha256:94e98ec8f33fb52a0291367c8d871c7d09b6daea8209226e51258b0b7c4bce05` | diff --git a/content/chainguard/chainguard-images/reference/node-problem-detector/provenance_info.md b/content/chainguard/chainguard-images/reference/node-problem-detector/provenance_info.md index a32ece029e..3dce9c04fc 100644 --- a/content/chainguard/chainguard-images/reference/node-problem-detector/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/node-problem-detector/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for node-problem-detector Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **node-problem-detector** Chainguard Images are signed using Sigstore, and y The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/node-problem-detector | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/node-problem-detector | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the node-pr | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node-problem-detector image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node-problem-detector image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/node-problem-detector + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/node-problem-detector ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/node-problem-detector/tags_history.md b/content/chainguard/chainguard-images/reference/node-problem-detector/tags_history.md index 3e56d56b79..c4d38b14e3 100644 --- a/content/chainguard/chainguard-images/reference/node-problem-detector/tags_history.md +++ b/content/chainguard/chainguard-images/reference/node-problem-detector/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the node-problem-detector Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:f3f54334697b34458d1310a2fd7bad95c67094c1c6e2523b9d53b14d792f8c44` | -| `latest-dev` | November 29th | `sha256:d62958e5edf0b468a0b275d10a5b975efe80e40e8f8cbababbbe0abec039f88a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:587dbba6a549f5b438577b45823c275aacf0ae0b2c96e0168e697a397e5050f3` | +| `latest-dev` | December 6th | `sha256:2ce9282ca9b99dd07b30a1563465b0ddb223e52b4e0b713349b18c67f3918697` | diff --git a/content/chainguard/chainguard-images/reference/node/provenance_info.md b/content/chainguard/chainguard-images/reference/node/provenance_info.md index 6b7e4ca88a..2f37778721 100644 --- a/content/chainguard/chainguard-images/reference/node/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/node/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for node Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **node** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/node | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/node | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the node im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the node image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/node + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/node ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/node/tags_history.md b/content/chainguard/chainguard-images/reference/node/tags_history.md index f124aad640..dde253d69d 100644 --- a/content/chainguard/chainguard-images/reference/node/tags_history.md +++ b/content/chainguard/chainguard-images/reference/node/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the node Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:3dc881d087152f363964f3a52e9a086858ff0be5d45a34cf1393df81b9dc4aa7` | -| `latest` | November 29th | `sha256:3d2f35cf5b04a849d028520b14e92bb37b81208c7c404ca48824cabac75bf807` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:509f6709ee63b3b914af635517fd392bd2d508a6a76013cfafcb406ad494a88a` | +| `latest` | December 6th | `sha256:71edad479d330985d95375326f9cccb03405f237a624eb23770d208a176929fa` | diff --git a/content/chainguard/chainguard-images/reference/nodetaint/provenance_info.md b/content/chainguard/chainguard-images/reference/nodetaint/provenance_info.md index a7e6cda967..5ec9d00338 100644 --- a/content/chainguard/chainguard-images/reference/nodetaint/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nodetaint/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for nodetaint Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **nodetaint** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/nodetaint | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nodetaint | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the nodetai | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nodetaint image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nodetaint image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/nodetaint + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nodetaint ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/nodetaint/tags_history.md b/content/chainguard/chainguard-images/reference/nodetaint/tags_history.md index fa1d807c4c..ff3a052bd7 100644 --- a/content/chainguard/chainguard-images/reference/nodetaint/tags_history.md +++ b/content/chainguard/chainguard-images/reference/nodetaint/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the nodetaint Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:1e16108e54f1453a30a9ce59830a48b361f429d51d0d44a3f2bfd883910ef184` | -| `latest` | November 29th | `sha256:e65518121350c229b2cf9e4f7f579368197799419ad627ca5c2a0fe753f728a6` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:56736a49c8ed1db51f4ccb6f1c3e2fd8f033c237400c3615f891bb7d08ec62c6` | +| `latest-dev` | December 6th | `sha256:18782903227e6fe4eab11be90e35a4dae896271577ef3694fab2e515787eb1bd` | diff --git a/content/chainguard/chainguard-images/reference/ntia-conformance-checker/provenance_info.md b/content/chainguard/chainguard-images/reference/ntia-conformance-checker/provenance_info.md index 8e29e8b64e..38edc2ef4b 100644 --- a/content/chainguard/chainguard-images/reference/ntia-conformance-checker/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ntia-conformance-checker/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for ntia-conformance-checker Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **ntia-conformance-checker** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/ntia-conformance-checker | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ntia-conformance-checker | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the ntia-co | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ntia-conformance-checker image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ntia-conformance-checker image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/ntia-conformance-checker + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ntia-conformance-checker ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ntia-conformance-checker/tags_history.md b/content/chainguard/chainguard-images/reference/ntia-conformance-checker/tags_history.md index 65fccc35d5..87b56baa2a 100644 --- a/content/chainguard/chainguard-images/reference/ntia-conformance-checker/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ntia-conformance-checker/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the ntia-conformance-checker Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:bddfc944250079581eb46c19b7a41e025fde0febc228b91b4670401d70962417` | -| `latest-dev` | November 29th | `sha256:a19aec68fe9d158b8d2d002bafdf26e45c97bc599500ce18c5fd160efa3983a9` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:c073240e6a0d2dc498ef5523392c7966df6e43274a7ec2c42ec26915f6976d46` | +| `latest` | December 6th | `sha256:534c3b499efbcc4a8662ab39889ad8fe40d4fc1a4feef4f01d24bfce610eec23` | diff --git a/content/chainguard/chainguard-images/reference/ntpd-rs/provenance_info.md b/content/chainguard/chainguard-images/reference/ntpd-rs/provenance_info.md index a7d75f4b79..df4d185e7e 100644 --- a/content/chainguard/chainguard-images/reference/ntpd-rs/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ntpd-rs/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for ntpd-rs Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **ntpd-rs** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/ntpd-rs | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ntpd-rs | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the ntpd-rs | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ntpd-rs image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ntpd-rs image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/ntpd-rs + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ntpd-rs ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ntpd-rs/tags_history.md b/content/chainguard/chainguard-images/reference/ntpd-rs/tags_history.md index 07da1efee4..a6a3eeb866 100644 --- a/content/chainguard/chainguard-images/reference/ntpd-rs/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ntpd-rs/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the ntpd-rs Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:5fd6b98be36281b07e734d4a16cf48a1cab4bb865fd5d7792b2fa6374c00d776` | -| `latest` | November 29th | `sha256:95577f71d3574fbd81a691af3750a7d511109c50b8e7ad5cac1faec01f223498` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:7b9ee6f2faeeea324e95a67b3434cc3cb383e5a7b0eb99db2d97ee6686945a20` | +| `latest-dev` | December 6th | `sha256:518950b296703e7d58d7b5266885503f44bbd9bd8f6f6c623fe24aae1e685663` | diff --git a/content/chainguard/chainguard-images/reference/nvidia-device-plugin/provenance_info.md b/content/chainguard/chainguard-images/reference/nvidia-device-plugin/provenance_info.md index 353f992756..897c0ffccc 100644 --- a/content/chainguard/chainguard-images/reference/nvidia-device-plugin/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/nvidia-device-plugin/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for nvidia-device-plugin Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **nvidia-device-plugin** Chainguard Images are signed using Sigstore, and yo The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/nvidia-device-plugin | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nvidia-device-plugin | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the nvidia- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nvidia-device-plugin image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the nvidia-device-plugin image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/nvidia-device-plugin + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/nvidia-device-plugin ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/nvidia-device-plugin/tags_history.md b/content/chainguard/chainguard-images/reference/nvidia-device-plugin/tags_history.md index 38d4369c13..1f9c08a396 100644 --- a/content/chainguard/chainguard-images/reference/nvidia-device-plugin/tags_history.md +++ b/content/chainguard/chainguard-images/reference/nvidia-device-plugin/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the nvidia-device-plugin Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3cbc441e8b7ae9bea384bc1cd40ff96f00eca09502b73555278ca394e1d18621` | -| `latest-dev` | November 29th | `sha256:e19c2edbef8e1c6d89e18dc89e2f59448e7f56a9d6423e6afef7c4a8a9cb412b` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:04b86495a0f037fad092f6bc98fd5f0d10ce6212e0ff7549af955ee36ce64b62` | +| `latest-dev` | December 6th | `sha256:256d37030dd255bc19965804fd7b5166032a0ba549f4a0c1a733f7d1a16669d4` | diff --git a/content/chainguard/chainguard-images/reference/oauth2-proxy/provenance_info.md b/content/chainguard/chainguard-images/reference/oauth2-proxy/provenance_info.md index 07263bfc4b..e8bf5ac113 100644 --- a/content/chainguard/chainguard-images/reference/oauth2-proxy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/oauth2-proxy/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for oauth2-proxy Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **oauth2-proxy** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/oauth2-proxy | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/oauth2-proxy | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the oauth2- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the oauth2-proxy image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the oauth2-proxy image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/oauth2-proxy + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/oauth2-proxy ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/oauth2-proxy/tags_history.md b/content/chainguard/chainguard-images/reference/oauth2-proxy/tags_history.md index e786346819..9afa95b3ef 100644 --- a/content/chainguard/chainguard-images/reference/oauth2-proxy/tags_history.md +++ b/content/chainguard/chainguard-images/reference/oauth2-proxy/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the oauth2-proxy Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ae2a746b4aa3a4917f2f107e5e1b39c11385024c86e05c20bcc4de6170c8d061` | -| `latest-dev` | November 29th | `sha256:77f996465b02466828159f6cfb97b74d29208f60786bcfdf217b57d42e07b76f` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:461d42049f2ddaad4805dd13eba23afa0964a7bcf13b30e06109ba456b7ea670` | +| `latest-dev` | December 6th | `sha256:004027ea591312688cdf442571bd4655d15b2449b18c61cd6f12c5c329c720af` | diff --git a/content/chainguard/chainguard-images/reference/openai/provenance_info.md b/content/chainguard/chainguard-images/reference/openai/provenance_info.md index fbfcfdc40b..c35d70f802 100644 --- a/content/chainguard/chainguard-images/reference/openai/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/openai/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for openai Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **openai** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/openai | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/openai | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the openai | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the openai image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the openai image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/openai + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/openai ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/openai/tags_history.md b/content/chainguard/chainguard-images/reference/openai/tags_history.md index edef346f95..a1b2cceb3d 100644 --- a/content/chainguard/chainguard-images/reference/openai/tags_history.md +++ b/content/chainguard/chainguard-images/reference/openai/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the openai Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d29398c24bd564d3ffd8f39491359ff62c1ca6fe01caca9e8b7360d3600a3de4` | -| `latest-dev` | November 29th | `sha256:64ff9e9dfbd9e92855e02745408b514c344d3aefb144cab0505940cc50f5cee9` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:4a32b26b5a71f1982c1a4f90878f5dca2d097b7cb438d6f02b2e81be143739b9` | +| `latest-dev` | December 6th | `sha256:e0210a84ad0c7509ee11df41fc9bafeba777e2e5da74f5861d5499ecae8f5ae3` | diff --git a/content/chainguard/chainguard-images/reference/opensearch/provenance_info.md b/content/chainguard/chainguard-images/reference/opensearch/provenance_info.md index fe4cad200d..41d850bda8 100644 --- a/content/chainguard/chainguard-images/reference/opensearch/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/opensearch/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for opensearch Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **opensearch** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/opensearch | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/opensearch | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the opensea | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opensearch image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opensearch image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/opensearch + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/opensearch ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/opensearch/tags_history.md b/content/chainguard/chainguard-images/reference/opensearch/tags_history.md index b0e1dc9d7f..15347ff3d6 100644 --- a/content/chainguard/chainguard-images/reference/opensearch/tags_history.md +++ b/content/chainguard/chainguard-images/reference/opensearch/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the opensearch Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:0b356ebb5a23be095b589504d8279d868ff136749cefeb171df8f848e3aca3da` | -| `latest` | November 29th | `sha256:61e1d6bd5a304cbc7ae6e357d88fc7ef44765e9513483018dc9174003c75d582` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:e9a34644800acfcbb832b4040efa422040051610c3705fd10612d9b19a425e30` | +| `latest` | December 6th | `sha256:ebe8a2992eba7ce1ba1a24a9373a8dafee37e84dec024ad77513e8177a1ddc79` | diff --git a/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/provenance_info.md b/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/provenance_info.md index 1fa7b25e80..02d9c15671 100644 --- a/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for opentelemetry-collector-contrib Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **opentelemetry-collector-contrib** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/opentelemetry-collector-contrib | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/opentelemetry-collector-contrib | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the opentel | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opentelemetry-collector-contrib image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opentelemetry-collector-contrib image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/opentelemetry-collector-contrib + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/opentelemetry-collector-contrib ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/tags_history.md b/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/tags_history.md index 276ee6b6ca..f962de69fd 100644 --- a/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/tags_history.md +++ b/content/chainguard/chainguard-images/reference/opentelemetry-collector-contrib/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the opentelemetry-collector-contrib Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:bc5fc2ade606f4a907b5895b8b921bbf26b7dd1d7472d52c2fc39455810cd797` | -| `latest` | November 29th | `sha256:3787404209eb54420298d9f4c7050dbfd05706889d4353a5bb8de9c5329da0d0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:ff0143af5332aba8bb046421346f3ada5ed5a9a75aad5b6d89ba6fdb1545a57a` | +| `latest` | December 6th | `sha256:68668fa254e5cdd4399c7a9180b74687716bbf15b144f1b258e8a97c13e56c1f` | diff --git a/content/chainguard/chainguard-images/reference/opentofu/provenance_info.md b/content/chainguard/chainguard-images/reference/opentofu/provenance_info.md index 4d975273f9..5d7f28acf8 100644 --- a/content/chainguard/chainguard-images/reference/opentofu/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/opentofu/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for opentofu Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **opentofu** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/opentofu | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/opentofu | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the opentof | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opentofu image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the opentofu image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/opentofu + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/opentofu ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/opentofu/tags_history.md b/content/chainguard/chainguard-images/reference/opentofu/tags_history.md index 016a50a183..ec75c9ebc8 100644 --- a/content/chainguard/chainguard-images/reference/opentofu/tags_history.md +++ b/content/chainguard/chainguard-images/reference/opentofu/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the opentofu Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:61c303d0bd3d7896b40e8de30dd832da1487f869575b91b6929a2e4d04e257cf` | -| `latest-dev` | November 29th | `sha256:e1414cf27feda7726d2963c7163339ae17e7c528d2dd075f6e4d3fba847149a2` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:26125f097e4b5f0e5c2945ff4ab581fe30d3b0bd859e4e77884ff0940cb531b5` | +| `latest` | December 6th | `sha256:8ba648cfeff7e365f01e6f5359d8a8d98c60c3945d6eacae54b63d8e691ed619` | diff --git a/content/chainguard/chainguard-images/reference/paranoia/provenance_info.md b/content/chainguard/chainguard-images/reference/paranoia/provenance_info.md index e766311f62..f150c0a7ec 100644 --- a/content/chainguard/chainguard-images/reference/paranoia/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/paranoia/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for paranoia Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **paranoia** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/paranoia | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/paranoia | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the paranoi | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the paranoia image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the paranoia image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/paranoia + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/paranoia ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/paranoia/tags_history.md b/content/chainguard/chainguard-images/reference/paranoia/tags_history.md index 68c1114cd9..2e64bd9824 100644 --- a/content/chainguard/chainguard-images/reference/paranoia/tags_history.md +++ b/content/chainguard/chainguard-images/reference/paranoia/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the paranoia Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:bd30de04c95bf09e8351be0c6ab7ffa061f5df86c5726facabdfabcc9d809371` | -| `latest` | October 30th | `sha256:1d8e7c07c94e3c3702a1fcb998965fc0cc26d77bdc16083572ab02c7d4f163b7` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:8dc3643a2d8c54dffbefd2da4a30f711c4b78b8794f69d951a0404c6d635f0eb` | +| `latest` | December 6th | `sha256:416ce6a8205ecfcf1c6af33c2157cde9e3dcf13143fad738dab58b0472484880` | diff --git a/content/chainguard/chainguard-images/reference/pgbouncer/provenance_info.md b/content/chainguard/chainguard-images/reference/pgbouncer/provenance_info.md index ef12e7ac86..f5ee62141d 100644 --- a/content/chainguard/chainguard-images/reference/pgbouncer/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/pgbouncer/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for pgbouncer Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **pgbouncer** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/pgbouncer | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/pgbouncer | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the pgbounc | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the pgbouncer image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the pgbouncer image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/pgbouncer + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/pgbouncer ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/pgbouncer/tags_history.md b/content/chainguard/chainguard-images/reference/pgbouncer/tags_history.md index 60d8dfc788..522265ade6 100644 --- a/content/chainguard/chainguard-images/reference/pgbouncer/tags_history.md +++ b/content/chainguard/chainguard-images/reference/pgbouncer/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the pgbouncer Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:0806e46867048db2d2977fb2e8d11a18e4097f73a24cbd3138ae32a2fb380403` | -| `latest-dev` | November 29th | `sha256:4fdf327a5f8850ba470d6759ce5c4863889af7375d20df76a05ce4f64ca0b9a2` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:85551063afb357a396aabd3a63773f385ef7f7f9becd06e4ca99093725227a24` | +| `latest` | December 6th | `sha256:9b323450235e46c858667f185a64f7463940cb3ec63d81cb1326ac9a3d258c21` | diff --git a/content/chainguard/chainguard-images/reference/php/provenance_info.md b/content/chainguard/chainguard-images/reference/php/provenance_info.md index 3606398860..cf1f3ddba0 100644 --- a/content/chainguard/chainguard-images/reference/php/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/php/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for php Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **php** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/php | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/php | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the php ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the php image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the php image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/php + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/php ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/php/tags_history.md b/content/chainguard/chainguard-images/reference/php/tags_history.md index dd81cdc086..8c52393b5f 100644 --- a/content/chainguard/chainguard-images/reference/php/tags_history.md +++ b/content/chainguard/chainguard-images/reference/php/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the php Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,10 +23,10 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-------------------|---------------|---------------------------------------------------------------------------| -| `latest-fpm-dev` | November 29th | `sha256:f3859d79222c6e044fa8a2bf8c464d0189dd74259d399f5b52fdcbfa19877419` | -| `latest-fpm` | November 29th | `sha256:8b89c3005b61d5240b9bea3b62b3f4d9b4ab876d46ea326be742a440edb91811` | -| `latest-dev` | November 29th | `sha256:a6368dd700d6474691eda19941645283be1bc02dc75fa9aa1988e686d5123219` | -| `latest` | November 29th | `sha256:e00ff68f0cdcfc75c8724a734534b33663e346cfd8bc3ab89b672392561fd23b` | +| Tag (s) | Last Changed | Digest | +|-------------------|--------------|---------------------------------------------------------------------------| +| `latest-fpm` | December 6th | `sha256:b455d2cbcac8c1398a195383ef63d723e4e2c4bbdf668494b1ba1612d4583fda` | +| `latest-fpm-dev` | December 6th | `sha256:d0d90e8d4cd594ec0782f45a187bc76216608a2d27f946a7b17d5a7c2c246417` | +| `latest` | December 6th | `sha256:3799d818ca54a412031eb88723c68e16c9e143ae2e6067e5766739e985dcf5eb` | +| `latest-dev` | December 6th | `sha256:946f2c5b8b029ba9dd9b779bad573dddf2d8a608affc8d75b554aca125b2e4d0` | diff --git a/content/chainguard/chainguard-images/reference/postgres/provenance_info.md b/content/chainguard/chainguard-images/reference/postgres/provenance_info.md index 413ce2a571..df9805b941 100644 --- a/content/chainguard/chainguard-images/reference/postgres/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/postgres/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for postgres Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **postgres** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/postgres | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/postgres | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the postgre | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the postgres image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the postgres image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/postgres + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/postgres ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/postgres/tags_history.md b/content/chainguard/chainguard-images/reference/postgres/tags_history.md index eee9f1c0a7..825ec9560a 100644 --- a/content/chainguard/chainguard-images/reference/postgres/tags_history.md +++ b/content/chainguard/chainguard-images/reference/postgres/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the postgres Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:cb68c7b603e3dad60cfcc203426831cc303b807388683f7fbff04bb5016446ac` | -| `latest` | November 29th | `sha256:75e98f14ae69788bce931ac6e22cb14e648d6aaaa479c46ee676a8e839886eef` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:f99fb49ced296c476cec57f415db97ea58c60579a65796651785712616f5f021` | +| `latest` | December 6th | `sha256:160cbf387cacf5a5db0e312ffb59e18b02b48e79d2599a1604fd7a99a154c87c` | diff --git a/content/chainguard/chainguard-images/reference/powershell/provenance_info.md b/content/chainguard/chainguard-images/reference/powershell/provenance_info.md index b1a9cc5fa4..1ca79ab63a 100644 --- a/content/chainguard/chainguard-images/reference/powershell/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/powershell/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for powershell Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **powershell** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/powershell | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/powershell | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the powersh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the powershell image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the powershell image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/powershell + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/powershell ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/powershell/tags_history.md b/content/chainguard/chainguard-images/reference/powershell/tags_history.md index 91a0d7c0d7..6281420345 100644 --- a/content/chainguard/chainguard-images/reference/powershell/tags_history.md +++ b/content/chainguard/chainguard-images/reference/powershell/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the powershell Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|------------------------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:abd2935897b3b48f22e34747b822c4e8f97d0ea0054476ab0fa11786347cefac` | -| `latest-root` `root-latest` | November 29th | `sha256:8193cdf01fddc643b9ab4e83433893cb1e68427f0d53b30fa05a8cd98779ed77` | +| Tag (s) | Last Changed | Digest | +|------------------------------|--------------|---------------------------------------------------------------------------| +| `latest-root` `root-latest` | December 6th | `sha256:de38fe4054640f0814911b5665ce5a2d542e1c625014ec49d60294694f1c30bd` | +| `latest` | December 6th | `sha256:23b354697cb0e58fc27ec8d3051c4ff436ef1ac814330d175dd2ebaeeed1bceb` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-adapter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-adapter/provenance_info.md index 9b541ab52d..0d479cf979 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-adapter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-adapter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-adapter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-adapter** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-adapter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-adapter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-adapter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-adapter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-adapter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-adapter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-adapter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-adapter/tags_history.md index d272a93995..f76985f484 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-adapter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-adapter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-adapter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:46390682785b494c344a685657235ab5e127f4844d170bb20580b046bf5ac130` | -| `latest` | November 29th | `sha256:7bfee78a9c6119eb577fb1701a13363a270f1246e9bb1bb2a960335b265c5cb0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:b3f9863f1f3d89c2ff40c6923975d53fcbcd3f36be8d0790220fdd1722159653` | +| `latest` | December 6th | `sha256:d790f65d6550f568dcc501a3b55bf04d1be81620cc184efa3d21bb2393431cf1` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-alertmanager/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-alertmanager/provenance_info.md index e03dffee75..26d2782156 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-alertmanager/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-alertmanager/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-alertmanager Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-alertmanager** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-alertmanager | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-alertmanager | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-alertmanager image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-alertmanager image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-alertmanager + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-alertmanager ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-alertmanager/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-alertmanager/tags_history.md index 1af1e8222e..bcdae91eb3 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-alertmanager/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-alertmanager/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-alertmanager Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:7d2289cefe1082938bef05a59ec0798f9d37968d26c9446f9304c7ba5f7e72c6` | -| `latest` | November 29th | `sha256:bd2d9d63751063156efb24e2d1ccba0a78f2173873068d9ebfef34587d4428d7` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:87ca7500aa51a9b7ac3426e26efc2ef5491d85a7313ba0ebabb308585d656fb9` | +| `latest-dev` | December 6th | `sha256:43cb614f858884fc449a4f1df22fdeaf2b973bc064ea60bb6694378677fac050` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/provenance_info.md index f4e5b1c7b2..7f8d0461d5 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-cloudwatch-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-cloudwatch-exporter** Chainguard Images are signed using Sigsto The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-cloudwatch-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-cloudwatch-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-cloudwatch-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-cloudwatch-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-cloudwatch-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-cloudwatch-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/tags_history.md index 602c93d685..f4cb2d918f 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-cloudwatch-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-cloudwatch-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:5d06f1169789b4dfa6bf1a81a8f8893149cdce08e4c03438b377444370b22765` | -| `latest-dev` | November 29th | `sha256:daa939a769bdf7ac6a506f635965bde27b362fd1f20b0fe3f21a1b2a72398279` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:60d1508ec347c18e5619bd900999189f52a302b553b7a34b45465378544946aa` | +| `latest-dev` | December 6th | `sha256:376206b200799366659a5fde29f5b8579751784e40cee87ed0a39d1065ef8ea8` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-config-reloader/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-config-reloader/provenance_info.md index a4b757c201..f3ea74b70c 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-config-reloader/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-config-reloader/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-config-reloader Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-config-reloader** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-config-reloader | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-config-reloader | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-config-reloader image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-config-reloader image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-config-reloader + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-config-reloader ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-config-reloader/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-config-reloader/tags_history.md index cd7b0cfd0a..b17df01457 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-config-reloader/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-config-reloader/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-config-reloader Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e049e573d9e454095608c740b8494708631c3cde0e11f761dbac844f36950718` | -| `latest-dev` | November 29th | `sha256:ee8a715c15fbf27abfa5da72b6d053c7b77e18399c19326f57b47ce9857f567f` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:a8b77d6900139adae3025e2963f15f33875e213af9416aa579031baa84604a44` | +| `latest-dev` | December 6th | `sha256:b943165cd6fe26f4c9613c0dcab5d420cc458e5ac785e51f401ef633788a3176` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/provenance_info.md index 6f67c46d4e..ed07cdb35b 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-elasticsearch-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-elasticsearch-exporter** Chainguard Images are signed using Sig The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-elasticsearch-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-elasticsearch-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-elasticsearch-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-elasticsearch-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-elasticsearch-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-elasticsearch-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/tags_history.md index 10b9ffd746..0190cf2223 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-elasticsearch-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-elasticsearch-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:54f9ad2e543d45b2553accd5947603e94c33a6af78e2ad2450711f3e174fb388` | -| `latest-dev` | November 29th | `sha256:cbda46d69cb6b2834f7de73a2dc86f3d3df6d963eb841a7a54e018c1674e3a41` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:7186b8728fc1d55c65f06bf6d2a4e7da8ff496302519715c356e81657c539869` | +| `latest-dev` | December 6th | `sha256:ae42f692aa370f63f01e4c4810918b174343dd3cff458aaf61d564de3050d7f0` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/provenance_info.md index 771bb30388..33fa5d77da 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-mongodb-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-mongodb-exporter** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-mongodb-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-mongodb-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-mongodb-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-mongodb-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-mongodb-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-mongodb-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/tags_history.md index 4f5c253b87..8a215c3d78 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-mongodb-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-mongodb-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:626822bcfc708de8f2fbfd1fd90612d388ab155a72f7a74a5020382e6f943c4c` | -| `latest` | November 29th | `sha256:aee05be5113e4ca02e425ba9ecd15991d8eecf0f6255b84cbd5b9349080bf218` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:62dc2f66b494525092a6302b4aced52190bccc30571035a231d5d0961987cc13` | +| `latest-dev` | December 6th | `sha256:02efd3c2f1c1df67fb8d6b880192b5f3c9899eabba1d8a7c860f10c25bfbc649` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/provenance_info.md index 64726428db..4ab4349053 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-mysqld-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-mysqld-exporter** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-mysqld-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-mysqld-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-mysqld-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-mysqld-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-mysqld-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-mysqld-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/tags_history.md index d83acc4d6d..f46248613b 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-mysqld-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-mysqld-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:99a764770e3aa3a15c11465e22f4714fe77c9c401785785de1d39388edae7106` | -| `latest` | November 29th | `sha256:32b3092ba34091142720bf100aa072654ce77d4bed5d5f5c7927817ce3a34314` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:ab1f5f66434ba48b8cbccb029a3b6165efe5c78f8d5dfce430195109868a18cf` | +| `latest-dev` | December 6th | `sha256:8f46c768a8bcf7cb9f37af5e2e862fa6592e4827342a387c090ca7e1d3b00d7b` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-node-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-node-exporter/provenance_info.md index d091eee838..c839c607f5 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-node-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-node-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-node-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-node-exporter** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-node-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-node-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-node-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-node-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-node-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-node-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-node-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-node-exporter/tags_history.md index f2c60fcc74..ce37afc1a5 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-node-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-node-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-node-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:644123ba8682d174b80374411afe874169c61e36a967da97c20ad1e25aed7c1b` | -| `latest-dev` | November 29th | `sha256:0d841db4f0a24b7b7b456ce0137800ec740787ad4c8bf6000c3ae79eaa6c6b6a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:e152a8e9f314b6ed81146158b45c31fb43067926a0355c97423fb06d6db58d19` | +| `latest` | December 6th | `sha256:0b050408b4d529b12149b9504974f2a5c7ea9790a7bf4e5dc013826c3b8de601` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-operator/provenance_info.md index af56c517ff..8b993f6d84 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-operator** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-operator/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-operator/tags_history.md index 1a26eaa751..81b3baf1bb 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:9767aea200a379749c62567816f1d3c5367e1ed121a514d2a3c318dd91cf80c7` | -| `latest` | November 29th | `sha256:0100a21894567796f3607d7e7547c0622e6f77e8662c2937d39d768845fde6c1` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:23ca9bd7d5610d7f88b328dac9f946305efe70298bd00ef4d81ea229ff94832e` | +| `latest` | December 6th | `sha256:3d5596442ca977fffb39b0bd7e13f712a806e70a985a55d6b80897314f6dc23e` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/provenance_info.md index 3dd5bdf99c..3415824f9f 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-postgres-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-postgres-exporter** Chainguard Images are signed using Sigstore The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-postgres-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-postgres-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-postgres-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-postgres-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-postgres-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-postgres-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/tags_history.md index bc8e380249..026b06f453 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-postgres-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-postgres-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:4094eb70be3fd1e17ee59f78f096b2ff7dc2f7413df4ddf3d8f03d3e418d5634` | -| `latest` | November 29th | `sha256:a16c29cd6f326bf67f1079467e4ccd80c476898002e04ff19a99950a054f82ce` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:d4c4fc70387ed0f3d09e6a2f55632c3f0afc0391e8cc634096fc4e9ec95a4d78` | +| `latest-dev` | December 6th | `sha256:62ac33ee852a0a38773bd668184b030420cc269d920ece49ae50f14a45d8c83e` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/provenance_info.md index 6db59d1caf..aecb7f570a 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-pushgateway-bitnami Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-pushgateway-bitnami** Chainguard Images are signed using Sigsto The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-pushgateway-bitnami | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-pushgateway-bitnami | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-pushgateway-bitnami image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-pushgateway-bitnami image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-pushgateway-bitnami + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-pushgateway-bitnami ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/tags_history.md index 2b6877c033..27b440f9e7 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-pushgateway-bitnami/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-pushgateway-bitnami Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:42f54f1d33274b2c8838ee1b99064883d95b96a020c71837dac5fffb5f05affc` | -| `latest-dev` | November 29th | `sha256:e93c50b41ae498a8d3749b62cfc76724022ea5c3e2e5b4ed792f49bfed38b554` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:24419149bf922a2f00e5d8c7db8bea7c7f89fd5ca465f08bce2f2ca917b4ba0f` | +| `latest-dev` | December 6th | `sha256:4b02265e5b44673afa9538043f99003f9b6a4c33ad237934f7bf97d1f746b644` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-pushgateway/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-pushgateway/provenance_info.md index 437f758563..0b3afedbdf 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-pushgateway/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-pushgateway/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-pushgateway Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-pushgateway** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-pushgateway | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-pushgateway | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-pushgateway image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-pushgateway image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-pushgateway + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-pushgateway ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-pushgateway/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-pushgateway/tags_history.md index fa14a7e29f..44c2925c8a 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-pushgateway/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-pushgateway/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-pushgateway Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:ea0735a67e5c2935402281f7df48de79e7c2fd0eefb9c8f7e94fa79aa216ba9c` | -| `latest` | November 29th | `sha256:ad3635dc5e47deba0b2317bd8aaf71fbc0d7f58850cc28549431843eb9b884b2` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:b2b8f11f4a5512e5c9b8c211deab453743df69349d4fe19e8f69cd1b364bc823` | +| `latest` | December 6th | `sha256:a5b0217e3bb5cfc07abfc3bb15cfe603e694527e71dddc0c094a8d9412d98c34` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/provenance_info.md index 9502ba8df1..84087e6ad5 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-redis-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-redis-exporter** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-redis-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-redis-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-redis-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-redis-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-redis-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-redis-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/tags_history.md index b85253cad5..dfa71736a8 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-redis-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-redis-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:71ed180a294a8d0749238d451dcdd6ab6d65e939907ff4db176da1ad83f8a7f6` | -| `latest` | November 29th | `sha256:985ebd3d18db3cdb899db8054c80c24fd7730d78ae97e596f0f1d26e40c642f0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:88761941e468d474d6d057cf9e0c8aa5379ab535615e53a142da9f094e583332` | +| `latest-dev` | December 6th | `sha256:2eb1f626a1d327457a072647533c176a0a2bdd3f1a4451af94a3cacb326161d1` | diff --git a/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/provenance_info.md index 3ce33cf331..387a35830c 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus-statsd-exporter Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus-statsd-exporter** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus-statsd-exporter | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-statsd-exporter | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-statsd-exporter image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus-statsd-exporter image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus-statsd-exporter + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus-statsd-exporter ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/tags_history.md index 2e5c022459..23ac5dcbb2 100644 --- a/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus-statsd-exporter/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus-statsd-exporter Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:b982a191ea823686e454452f65ab8a4be2c5923c51baa17203b25e4076bc9379` | -| `latest` | October 30th | `sha256:9b326b6405586397ad93e1af8b2b90bf349bd8241a1a94058eabe93259da165a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:a4b244dd449d13efb39851d188a8e3b8a816912b2586f79c63a354afd04ab221` | +| `latest` | December 6th | `sha256:24f7037bde0d991bc269606772590a5764ec570f66925943a938711325228aac` | diff --git a/content/chainguard/chainguard-images/reference/prometheus/provenance_info.md b/content/chainguard/chainguard-images/reference/prometheus/provenance_info.md index a99b49d061..f8905c1f00 100644 --- a/content/chainguard/chainguard-images/reference/prometheus/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/prometheus/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for prometheus Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **prometheus** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/prometheus | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the prometh | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the prometheus image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/prometheus + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/prometheus ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/prometheus/tags_history.md b/content/chainguard/chainguard-images/reference/prometheus/tags_history.md index 557739578d..9e66adb1ee 100644 --- a/content/chainguard/chainguard-images/reference/prometheus/tags_history.md +++ b/content/chainguard/chainguard-images/reference/prometheus/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the prometheus Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:41ac8f1c101d6d253a4674bf2e83683908e0cea28fe3c490f0463ba8dc9645ca` | -| `latest` | November 29th | `sha256:3e7e7500dbd2f957f7ae0ad5c05edd00d29de2bfd480f8370f2001526a30f4ec` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:0c1680240fba2b21edaee03c0887ce14ee1cd6845cbe4562144c0cf10fed27f8` | +| `latest` | December 6th | `sha256:2d2786274d6378c1f31402e33fda68753af29d77338002d2a1bd77b0cefbab27` | diff --git a/content/chainguard/chainguard-images/reference/promtail/provenance_info.md b/content/chainguard/chainguard-images/reference/promtail/provenance_info.md index fa73660a7d..31e05af542 100644 --- a/content/chainguard/chainguard-images/reference/promtail/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/promtail/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for promtail Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **promtail** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/promtail | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/promtail | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the promtai | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the promtail image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the promtail image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/promtail + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/promtail ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/promtail/tags_history.md b/content/chainguard/chainguard-images/reference/promtail/tags_history.md index 3f4054ebd2..9775687872 100644 --- a/content/chainguard/chainguard-images/reference/promtail/tags_history.md +++ b/content/chainguard/chainguard-images/reference/promtail/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the promtail Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:75aa06adf2f92aedca8233ffd7915a2e76003c50ad22ccffd6af893ffd3054a3` | -| `latest` | November 29th | `sha256:050d6a7dc7f76e2679dc0295ad763b26af7042b9ed4ca88aecf1a9a712495103` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:4e8005ab6023717e455c2e24f41fb3192330b535aaa8a1a1f6614ff0d5b94993` | +| `latest` | December 6th | `sha256:57baf1ef91c25b09912373ff4029539aea6c3c4167a50831ec7a29ffb7914687` | diff --git a/content/chainguard/chainguard-images/reference/proxysql/provenance_info.md b/content/chainguard/chainguard-images/reference/proxysql/provenance_info.md index df01ff5bc6..28917de5fa 100644 --- a/content/chainguard/chainguard-images/reference/proxysql/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/proxysql/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for proxysql Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **proxysql** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/proxysql | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/proxysql | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the proxysq | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the proxysql image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the proxysql image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/proxysql + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/proxysql ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/proxysql/tags_history.md b/content/chainguard/chainguard-images/reference/proxysql/tags_history.md index 3cb9593638..2fc453b8e4 100644 --- a/content/chainguard/chainguard-images/reference/proxysql/tags_history.md +++ b/content/chainguard/chainguard-images/reference/proxysql/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the proxysql Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:6173b7a90554e9f5a8b16c365af4c441bcee6f09d0925e83cbb4f2041ed68c5b` | -| `latest-dev` | November 29th | `sha256:2e22f9201e24120bdd10e3e94ca71386e5314f293cb20341a16513a29496ebb5` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:09da9a7bcc1fa1b2f8aefbe3013a8479d3ef40da361dd60b6354a9a47617ec77` | +| `latest` | December 6th | `sha256:f5d63561014ccb0ecd3146a15cd60e1c1480739a5f8be9b2831ed6b57933078f` | diff --git a/content/chainguard/chainguard-images/reference/pulumi/provenance_info.md b/content/chainguard/chainguard-images/reference/pulumi/provenance_info.md index 840833c2fb..81daa3232c 100644 --- a/content/chainguard/chainguard-images/reference/pulumi/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/pulumi/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for pulumi Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **pulumi** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/pulumi | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/pulumi | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the pulumi | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the pulumi image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the pulumi image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/pulumi + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/pulumi ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/pulumi/tags_history.md b/content/chainguard/chainguard-images/reference/pulumi/tags_history.md index 885b6cfba2..3d9d27dc34 100644 --- a/content/chainguard/chainguard-images/reference/pulumi/tags_history.md +++ b/content/chainguard/chainguard-images/reference/pulumi/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the pulumi Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:cde45aa46c07cb866466d8bc2a111c5d84a6830bd308778eca492e905002340d` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 3rd | `sha256:0a05e7bc9c573146435bfc90df77249d0a3f92d5da5593bd002dff2d10d0cc45` | diff --git a/content/chainguard/chainguard-images/reference/python/provenance_info.md b/content/chainguard/chainguard-images/reference/python/provenance_info.md index 0057c9b8c3..9e289d6ae2 100644 --- a/content/chainguard/chainguard-images/reference/python/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/python/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for python Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **python** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/python | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/python | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the python | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the python image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the python image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/python + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/python ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/python/tags_history.md b/content/chainguard/chainguard-images/reference/python/tags_history.md index 306dace613..3583309b2f 100644 --- a/content/chainguard/chainguard-images/reference/python/tags_history.md +++ b/content/chainguard/chainguard-images/reference/python/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the python Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:55ac640848d4f398e8582bf0242248c5512c6def0761bcd11a06565eed912da8` | -| `latest` | November 29th | `sha256:ded184cec247b6d6e4dcd202442cee861691c0943f3df47eb92a3ef9fe98875e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:c912dec1d872e7775462828d0bf66f741ad05f6db320111dbd8757d571d8bc13` | +| `latest` | December 6th | `sha256:a126caf48a08ecb206d347d7097302508d883c616198e6823fd54d5faae68bda` | diff --git a/content/chainguard/chainguard-images/reference/qdrant/provenance_info.md b/content/chainguard/chainguard-images/reference/qdrant/provenance_info.md index be0cdf6b0d..55b315d8f9 100644 --- a/content/chainguard/chainguard-images/reference/qdrant/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/qdrant/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for qdrant Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **qdrant** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/qdrant | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/qdrant | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the qdrant | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the qdrant image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the qdrant image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/qdrant + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/qdrant ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/qdrant/tags_history.md b/content/chainguard/chainguard-images/reference/qdrant/tags_history.md index df5ff6efa3..caec522e3b 100644 --- a/content/chainguard/chainguard-images/reference/qdrant/tags_history.md +++ b/content/chainguard/chainguard-images/reference/qdrant/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the qdrant Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:216443b7db543ec697a40f85089a3f5fc20c1a0c3dda16b3b81bd133c3915a20` | -| `latest-dev` | November 29th | `sha256:359dbf01df367718e4278372f147c1db31f13181cbcd605f99772984da71c2f5` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:cf8556fd78a6691107ff41a8a63517fa7e18e2b5a1c16d67a66a928bbdabd54a` | +| `latest-dev` | December 6th | `sha256:62fddcdfc9cc96521754f66cdb6d9b52c04169cf6bce70aafcfcc98dbc7928ea` | diff --git a/content/chainguard/chainguard-images/reference/r-base/provenance_info.md b/content/chainguard/chainguard-images/reference/r-base/provenance_info.md index 0a4b6c203e..a96266078e 100644 --- a/content/chainguard/chainguard-images/reference/r-base/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/r-base/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for r-base Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **r-base** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/r-base | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/r-base | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the r-base | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the r-base image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the r-base image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/r-base + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/r-base ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/r-base/tags_history.md b/content/chainguard/chainguard-images/reference/r-base/tags_history.md index f5fd4d120c..a6de1db094 100644 --- a/content/chainguard/chainguard-images/reference/r-base/tags_history.md +++ b/content/chainguard/chainguard-images/reference/r-base/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the r-base Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:bb01b0c58f641f3be1cbf05d85786ea97259d19a46bd264fef6b0faffe781617` | -| `latest` | November 29th | `sha256:bb728775173815ba18aaa8dfc9a7fefafb706c19bcea33ac749885a25f7b96d0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:698a195c34d0232a3a87ca4a04fe269689a9ada07e98fbdbf85858e24a1478a1` | +| `latest` | December 6th | `sha256:d3dfeb5effc71b444351b2f783d06128351c19f2d1ae4c9ed4cf674914744d09` | diff --git a/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/provenance_info.md index e24dd3b98b..219e467b23 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for rabbitmq-cluster-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **rabbitmq-cluster-operator** Chainguard Images are signed using Sigstore, a The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/rabbitmq-cluster-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rabbitmq-cluster-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the rabbitm | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq-cluster-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq-cluster-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/rabbitmq-cluster-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rabbitmq-cluster-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/tags_history.md b/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/tags_history.md index dfa5c0aa11..76e838b446 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq-cluster-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the rabbitmq-cluster-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:b657974f51a7667433361fcf772a16fae662a0de55dcfbcbd29132ed5227fba3` | -| `latest` | November 29th | `sha256:bd4facd1b84aad299cadb1e01e6fbf44ec7bb865c224b28e15edbb91f6aa31ac` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:eef7a43fb9e736488bf9779c97ac3cc63595ec3b7760c456145695c0f533c3fa` | +| `latest` | December 6th | `sha256:addd073f3b2e55be23cb8b1314bf20f67b3dc90009bce4a1e78eb2b3611f72ec` | diff --git a/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/provenance_info.md index 214e5d6a08..4bded67b05 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for rabbitmq-messaging-topology-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **rabbitmq-messaging-topology-operator** Chainguard Images are signed using The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/rabbitmq-messaging-topology-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rabbitmq-messaging-topology-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the rabbitm | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq-messaging-topology-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq-messaging-topology-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/rabbitmq-messaging-topology-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rabbitmq-messaging-topology-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/tags_history.md b/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/tags_history.md index 1c058e9c4a..6cd4832b42 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq-messaging-topology-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the rabbitmq-messaging-topology-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:10d38326dde2d77992db2db987a7969d092d231314301619815cb9d113fb72e6` | -| `latest-dev` | November 29th | `sha256:6c96c38e9c749f0c29ed96c179d16ceca4d84bea4542995da8fa89adaf08e863` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:0dc4e84f17c2ba1a8620935b6fedb5d317fb298ef0fada2284ad25328e2d6f89` | +| `latest` | December 6th | `sha256:9edc7e60a2b84b3baa1d9e6a0d38dcb8f146d5d1195be30ab5cbbda309098621` | diff --git a/content/chainguard/chainguard-images/reference/rabbitmq/provenance_info.md b/content/chainguard/chainguard-images/reference/rabbitmq/provenance_info.md index 165aa8720a..bd0130d413 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for rabbitmq Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **rabbitmq** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/rabbitmq | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rabbitmq | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the rabbitm | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rabbitmq image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/rabbitmq + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rabbitmq ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/rabbitmq/tags_history.md b/content/chainguard/chainguard-images/reference/rabbitmq/tags_history.md index 9676c6b8ee..8ccbc2fe31 100644 --- a/content/chainguard/chainguard-images/reference/rabbitmq/tags_history.md +++ b/content/chainguard/chainguard-images/reference/rabbitmq/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the rabbitmq Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:088aa5edc6a30d0a6c5f1779ca56175a8f030c9d34993cdfcb03129a291e422d` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:869101cdb5eec91a04a5865d05c2158470678c5f105cce9d93164bb7a06b1d3f` | diff --git a/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/provenance_info.md index 5d481f0019..07c8bc3ac3 100644 --- a/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for redis-cluster-bitnami Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **redis-cluster-bitnami** Chainguard Images are signed using Sigstore, and y The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/redis-cluster-bitnami | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis-cluster-bitnami | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the redis-c | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-cluster-bitnami image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-cluster-bitnami image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/redis-cluster-bitnami + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis-cluster-bitnami ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/tags_history.md b/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/tags_history.md index 9a3dc5914a..4c8dadb020 100644 --- a/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/tags_history.md +++ b/content/chainguard/chainguard-images/reference/redis-cluster-bitnami/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the redis-cluster-bitnami Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:b74ae9684f127c1f97735afbf45e5481a5be28f44db11918cb328548a371e993` | -| `latest-dev` | November 29th | `sha256:d059f7969569ad7874a13d5128493b094ef2b897815fd72442c6293cad49c93f` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:b64bc6900009bb7b17a136bc377f5b901f771e278a901f3c5b704282e83a769e` | +| `latest-dev` | December 6th | `sha256:390a57100279c0d9c9e06c16cc72d94382e1c86f3f5af119d936752e4623dc48` | diff --git a/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/provenance_info.md index d66c439c3a..8af7f7818d 100644 --- a/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for redis-sentinel-bitnami Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **redis-sentinel-bitnami** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/redis-sentinel-bitnami | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis-sentinel-bitnami | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the redis-s | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-sentinel-bitnami image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-sentinel-bitnami image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/redis-sentinel-bitnami + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis-sentinel-bitnami ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/tags_history.md b/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/tags_history.md index 9652120e8c..3c3931e995 100644 --- a/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/tags_history.md +++ b/content/chainguard/chainguard-images/reference/redis-sentinel-bitnami/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the redis-sentinel-bitnami Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:65ffc9540c9b762c7b95c01cf26e48b2f2b70e3abd396559e43b7f43a9214cc7` | -| `latest` | November 29th | `sha256:4a61df86a7d8e19b07937f2e89a849efd9143c536aa3fca0af730c7126694aeb` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:b16df5572898b59f5db479a5da654fd5e003813df12b2087c02d5917ca043357` | +| `latest-dev` | December 6th | `sha256:e47ac0c72e0a7d047bcc88bdae34a68ed0cb918677c7b2e94062f04a79eb7129` | diff --git a/content/chainguard/chainguard-images/reference/redis-sentinel/provenance_info.md b/content/chainguard/chainguard-images/reference/redis-sentinel/provenance_info.md index 2a2467fce2..f45d8f5035 100644 --- a/content/chainguard/chainguard-images/reference/redis-sentinel/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis-sentinel/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for redis-sentinel Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **redis-sentinel** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/redis-sentinel | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis-sentinel | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the redis-s | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-sentinel image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-sentinel image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/redis-sentinel + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis-sentinel ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/redis-sentinel/tags_history.md b/content/chainguard/chainguard-images/reference/redis-sentinel/tags_history.md index f8f4b4da0f..771e248998 100644 --- a/content/chainguard/chainguard-images/reference/redis-sentinel/tags_history.md +++ b/content/chainguard/chainguard-images/reference/redis-sentinel/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the redis-sentinel Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------------------|---------------|---------------------------------------------------------------------------| -| `six-dot-two-compat` | November 29th | `sha256:e700a5561e614559c30f93a66f3ff9d60210741e6b02dc90350aa8c623ead917` | +| Tag (s) | Last Changed | Digest | +|-----------------------|--------------|---------------------------------------------------------------------------| +| `six-dot-two-compat` | December 6th | `sha256:8f579034577988a653453cb06bcd2223c2097f2fa575389f41546448e482a887` | diff --git a/content/chainguard/chainguard-images/reference/redis-server-bitnami/provenance_info.md b/content/chainguard/chainguard-images/reference/redis-server-bitnami/provenance_info.md index f56b78edb1..ca76c6c60b 100644 --- a/content/chainguard/chainguard-images/reference/redis-server-bitnami/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis-server-bitnami/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for redis-server-bitnami Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **redis-server-bitnami** Chainguard Images are signed using Sigstore, and yo The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/redis-server-bitnami | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis-server-bitnami | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the redis-s | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-server-bitnami image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis-server-bitnami image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/redis-server-bitnami + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis-server-bitnami ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/redis-server-bitnami/tags_history.md b/content/chainguard/chainguard-images/reference/redis-server-bitnami/tags_history.md index 38f8c7d2a7..7111e4c467 100644 --- a/content/chainguard/chainguard-images/reference/redis-server-bitnami/tags_history.md +++ b/content/chainguard/chainguard-images/reference/redis-server-bitnami/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the redis-server-bitnami Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:9fbb6fa07e1f58509792ed5b4c00a11f33e249ca8026ed6f6cb28bc8dd9acb16` | -| `latest-dev` | November 29th | `sha256:98581fd3785f6105bb69167e54f1abcd1a192c74fbec8067c89fb8705fe28ee0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:2ef3866ff22ea5587c7c5e91971419c514b3578d65d8460e3286492abc2a9857` | +| `latest` | December 6th | `sha256:437dbc2cec2f69338dbd2d0d46610e05ba955596524ff89ee881a4baa7010bd5` | diff --git a/content/chainguard/chainguard-images/reference/redis/provenance_info.md b/content/chainguard/chainguard-images/reference/redis/provenance_info.md index fc2be42b8b..0f8d946de8 100644 --- a/content/chainguard/chainguard-images/reference/redis/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/redis/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for redis Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **redis** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/redis | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the redis i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the redis image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/redis + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/redis ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/redis/tags_history.md b/content/chainguard/chainguard-images/reference/redis/tags_history.md index f13604b818..0f662e2dea 100644 --- a/content/chainguard/chainguard-images/reference/redis/tags_history.md +++ b/content/chainguard/chainguard-images/reference/redis/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the redis Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:559e3fc2c1a403d3434cb45f8001368cc08ea767c94ec936f5fd50655ea9e07f` | -| `latest` | November 29th | `sha256:5e036c79c5c64508501a43a9f0915d0dacb4b7018655f89359e3d426bcf64613` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:072fdee367b1dfe2d90e9aa07bcf84bc67e0a2473488b5e3973ad2f2ba825499` | +| `latest-dev` | December 6th | `sha256:2d94600a1d9753835c098e66b2692fb603a0a8c783d6a5aeda659fe8f75b018b` | diff --git a/content/chainguard/chainguard-images/reference/rekor-backfill-redis/provenance_info.md b/content/chainguard/chainguard-images/reference/rekor-backfill-redis/provenance_info.md index f9a0b9e948..be699a7793 100644 --- a/content/chainguard/chainguard-images/reference/rekor-backfill-redis/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rekor-backfill-redis/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for rekor-backfill-redis Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **rekor-backfill-redis** Chainguard Images are signed using Sigstore, and yo The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/rekor-backfill-redis | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rekor-backfill-redis | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the rekor-b | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-backfill-redis image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-backfill-redis image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/rekor-backfill-redis + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rekor-backfill-redis ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/rekor-backfill-redis/tags_history.md b/content/chainguard/chainguard-images/reference/rekor-backfill-redis/tags_history.md index a2042c257c..a2179d2e5f 100644 --- a/content/chainguard/chainguard-images/reference/rekor-backfill-redis/tags_history.md +++ b/content/chainguard/chainguard-images/reference/rekor-backfill-redis/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the rekor-backfill-redis Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e6ff58468a300e32484b7b308f14d5cb3be7c9a2ef577b3d4cbad2b4552877a3` | -| `latest-dev` | November 29th | `sha256:c6a16ae9c9e7aafd459d814d7fe4cc6485115610d6428288710ff8ee3e87c28a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:a4ed5f3ae3b5ac7d550e4b8f3fb382209b7b7917fdf5f77e7a5d6d7430e2518d` | +| `latest-dev` | December 6th | `sha256:1ee4c7ddb62bee4a0e2c5862e7918b2e014fbd5d44e3e2a4b4f03b5136448a2a` | diff --git a/content/chainguard/chainguard-images/reference/rekor-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/rekor-cli/provenance_info.md index 3c9fa7a148..fe821b92ae 100644 --- a/content/chainguard/chainguard-images/reference/rekor-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rekor-cli/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for rekor-cli Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **rekor-cli** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/rekor-cli | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rekor-cli | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the rekor-c | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-cli image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-cli image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/rekor-cli + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rekor-cli ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/rekor-cli/tags_history.md b/content/chainguard/chainguard-images/reference/rekor-cli/tags_history.md index 91dd0954e0..9e8f4d2357 100644 --- a/content/chainguard/chainguard-images/reference/rekor-cli/tags_history.md +++ b/content/chainguard/chainguard-images/reference/rekor-cli/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the rekor-cli Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:42ad3a630269df8471ace05a679f02774f104f25087cb763e7e774e80aabc5af` | -| `latest-dev` | November 29th | `sha256:ba13e72db069f47f655f9ed915a58e71bc56afdc4587a8fa3973d3a180b0ae20` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:9f5f45fd821df763a3b05c183b15225bd91acf5cfdf2c8af14c9fd8c9f0c3d65` | +| `latest-dev` | December 6th | `sha256:16a2ee2f15cfd5ffff7b2e7d41a09672427f6847bc79cf4ac3e4bdae19a02863` | diff --git a/content/chainguard/chainguard-images/reference/rekor-server/provenance_info.md b/content/chainguard/chainguard-images/reference/rekor-server/provenance_info.md index 6a305ce187..b14fe8a8db 100644 --- a/content/chainguard/chainguard-images/reference/rekor-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rekor-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for rekor-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **rekor-server** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/rekor-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rekor-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the rekor-s | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rekor-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/rekor-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rekor-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/rekor-server/tags_history.md b/content/chainguard/chainguard-images/reference/rekor-server/tags_history.md index 942a8eb3da..20d70dd09b 100644 --- a/content/chainguard/chainguard-images/reference/rekor-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/rekor-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the rekor-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:93554e3eb3b3268264a0db136a61e272aeb1a179e056083a4ac82657c22d7a35` | -| `latest-dev` | November 29th | `sha256:0a69c722973fc27a45368d968e28180bb1c62766f97629cbe96a68e6822dcabe` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:aeca0a37b68470e273270ecf61707952fa976ead4ddd51cd1adb6861fb83e77d` | +| `latest-dev` | December 6th | `sha256:d3338551bbdf65ddf027f76a05749eadb4fb3ea44105ab2828a0e59f60571c54` | diff --git a/content/chainguard/chainguard-images/reference/rqlite/provenance_info.md b/content/chainguard/chainguard-images/reference/rqlite/provenance_info.md index 6db05d2657..2b90ce63db 100644 --- a/content/chainguard/chainguard-images/reference/rqlite/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rqlite/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for rqlite Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **rqlite** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/rqlite | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rqlite | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the rqlite | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rqlite image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rqlite image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/rqlite + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rqlite ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/rqlite/tags_history.md b/content/chainguard/chainguard-images/reference/rqlite/tags_history.md index 8276068eb3..57ec9be865 100644 --- a/content/chainguard/chainguard-images/reference/rqlite/tags_history.md +++ b/content/chainguard/chainguard-images/reference/rqlite/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the rqlite Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:0ea9a04876303fbbe312532799862812c4cf07b0e98b645737b6e19b6760cebf` | -| `latest` | November 29th | `sha256:c7fba6f24ba0b5d4a4b081e089ff5c8d69f0f2dd3a8ec5881296966636520fb5` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:9306c6452d7ef7a69ae6af85281eb15a845112998ac1302aa353d3746debfc85` | +| `latest-dev` | December 6th | `sha256:03f8332e835d68caadb53b8a6aa2f354d2d36e71135bcc0c11ef7c909580d01b` | diff --git a/content/chainguard/chainguard-images/reference/ruby/provenance_info.md b/content/chainguard/chainguard-images/reference/ruby/provenance_info.md index 4d059c2c53..ce2842c474 100644 --- a/content/chainguard/chainguard-images/reference/ruby/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/ruby/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for ruby Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **ruby** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/ruby | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ruby | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the ruby im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ruby image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the ruby image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/ruby + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/ruby ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/ruby/tags_history.md b/content/chainguard/chainguard-images/reference/ruby/tags_history.md index 0d4441721f..57f48f6865 100644 --- a/content/chainguard/chainguard-images/reference/ruby/tags_history.md +++ b/content/chainguard/chainguard-images/reference/ruby/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the ruby Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:ba8f837a3058ada68e5a8c20cdeb15a2aaed82e0b6127d194ca4e236f8c148dd` | -| `latest` | November 29th | `sha256:b27e8fba6067b02514889998c829472eca888a1ee22124055ee9ed474e72a76c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:9a68938464ac482909e9d905f43aefdc61be6ecbe9f9dd585e86edb622892cbd` | +| `latest` | December 6th | `sha256:51a0fea1884e97fef8ce93285b3f696836046c145adf7e842444da2cfbb6ae1d` | diff --git a/content/chainguard/chainguard-images/reference/rust/provenance_info.md b/content/chainguard/chainguard-images/reference/rust/provenance_info.md index 2014c6bb85..973877e7c7 100644 --- a/content/chainguard/chainguard-images/reference/rust/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/rust/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for rust Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **rust** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/rust | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rust | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the rust im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rust image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the rust image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/rust + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/rust ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/rust/tags_history.md b/content/chainguard/chainguard-images/reference/rust/tags_history.md index a8143700cf..2a1b19e2e4 100644 --- a/content/chainguard/chainguard-images/reference/rust/tags_history.md +++ b/content/chainguard/chainguard-images/reference/rust/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the rust Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:69c694713724c7bee593373ff5169645d799de05a7cfe7ba727cc394f5f6049c` | -| `latest` | November 29th | `sha256:846d4ecf7556c1b64b218a4b3b3b8b03ac25fa9387b23663fa0126e47dfef691` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:5f7cdf557d45b24ca85caaa67d634824d8cf939cee7755bf71120ef65102eac1` | +| `latest-dev` | December 6th | `sha256:a63c35ac728faacfd788f5d2c99c4cd15f95ba93752781ee9c2e80c708bcec10` | diff --git a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/provenance_info.md b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/provenance_info.md index bcd52a9db5..f4d08c6582 100644 --- a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for secrets-store-csi-driver-provider-gcp Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **secrets-store-csi-driver-provider-gcp** Chainguard Images are signed using The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the secrets | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the secrets-store-csi-driver-provider-gcp image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the secrets-store-csi-driver-provider-gcp image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/secrets-store-csi-driver-provider-gcp ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/tags_history.md b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/tags_history.md index 4aa6ba06d2..2318d63903 100644 --- a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/tags_history.md +++ b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver-provider-gcp/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the secrets-store-csi-driver-provider-gcp Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:98066293938e7acc95b6589f6951bf86a9f1b3deb142d1c4afadd3cf222df877` | -| `latest-dev` | November 29th | `sha256:e779f50fac566273860d2685f17fbbdb20e3b46a5198a54d0366e94cb7d6b973` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:6564e07292d38440f4ee5870e28749c9a0ff928643bf8a31c0117bc1278b63e6` | +| `latest` | December 6th | `sha256:101f95db4e52432d4456b461c319e39d229167a2e68c9ad539bda433565d0d2a` | diff --git a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/provenance_info.md b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/provenance_info.md index 7ae97faf97..93183545e8 100644 --- a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for secrets-store-csi-driver Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **secrets-store-csi-driver** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/secrets-store-csi-driver | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/secrets-store-csi-driver | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the secrets | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the secrets-store-csi-driver image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the secrets-store-csi-driver image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/secrets-store-csi-driver + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/secrets-store-csi-driver ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/tags_history.md b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/tags_history.md index 5ccf2d00e4..f9db3d04cb 100644 --- a/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/tags_history.md +++ b/content/chainguard/chainguard-images/reference/secrets-store-csi-driver/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the secrets-store-csi-driver Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:5d99765245125f75843b6c2f6317093fe42e193204062a9b5146371efec9d7f0` | -| `latest-dev` | November 29th | `sha256:ae55ced9b386b47287ea4f4845695b3cb309041bda912089bfb5b64588a41820` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:c0b5a1cd5ca821af500b588c91046d09155aaa8e3281e60e2f5f48f7bca8b910` | +| `latest` | December 6th | `sha256:46d01b6bce63333fe5c53603f14949609c350f54267f1ab7091238784c489568` | diff --git a/content/chainguard/chainguard-images/reference/semgrep/provenance_info.md b/content/chainguard/chainguard-images/reference/semgrep/provenance_info.md index ff5b32fdde..7b8d4eef4a 100644 --- a/content/chainguard/chainguard-images/reference/semgrep/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/semgrep/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for semgrep Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **semgrep** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/semgrep | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/semgrep | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the semgrep | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the semgrep image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the semgrep image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/semgrep + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/semgrep ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/semgrep/tags_history.md b/content/chainguard/chainguard-images/reference/semgrep/tags_history.md index c5d27870e1..9920157363 100644 --- a/content/chainguard/chainguard-images/reference/semgrep/tags_history.md +++ b/content/chainguard/chainguard-images/reference/semgrep/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the semgrep Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:844239c08f5516f00bd731ba18b81419887fff47a0ebe17b108d30afd1ffc2a8` | -| `latest-dev` | November 29th | `sha256:c45d2abe80832df8983f0c32f7a394ca398857b8cff21f8a975feb800c16bf3f` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:4f8699e03ba9215de6e4fcbf59d7bc3d09ff74993ab1c44f03919e699b47b447` | +| `latest-dev` | December 6th | `sha256:793b116973936d6f33f3a0a64e377cf86d1cb2b0be2b973b6ae1edda447612ce` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-policy-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-policy-controller/provenance_info.md index 84f7c58d5e..e5271da74a 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-policy-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-policy-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-policy-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-policy-controller** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-policy-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-policy-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-policy-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-policy-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-policy-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-policy-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-policy-controller/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-policy-controller/tags_history.md index 5c232977d9..5cf9de3458 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-policy-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-policy-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-policy-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:233246f4cf3ad0d4d5a35d4d37198321a62cdef8539d2dcceb4b2de664d89e5c` | -| `latest` | November 29th | `sha256:ab606630348a0fbf0c335f2f875d9e9f9165841ee03a9fc664d8f8d03d825a65` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:6f3de23e9f5e0688e6470a2bcf407bdb46aeecc3ee387096d08dcac673e25831` | +| `latest-dev` | December 6th | `sha256:eae86767214125924a96af839171624d81777d09e3f11dc2152a26aa455bd9e3` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/provenance_info.md index c9451076eb..de7676a1c9 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-cloudsqlproxy Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-cloudsqlproxy** Chainguard Images are signed using Si The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-cloudsqlproxy image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-cloudsqlproxy image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-cloudsqlproxy ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/tags_history.md index cf3c1a249e..cd7f022c5f 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-cloudsqlproxy/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-cloudsqlproxy Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:b1ac990d49170bf4624882290afb3ef85016cf9de9208ba271962650a5617799` | -| `latest-dev` | November 29th | `sha256:6e82411d722f6e1d6bbf50acc0bc7d6fcf4d47cea9b0c9c6484a9999f45e18f9` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:d9c68690b4cd73627f4add15c6d59580f373f6c0b78bc6e51b6f9a5aecbb0cd9` | +| `latest-dev` | December 6th | `sha256:ef1e1929955e38d7ab0a32a2afd0e9d8d8d9f1d87098b01732bac90ac99c104e` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/provenance_info.md index 7ab8f6d2d0..ced0bbdef5 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-ctlog-createctconfig Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-ctlog-createctconfig** Chainguard Images are signed u The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-createctconfig image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-createctconfig image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-ctlog-createctconfig ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/tags_history.md index ec6cc06094..41e4e2509f 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-createctconfig/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-ctlog-createctconfig Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:5047bebe4697ffaa42e960e3be662bddadfc99a7510920bc89ed934b90ccca76` | -| `latest-dev` | November 29th | `sha256:4c7fe76a032bae85218944db8289331d4d82f53f8fa83f1b8f990049908a6ac7` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:fde94b84cc383feffb750ff3b6424e276a8f8c4f7da421be024059318248d0f1` | +| `latest-dev` | December 6th | `sha256:3155f8c659fca646f74dea703739ff7b7f3caaa78a9f9db4832a7c7876508c95` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/provenance_info.md index 8e45fdd788..51b5f9a452 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-ctlog-managectroots Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-ctlog-managectroots** Chainguard Images are signed us The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-managectroots image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-managectroots image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-ctlog-managectroots ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/tags_history.md index 395377f2e1..abb85ac669 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-managectroots/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-ctlog-managectroots Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3bc7fa5b891bc6c2ec1115229a7da1c59f6f27c4650175bbdf515a6cf1cb4cf2` | -| `latest-dev` | November 29th | `sha256:2fda3fb952041427b6b2e0e98eb2244b95bc3bbaf4d2021a085bfd18ed90fea4` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:8ebc61b9ac181cab6e86e5829e49007fdb79d2b5da6d5b0f13dfff6acb5a77db` | +| `latest-dev` | December 6th | `sha256:6fe52a2eb18a79b890c79695818db25758aee85f44c0e1aa716a5521dcc32e54` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md index 3a51cd097a..971080d1b9 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-ctlog-verifyfulcio Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-ctlog-verifyfulcio** Chainguard Images are signed usi The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-verifyfulcio image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-ctlog-verifyfulcio image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-ctlog-verifyfulcio ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/tags_history.md index ff5106187c..78bbcb2f8b 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-ctlog-verifyfulcio/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-ctlog-verifyfulcio Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:376b25b0ea6521d765b005466fd0f4d578c22b9d7378acab0603c3201be92714` | -| `latest` | November 29th | `sha256:c8ccc2fea89c73769acd6f9fc5830f786d96efd90e1983e068501aff495768d1` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:0acf33f9926da3e87a373036a1d7853d9351cc22e5d0419f463b7156652d78f2` | +| `latest-dev` | December 6th | `sha256:17942ae199542ac7f60dd8875089c3cfbdc10228f85f389a4237533c3b5cb743` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/provenance_info.md index 71c01bf5f5..253a83235d 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-fulcio-createcerts Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-fulcio-createcerts** Chainguard Images are signed usi The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-fulcio-createcerts image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-fulcio-createcerts image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-fulcio-createcerts ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/tags_history.md index fb30eecf40..c9aaa1d2b5 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-fulcio-createcerts/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-fulcio-createcerts Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:f9c38ad4649268e47635672d39c9a86152468439501e8619854489135bf7fc43` | -| `latest` | November 29th | `sha256:d651d60a9ff87c964361bd3acf627ee2446c34131f07c6252bf70ce5ec47fdf3` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:250de93aa597d118aa60b009841aa3faa8cab82a96952893172eaee41ba1fafa` | +| `latest-dev` | December 6th | `sha256:6a3316ee41edd5e48f5bd9ebe21ad2fbe0a126a0435273fa38e1a08ba5d811bc` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/provenance_info.md index ab0825291e..d554a11eda 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-getoidctoken Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-getoidctoken** Chainguard Images are signed using Sig The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-getoidctoken | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-getoidctoken | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-getoidctoken image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-getoidctoken image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-getoidctoken + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-getoidctoken ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/tags_history.md index 23ffc4df5f..376a53189a 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-getoidctoken/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-getoidctoken Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ed6ae3d04af7bc53347b7b32ab0dbe86d19fc70d60d79868605829a68746db09` | -| `latest-dev` | November 29th | `sha256:a6fa15ed725064663dda683b7d01e3611e8c6a800ee5b3309d51ec49c521b7bc` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:4db657de90b38844dc335e6d1393690cea00dd80a711545a9df406efce92d267` | +| `latest` | December 6th | `sha256:5118873151eaa027969ca6ee5b6efb3a35e73513ef7f164e2b36eb15c94d37c6` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/provenance_info.md index a5b446a8fd..539d696c21 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-rekor-createsecret Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-rekor-createsecret** Chainguard Images are signed usi The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-rekor-createsecret image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-rekor-createsecret image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-rekor-createsecret ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/tags_history.md index ef4e6fa238..bf591349f3 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-rekor-createsecret/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-rekor-createsecret Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:dd60104f6a37fd815c1791b6f52ffc2d8ccaee19f4ef7e3ab8eeeaf48844ffaa` | -| `latest` | November 29th | `sha256:c9faaf8ca5c2740cca5c9cb434495b3b5130604c941d1050145538ec5b017e8f` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:570aa0e1ebebc7a19d30d1a1a7dafdcd906906363b67677e50694dc88656bfd5` | +| `latest` | December 6th | `sha256:b09c560b10a13ebc6f33ef051f57cd909422abe5eab482dafd78b42c8e6f5db7` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/provenance_info.md index 681b1ce5ce..053b129d5e 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-trillian-createdb Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-trillian-createdb** Chainguard Images are signed usin The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-createdb image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-createdb image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-trillian-createdb ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/tags_history.md index b5d9b0fe33..39a5104fab 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createdb/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-trillian-createdb Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:9edcaae285dbc933c763eed8272fa7d5c77f0fe309ba77758fe689e1bc124283` | -| `latest-dev` | November 29th | `sha256:738db1528cafd3b1d75f0fc0d5c1bb818f0c4ebc4d42188faa5ffb5a9585e9ac` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:72f1aa795c1a413900675d87759e78e093f1f57bff44a66315a08b45a3ca4cc7` | +| `latest` | December 6th | `sha256:db2e842df699fdfcd668b6b6b2aa1826aea84c667fca9691a9af7993c037a058` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/provenance_info.md index 53f2bc2f65..9f47d7e060 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-trillian-createtree Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-trillian-createtree** Chainguard Images are signed us The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-createtree image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-createtree image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-trillian-createtree ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/tags_history.md index 27b585645b..86e0d3fc07 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-createtree/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-trillian-createtree Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:2c48d2ff87f3ec1ef692dbf0b2ca87cc1fa5fd48457bad9700d19bccb4b70b5d` | -| `latest` | November 29th | `sha256:7fb979e3736d317a10315088047df3211a44184133669560c97283ab1e98edec` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:8519ba0728b84f866fda96dcedb0455042faa44de3e6dd1baf6ca2b6eda6da72` | +| `latest-dev` | December 6th | `sha256:04c113cd90baa62e2ad142f3baf4a4030e96660e26b75eda7425a29a2a887c8d` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/provenance_info.md index 02c9892573..9d0a315583 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-trillian-updatetree Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-trillian-updatetree** Chainguard Images are signed us The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-updatetree image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-trillian-updatetree image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-trillian-updatetree ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/tags_history.md index 5e97dcb0fd..9e0e91d5d1 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-trillian-updatetree/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-trillian-updatetree Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:a0910bb78de199808e03d721a8792d73e38bcc9d3df254898792f282b2211946` | -| `latest` | November 29th | `sha256:906c69b284cccd1067a872d6a323741f89b074367f503af483e3818a6e59ee0d` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:6b4038081691b5a9e518d505bd69df741d71a6de9347b0516c48c55bcdb59bac` | +| `latest-dev` | December 6th | `sha256:e64892a27e6cfffffe863be6acc3bdb66d63890c6813cd77ec7f1d885713d1d7` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/provenance_info.md index 745896f98b..2a83dc6e69 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-tsa-createcertchain Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-tsa-createcertchain** Chainguard Images are signed us The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tsa-createcertchain image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tsa-createcertchain image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/tags_history.md index bcd6671a83..be0920d2d6 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tsa-createcertchain/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-tsa-createcertchain Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:242892f28dcb443352bdc5e2f6e4e2169f6378af587def135be7988cd161ca27` | -| `latest` | November 29th | `sha256:3d225fe0fadc03c77b0c1af92d240397868c5b32c5791ab10aaddff8d036c35e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:d393419aa1d82cc3eb3de4eb6c0acd46ef5b6b076736274686c5e46bdb8606e0` | +| `latest-dev` | December 6th | `sha256:4105f431e334e0623a20014074af25af35e77552713cb5d65533c16e00d9e4a2` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/provenance_info.md index a1ed347c47..20d9525122 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-tuf-createsecret Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-tuf-createsecret** Chainguard Images are signed using The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tuf-createsecret image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tuf-createsecret image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-tuf-createsecret ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/tags_history.md index 4bdd591c24..05a8370319 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-createsecret/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-tuf-createsecret Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:6ca510def18a8eab6d43727ba52ba2a4ad13ee2502a3fc79ca8c2864c8453b9b` | -| `latest-dev` | November 29th | `sha256:ca65ded263fde645af0eac7c152a2c6e9b379558b7f4f653b11feadb34d03b56` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:0791699cd0e41040fb118b5cfc2e234794dcdf9060e38b03f0c0ec8876df23f8` | +| `latest-dev` | December 6th | `sha256:270276023e6d88c450e09b4e39890674a53ff535ab00080b8a81f89677ddc0dd` | diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/provenance_info.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/provenance_info.md index c112793c89..e57ae9f86c 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for sigstore-scaffolding-tuf-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **sigstore-scaffolding-tuf-server** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sigstore-scaffolding-tuf-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-tuf-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the sigstor | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tuf-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tuf-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/sigstore-scaffolding-tuf-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/sigstore-scaffolding-tuf-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/tags_history.md b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/tags_history.md index f74ef820dc..25cb0fcfdf 100644 --- a/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/sigstore-scaffolding-tuf-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the sigstore-scaffolding-tuf-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:d11d03956c2782d3b7bc0dccd5ef35fb71d7ccb5e0c07843c6680b43d2fd3448` | -| `latest` | November 29th | `sha256:be7917202f7b6cb798bebbe1d82b886c139d2adcd3cfd52e9e82a0e728da84aa` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:239195c95135bab936b8074a078263ed5518a1b2728daf1ce02f75b9ee5eb9f8` | +| `latest-dev` | December 6th | `sha256:ada3a3825bc132f45a82d442b205a9b01ab721e4182dbeeb4f245e1f7419a52a` | diff --git a/content/chainguard/chainguard-images/reference/skaffold/provenance_info.md b/content/chainguard/chainguard-images/reference/skaffold/provenance_info.md index 41b44cab4b..310f73ea30 100644 --- a/content/chainguard/chainguard-images/reference/skaffold/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/skaffold/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for skaffold Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **skaffold** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/skaffold | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/skaffold | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the skaffol | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the skaffold image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the skaffold image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/skaffold + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/skaffold ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/skaffold/tags_history.md b/content/chainguard/chainguard-images/reference/skaffold/tags_history.md index 4439a33e44..b9bf6ece73 100644 --- a/content/chainguard/chainguard-images/reference/skaffold/tags_history.md +++ b/content/chainguard/chainguard-images/reference/skaffold/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the skaffold Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:34208c7d6d0857e81eef06ed32d5e2008db42fb85d1913cf7f526e8a95bac1b4` | -| `latest` | November 29th | `sha256:77a6275010a39c2486f83a19ee9af329d6616d7b3953b796f00d2032e40707ff` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:65004b093f0092b1f516f5c410737043bf877006ad3ab7a5398f70d54c7f754e` | +| `latest` | December 6th | `sha256:93733de1160afc5a0cb2311c051a1ac064641d1fc678af33d20c8e5f04e58b7b` | diff --git a/content/chainguard/chainguard-images/reference/slim-toolkit-debug/provenance_info.md b/content/chainguard/chainguard-images/reference/slim-toolkit-debug/provenance_info.md index a9c80ba02b..4dc9c71df5 100644 --- a/content/chainguard/chainguard-images/reference/slim-toolkit-debug/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/slim-toolkit-debug/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for slim-toolkit-debug Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **slim-toolkit-debug** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/slim-toolkit-debug | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/slim-toolkit-debug | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the slim-to | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the slim-toolkit-debug image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the slim-toolkit-debug image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/slim-toolkit-debug + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/slim-toolkit-debug ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/slim-toolkit-debug/tags_history.md b/content/chainguard/chainguard-images/reference/slim-toolkit-debug/tags_history.md index 3f9f7a55f8..e5019d3196 100644 --- a/content/chainguard/chainguard-images/reference/slim-toolkit-debug/tags_history.md +++ b/content/chainguard/chainguard-images/reference/slim-toolkit-debug/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the slim-toolkit-debug Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e84e3b6dd3aec8acb7e30543f1c5a2642d5eaa13ade857422faebc98e6c930fa` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f53658bca420de30a7983af4fceb633ad1b5ea3b926a1ed5af053a5143674c88` | diff --git a/content/chainguard/chainguard-images/reference/smarter-device-manager/provenance_info.md b/content/chainguard/chainguard-images/reference/smarter-device-manager/provenance_info.md index e2160160bf..e09ea724e0 100644 --- a/content/chainguard/chainguard-images/reference/smarter-device-manager/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/smarter-device-manager/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for smarter-device-manager Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **smarter-device-manager** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/smarter-device-manager | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/smarter-device-manager | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the smarter | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the smarter-device-manager image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the smarter-device-manager image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/smarter-device-manager + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/smarter-device-manager ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/smarter-device-manager/tags_history.md b/content/chainguard/chainguard-images/reference/smarter-device-manager/tags_history.md index ed1c2c4e21..48e9c74ccd 100644 --- a/content/chainguard/chainguard-images/reference/smarter-device-manager/tags_history.md +++ b/content/chainguard/chainguard-images/reference/smarter-device-manager/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the smarter-device-manager Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:fbbc5107148d772cc93ee2d8dea3bda3acd6f6b9679dd29e137612babe60f557` | -| `latest` | October 30th | `sha256:c5e085be672060f5ad2d9f14facad29f6862c5c4494a441c5d05c4d9fafc8478` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:2792f1510bd7838dac45420df11ad31af9a110d330009483d122ff424d743ae5` | +| `latest` | December 6th | `sha256:e4fd96f3714aadf0f7c2cda4c39f7663d6a1d51b6c2b01e60eb62774c3c5d7e8` | diff --git a/content/chainguard/chainguard-images/reference/solr/provenance_info.md b/content/chainguard/chainguard-images/reference/solr/provenance_info.md index 2e1ff4de18..20ad073e07 100644 --- a/content/chainguard/chainguard-images/reference/solr/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/solr/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for solr Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **solr** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/solr | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/solr | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the solr im | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the solr image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the solr image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/solr + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/solr ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/solr/tags_history.md b/content/chainguard/chainguard-images/reference/solr/tags_history.md index 05ec7cfaa8..23bbeadf41 100644 --- a/content/chainguard/chainguard-images/reference/solr/tags_history.md +++ b/content/chainguard/chainguard-images/reference/solr/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the solr Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:ace3303693c4c779348ec7adb3df146da8f5afb5ce8e6da1441307d131cf0111` | -| `latest` | November 29th | `sha256:8fef6a74926b305a9de6a2be993cd2406355b83c312010be72db2ad049427333` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:7a5fca067f74dd56ee903034ec1dee5d90d7826721685388afef234fabbb4608` | +| `latest-dev` | December 6th | `sha256:6da2e2d2368e9a2aa7368c8e50159345b55302ac82175293cb73b8b7937edfdb` | diff --git a/content/chainguard/chainguard-images/reference/spark-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/spark-operator/provenance_info.md index 269f6fa5d3..f6559f4757 100644 --- a/content/chainguard/chainguard-images/reference/spark-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/spark-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for spark-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **spark-operator** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/spark-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/spark-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the spark-o | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spark-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spark-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/spark-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/spark-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/spark-operator/tags_history.md b/content/chainguard/chainguard-images/reference/spark-operator/tags_history.md index 888c088b82..f066274485 100644 --- a/content/chainguard/chainguard-images/reference/spark-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/spark-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the spark-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:b0cee3d094328ae380ec6080bf5c22c7fc8fc7e4077bbd3ed74bfd3ee62396ac` | -| `latest` | November 29th | `sha256:eee0155d51ac2ed8a59e7bd0bf020a47a3afe989f9cc2ea4c7c137f916ad0b70` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c21517ceeb0f45cc8bf93fc68edbddd35302311565372cc24ac257a4439e572f` | +| `latest-dev` | December 6th | `sha256:cf6fe33b7ee6a68e245db6a351ddef0b40d1cb3ba3d10718eeb4b6237c0b1542` | diff --git a/content/chainguard/chainguard-images/reference/spire-agent/provenance_info.md b/content/chainguard/chainguard-images/reference/spire-agent/provenance_info.md index 67a8752b81..534e6efba7 100644 --- a/content/chainguard/chainguard-images/reference/spire-agent/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/spire-agent/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for spire-agent Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **spire-agent** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/spire-agent | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/spire-agent | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the spire-a | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-agent image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-agent image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/spire-agent + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/spire-agent ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/spire-agent/tags_history.md b/content/chainguard/chainguard-images/reference/spire-agent/tags_history.md index ff4fbdd957..f5d90d3d74 100644 --- a/content/chainguard/chainguard-images/reference/spire-agent/tags_history.md +++ b/content/chainguard/chainguard-images/reference/spire-agent/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the spire-agent Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:cfce34ea10283c7bbd872b3d96890112f400be29019505a7ab246f06fc3b54d5` | -| `latest-dev` | November 29th | `sha256:d9e28ee8830c81d16fb5e87433b15f194b670fe276a23ef1499953f833ea1c1e` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:98fdd5f6c53a6ab449fec158538167cd45835fc280866bb190777374abf57517` | +| `latest-dev` | December 6th | `sha256:06247f30d29a7d9dd47615ebab2a847a273072896c503cac7b7fcd4c0e28aa6a` | diff --git a/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/provenance_info.md b/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/provenance_info.md index 0357b3ddfb..77346ae24f 100644 --- a/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for spire-oidc-discovery-provider Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **spire-oidc-discovery-provider** Chainguard Images are signed using Sigstor The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/spire-oidc-discovery-provider | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/spire-oidc-discovery-provider | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the spire-o | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-oidc-discovery-provider image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-oidc-discovery-provider image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/spire-oidc-discovery-provider + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/spire-oidc-discovery-provider ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/tags_history.md b/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/tags_history.md index 35c7dd2da5..ed5072993c 100644 --- a/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/tags_history.md +++ b/content/chainguard/chainguard-images/reference/spire-oidc-discovery-provider/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the spire-oidc-discovery-provider Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:063d84595086e404ed6386b5cfad9854e3158a01322de7e2a6b51891799805c1` | -| `latest` | November 29th | `sha256:66b33e635c7f9af0ccec9a9b125664f09d40d1bb40c0b905e5755612b6dd050f` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:9377806d0e20d7809853119bc75790b0752b446792515d3b63e1d16a4a9b494f` | +| `latest-dev` | December 6th | `sha256:f30caf895f8cf75e8e783d4d3503250a9ac3bb27d332fd487deb64415fa0e5d7` | diff --git a/content/chainguard/chainguard-images/reference/spire-server/provenance_info.md b/content/chainguard/chainguard-images/reference/spire-server/provenance_info.md index 98f1abfddd..90986ac16b 100644 --- a/content/chainguard/chainguard-images/reference/spire-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/spire-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for spire-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **spire-server** Chainguard Images are signed using Sigstore, and you can ch The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/spire-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/spire-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the spire-s | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the spire-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/spire-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/spire-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/spire-server/tags_history.md b/content/chainguard/chainguard-images/reference/spire-server/tags_history.md index 66ecbbd907..430b4a0d78 100644 --- a/content/chainguard/chainguard-images/reference/spire-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/spire-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the spire-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:6b5b4ddd151fdf9b48ad138f8f3022c00d4189ff06e76ff2e884d3a8585906f3` | -| `latest-dev` | November 29th | `sha256:0577dd9916c5601a297be61bde6fa5e8ef827180ef94d7d77a16330e5096a017` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:4c6eb2beddecaf41b30a2a5baa021f9f730a72f253d085617acf2f6ecce895a9` | +| `latest` | December 6th | `sha256:922d2c7e65caea2080a4fdd4e2efbc478abc9b44c1e7cf948cb7987439a9abb6` | diff --git a/content/chainguard/chainguard-images/reference/stakater-reloader/provenance_info.md b/content/chainguard/chainguard-images/reference/stakater-reloader/provenance_info.md index 50efc8afd7..1b5912ba40 100644 --- a/content/chainguard/chainguard-images/reference/stakater-reloader/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/stakater-reloader/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for stakater-reloader Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **stakater-reloader** Chainguard Images are signed using Sigstore, and you c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/stakater-reloader | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/stakater-reloader | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the stakate | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the stakater-reloader image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the stakater-reloader image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/stakater-reloader + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/stakater-reloader ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/stakater-reloader/tags_history.md b/content/chainguard/chainguard-images/reference/stakater-reloader/tags_history.md index 052f4f0d9d..b261de9695 100644 --- a/content/chainguard/chainguard-images/reference/stakater-reloader/tags_history.md +++ b/content/chainguard/chainguard-images/reference/stakater-reloader/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the stakater-reloader Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:67ed57b9e9e476cac7646d069fcdda61c673cdce786e187aed27f80531ed38f5` | -| `latest` | November 29th | `sha256:b22b6d71d716baef8b1ac5597c56fa1b14aebacb0d4f4ff9edf4e329f963e412` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:dd12464ff9dedd48410da0d79cac5e4d2f5577fbe2a272f997cf98bba383b99c` | +| `latest` | December 6th | `sha256:04207143f0ab53d3ec1c98ade45ba60ca21cd43e45c69e670363d5c7b6d2a09b` | diff --git a/content/chainguard/chainguard-images/reference/static/provenance_info.md b/content/chainguard/chainguard-images/reference/static/provenance_info.md index 67c585c535..771a9e5b8a 100644 --- a/content/chainguard/chainguard-images/reference/static/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/static/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for static Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **static** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/static | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/static | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the static | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the static image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the static image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/static + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/static ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/static/tags_history.md b/content/chainguard/chainguard-images/reference/static/tags_history.md index 386ec8bdf8..871ba4296e 100644 --- a/content/chainguard/chainguard-images/reference/static/tags_history.md +++ b/content/chainguard/chainguard-images/reference/static/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the static Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:e0f163b457130b20176fb5ffd3a5528ee69c314ed02a0e9b5a4047806214f832` | -| `latest-glibc` | October 30th | `sha256:4b3878d73af9215d813ef80a08d0fee838a81b9597cc3cbe21364ecacf267b6d` | +| Tag (s) | Last Changed | Digest | +|-----------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:ab062ebcd496faecdec3961b0e8061d81ce1553595432a7e6d212ff2c3bd46d8` | +| `latest-glibc` | December 6th | `sha256:0c49117c00c88154172eefd19b2689b1acd3cce7be19328e8b64db7a0f1cf1ff` | diff --git a/content/chainguard/chainguard-images/reference/stunnel/provenance_info.md b/content/chainguard/chainguard-images/reference/stunnel/provenance_info.md index 66f171ae75..e2bb8cb972 100644 --- a/content/chainguard/chainguard-images/reference/stunnel/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/stunnel/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for stunnel Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **stunnel** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/stunnel | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/stunnel | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the stunnel | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the stunnel image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the stunnel image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/stunnel + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/stunnel ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/stunnel/tags_history.md b/content/chainguard/chainguard-images/reference/stunnel/tags_history.md index 048b503e55..980189102e 100644 --- a/content/chainguard/chainguard-images/reference/stunnel/tags_history.md +++ b/content/chainguard/chainguard-images/reference/stunnel/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the stunnel Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:3c6d845d47eb0cd2164e5ac6b6b9818ccb020a9f536c789e078bed568ac04fff` | -| `latest-dev` | November 29th | `sha256:d74bf30c1e9ece48f1a1c76a4c801663c1680d5c5ca0f58f4d0a354bff4370c7` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:0a141cf4f368169ca400d6c1bf20e80ac43b4ae73371f57347feceb840adca9e` | +| `latest-dev` | December 6th | `sha256:5a554e7235c51d115213a760a9bb1898e500aac9dc74090f8e977ea4b8556769` | diff --git a/content/chainguard/chainguard-images/reference/tekton-chains/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-chains/provenance_info.md index ab6d44f75f..3c978ddbd3 100644 --- a/content/chainguard/chainguard-images/reference/tekton-chains/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-chains/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-chains Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-chains** Chainguard Images are signed using Sigstore, and you can c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-chains | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-chains | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-chains image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-chains image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-chains + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-chains ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-chains/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-chains/tags_history.md index fc3c83bb86..b6498ff1fa 100644 --- a/content/chainguard/chainguard-images/reference/tekton-chains/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-chains/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-chains Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:9c3f7753fa767e9c71aff9ea4748e9c6e3ac6e4d0be60e7edd0303fbaf90ae14` | -| `latest-dev` | November 29th | `sha256:9caf12ec68dfb8a36e3b56530e6492df9b3064aa41bd0f1e275826c0ffa6f329` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:01e0d04f0211c0aa6f059aabe7c9b48755950d2127b73fd8e039dd3e1e6618e3` | +| `latest-dev` | December 6th | `sha256:64ad94c55bec03c107b2c7f39fb02db7e73ffe7d79c9bef990984c7a26ce7be5` | diff --git a/content/chainguard/chainguard-images/reference/tekton-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-cli/provenance_info.md index 83c8db478f..ed74b048da 100644 --- a/content/chainguard/chainguard-images/reference/tekton-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-cli/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-cli Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-cli** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-cli | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-cli | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-cli image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-cli image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-cli + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-cli ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-cli/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-cli/tags_history.md index af7e01bcd0..6130af776a 100644 --- a/content/chainguard/chainguard-images/reference/tekton-cli/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-cli/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-cli Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:70a1a24b605b24fd853c171501d2b17cd7f6d4b6b06dc90cce5e57aa0aa553b8` | -| `latest` | November 29th | `sha256:68b6bb05a2ca05bcc3c81c27817014f8dd296fab03d5d26cd2740b0584110f3d` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:d32b30a07617210b07049c83403e01dccbdcaac809107e5602d232448062e575` | +| `latest` | December 6th | `sha256:ba52e1219c7378f1ab6f19f009b01b1a0d1d6c7ba7bebfc8256fb08d9954f907` | diff --git a/content/chainguard/chainguard-images/reference/tekton-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-controller/provenance_info.md index b1d4799587..da81976346 100644 --- a/content/chainguard/chainguard-images/reference/tekton-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-controller** Chainguard Images are signed using Sigstore, and you c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-controller/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-controller/tags_history.md index ebc974645c..287f8bdba7 100644 --- a/content/chainguard/chainguard-images/reference/tekton-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2c4013ee7e88ac4fb14efcc7a234cddef58ff08c59aec5a7d502f3ba1ea10148` | -| `latest-dev` | November 29th | `sha256:023e020a358d80f5b5ef951fceb6586ca09525be23cd9c493b69c70a0ea5097a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:d5c57b5554682b8bdf17e45d5300dc91fc642a46c7b93c094b600d58436222a3` | +| `latest` | December 6th | `sha256:dd66ca38ac782d9a80d0f39923a10a3f7ad21550c1e93b610fa33c9a54c6a31e` | diff --git a/content/chainguard/chainguard-images/reference/tekton-entrypoint/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-entrypoint/provenance_info.md index ee34d0268f..d07f1440db 100644 --- a/content/chainguard/chainguard-images/reference/tekton-entrypoint/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-entrypoint/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-entrypoint Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-entrypoint** Chainguard Images are signed using Sigstore, and you c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-entrypoint | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-entrypoint | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-entrypoint image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-entrypoint image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-entrypoint + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-entrypoint ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-entrypoint/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-entrypoint/tags_history.md index 29b398ec1a..0be18da004 100644 --- a/content/chainguard/chainguard-images/reference/tekton-entrypoint/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-entrypoint/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-entrypoint Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:39351095ea7f8cd2baa4e02d4277a0dc3c20b27becd27e60b20937a4514ac89c` | -| `latest-dev` | November 29th | `sha256:55017ffecaf524a727b64e1203521419258e2a0dbb3c716190bd2155d3cd6fcf` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1beb9ec2b2581508dbe68d3dad260943b8b21cf503de910c5f63eaeab1a9ec17` | +| `latest-dev` | December 6th | `sha256:fc25aad91ae61c6339bf3f6e5c218193c3ea9e833be040c82bd7dac68644537a` | diff --git a/content/chainguard/chainguard-images/reference/tekton-events/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-events/provenance_info.md index ba7b07ae7f..021cdc36aa 100644 --- a/content/chainguard/chainguard-images/reference/tekton-events/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-events/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-events Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-events** Chainguard Images are signed using Sigstore, and you can c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-events | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-events | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-events image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-events image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-events + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-events ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-events/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-events/tags_history.md index cb51436a4a..8970dcb675 100644 --- a/content/chainguard/chainguard-images/reference/tekton-events/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-events/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-events Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:1c4155fe541ade2455cd01e3433b1a2c1ddc9d4f8663de1048fb200a5f333811` | -| `latest-dev` | November 29th | `sha256:d01d35118501a3b6528476e6ef084bf39fc513ed3cb0ef98deaecbde39c37d61` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:ccdd9814489736ecc01428449af0d2244c3d6c96e9e995e65eb80a067024344d` | +| `latest` | December 6th | `sha256:922d2828751473d61d35022473b68b468d47d99dceb4ed5e7065f63de9356c38` | diff --git a/content/chainguard/chainguard-images/reference/tekton-nop/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-nop/provenance_info.md index 4caf70d708..69657e07c1 100644 --- a/content/chainguard/chainguard-images/reference/tekton-nop/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-nop/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-nop Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-nop** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-nop | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-nop | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-nop image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-nop image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-nop + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-nop ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-nop/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-nop/tags_history.md index 28844f2087..3a8e71bf06 100644 --- a/content/chainguard/chainguard-images/reference/tekton-nop/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-nop/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-nop Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:5c8e2715be67d208704347d23a50944c953cad025e077ee34a815b5f9944b9af` | -| `latest-dev` | November 29th | `sha256:8b9bd508e92e24d5072e350abebd89a51bfbea94cc5dcb4b65c30cf64f10d7db` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:fd30d1945c323ad7bcc874a5a188d5a79e6e55436601bd61415a555cc5914d0e` | +| `latest-dev` | December 6th | `sha256:527e8b4064d508dc3d14ab9ef9bb70b3afe7250b3f8dc12ca0399435c02550ac` | diff --git a/content/chainguard/chainguard-images/reference/tekton-resolvers/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-resolvers/provenance_info.md index 8a505654e7..120b73665a 100644 --- a/content/chainguard/chainguard-images/reference/tekton-resolvers/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-resolvers/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-resolvers Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-resolvers** Chainguard Images are signed using Sigstore, and you ca The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-resolvers | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-resolvers | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-resolvers image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-resolvers image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-resolvers + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-resolvers ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-resolvers/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-resolvers/tags_history.md index df4b08799a..d49d32d2a2 100644 --- a/content/chainguard/chainguard-images/reference/tekton-resolvers/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-resolvers/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-resolvers Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:6cccac45e8266b9e1368c48d9c540e5c1bbe38899088e3cf6519316f88772363` | -| `latest-dev` | November 29th | `sha256:425fd34113e40bba4b2270c33cab37664c107916bd27532239efbdaf88258754` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:13d2bd0ed02b5479e950bc7c4f8ebee2d01b9484ed4a3c87ccb31053aa01602e` | +| `latest` | December 6th | `sha256:0ca72c961cde1b99f373680fd90a332f9863b46c53c9e12994c5c571e7a1216c` | diff --git a/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/provenance_info.md index e94e3ad6d1..97ec61613a 100644 --- a/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-sidecarlogresults Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-sidecarlogresults** Chainguard Images are signed using Sigstore, an The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-sidecarlogresults | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-sidecarlogresults | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-sidecarlogresults image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-sidecarlogresults image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-sidecarlogresults + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-sidecarlogresults ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/tags_history.md index 6f21942bce..db8c4d6ee4 100644 --- a/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-sidecarlogresults/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-sidecarlogresults Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:882d6ef69fe500808b49aea769ca444f6f91062ce66d4d01d7543979d3631389` | -| `latest` | November 29th | `sha256:49492abcc247e830f90da13cf6f20fec6ba8785e20ce99a1a073776adf28e77c` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:bc9b588056e6ba2e5c457476c88d3cd886b14cef18ef0e173a81ab28b87a5a6c` | +| `latest-dev` | December 6th | `sha256:985a183f770ccb35b037b1891c65752d87767e4e046f452c0b3e9a0cd4bf4f54` | diff --git a/content/chainguard/chainguard-images/reference/tekton-webhook/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-webhook/provenance_info.md index 236e4055d5..6d5314c641 100644 --- a/content/chainguard/chainguard-images/reference/tekton-webhook/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-webhook/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-webhook Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-webhook** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-webhook | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-webhook | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-webhook image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-webhook image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-webhook + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-webhook ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-webhook/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-webhook/tags_history.md index f2f3d8eec2..88622006c1 100644 --- a/content/chainguard/chainguard-images/reference/tekton-webhook/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-webhook/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-webhook Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:7cd44e6094354563bb3b1597976ae5db075f5b8fde228af10b29d8bdc6f2dc74` | -| `latest-dev` | November 29th | `sha256:3a73cad2c6cb4810ba2c8d3a4f01ab854f4dc701012f8fe85deb6368f8dc6cb7` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:388e3f6b7594225879c2b58c692d3b342418c2371cdd0ce481f648617c595ee7` | +| `latest-dev` | December 6th | `sha256:6a94fe312da8505f3fa83f67b9632d75a746b77b5c3d1758679322e5ba94f531` | diff --git a/content/chainguard/chainguard-images/reference/tekton-workingdirinit/provenance_info.md b/content/chainguard/chainguard-images/reference/tekton-workingdirinit/provenance_info.md index 7f038988aa..ced5c9b076 100644 --- a/content/chainguard/chainguard-images/reference/tekton-workingdirinit/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tekton-workingdirinit/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tekton-workingdirinit Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tekton-workingdirinit** Chainguard Images are signed using Sigstore, and y The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tekton-workingdirinit | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-workingdirinit | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tekton- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-workingdirinit image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tekton-workingdirinit image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tekton-workingdirinit + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tekton-workingdirinit ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tekton-workingdirinit/tags_history.md b/content/chainguard/chainguard-images/reference/tekton-workingdirinit/tags_history.md index a1d4374544..bfceefe243 100644 --- a/content/chainguard/chainguard-images/reference/tekton-workingdirinit/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tekton-workingdirinit/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tekton-workingdirinit Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:1ba623c36e9aabf68796f7a309c3e582403529b0a9a2e98da9cb9fd5f53aeae6` | -| `latest` | November 29th | `sha256:734da7e5b0c4fe765d1b5343a5682a0608b8c9eb4d9c986f39709715062ed2cc` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:9b6ab0620411a8ec2fe086557d486f8e29e3fb186b74e75ac02da9ca316322dc` | +| `latest` | December 6th | `sha256:ca7cf50be0c8496a10ee1cead3a0e782d1852a7840ef43f597e7b981d12d03c9` | diff --git a/content/chainguard/chainguard-images/reference/telegraf/provenance_info.md b/content/chainguard/chainguard-images/reference/telegraf/provenance_info.md index cbfe8511ba..4666399180 100644 --- a/content/chainguard/chainguard-images/reference/telegraf/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/telegraf/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for telegraf Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **telegraf** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/telegraf | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/telegraf | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the telegra | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the telegraf image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the telegraf image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/telegraf + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/telegraf ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/telegraf/tags_history.md b/content/chainguard/chainguard-images/reference/telegraf/tags_history.md index 24f0125cb8..8a15d45a2b 100644 --- a/content/chainguard/chainguard-images/reference/telegraf/tags_history.md +++ b/content/chainguard/chainguard-images/reference/telegraf/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the telegraf Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:1506b41ad202228930759aa250ff2b7079d68e5568467a135865bfe5a8a66052` | -| `latest` | November 29th | `sha256:0c27112b1b970aa1d77126f544cf53192400e3dc0cc9ec9d42100a592e6dd867` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:4987b3322cf72aaa366466c47b28d1dbc6393cad263b4361004239ed7c5f6b63` | +| `latest-dev` | December 6th | `sha256:3b267c2097920c4242748ff04062cc0aa72b16742515a16976f9858f9df150cf` | diff --git a/content/chainguard/chainguard-images/reference/temporal-admin-tools/_index.md b/content/chainguard/chainguard-images/reference/temporal-admin-tools/_index.md new file mode 100644 index 0000000000..f162fb97ce --- /dev/null +++ b/content/chainguard/chainguard-images/reference/temporal-admin-tools/_index.md @@ -0,0 +1,43 @@ +--- +title: "Image Overview: temporal-admin-tools" +linktitle: "temporal-admin-tools" +type: "article" +layout: "single" +description: "Overview: temporal-admin-tools Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +menu: + docs: + parent: "images-reference" +weight: 500 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=true url="/chainguard/chainguard-images/reference/temporal-admin-tools/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/provenance_info/" >}} +{{}} + + + + +Golang Server for https://github.com/temporalio/ui + + + +## Get It! +The image is available on `cgr.dev`: + +``` +docker pull cgr.dev/chainguard/temporal-admin-tools:latest +``` + + + + + diff --git a/content/chainguard/chainguard-images/reference/temporal-admin-tools/image_specs.md b/content/chainguard/chainguard-images/reference/temporal-admin-tools/image_specs.md new file mode 100644 index 0000000000..98e457e3fd --- /dev/null +++ b/content/chainguard/chainguard-images/reference/temporal-admin-tools/image_specs.md @@ -0,0 +1,76 @@ +--- +title: "temporal-admin-tools Image Variants" +type: "article" +unlisted: true +description: "Detailed information about the public temporal-admin-tools Chainguard Image variants" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 550 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/" >}} +{{< tab title="Variants" active=true url="/chainguard/chainguard-images/reference/temporal-admin-tools/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/provenance_info/" >}} +{{}} + +This page shows detailed information about all public variants of the Chainguard **temporal-admin-tools** Image. + +## Variants Compared +The **temporal-admin-tools** Chainguard Image currently has 2 public variants: + +- `latest-dev` +- `latest` + +The table has detailed information about each of these variants. + +| | latest-dev | latest | +|--------------|-----------------|-----------------| +| Default User | `nonroot` | `nonroot` | +| Entrypoint | `/usr/bin/tctl` | `/usr/bin/tctl` | +| CMD | not specified | not specified | +| Workdir | not specified | not specified | +| Has apk? | yes | no | +| Has a shell? | yes | yes | + +Check the [tags history page](/chainguard/chainguard-images/reference/temporal-admin-tools/tags_history/) for the full list of available tags. + +## Packages Included +The table shows package distribution across variants. + +| | latest-dev | latest | +|---------------------------|------------|--------| +| `apk-tools` | X | | +| `bash` | X | X | +| `busybox` | X | | +| `ca-certificates-bundle` | X | X | +| `git` | X | | +| `glibc` | X | X | +| `glibc-locale-posix` | X | X | +| `ld-linux` | X | X | +| `libbrotlicommon1` | X | | +| `libbrotlidec1` | X | | +| `libcrypt1` | X | | +| `libcrypto3` | X | | +| `libcurl-openssl4` | X | | +| `libexpat1` | X | | +| `libnghttp2-14` | X | | +| `libpcre2-8-0` | X | | +| `libssl3` | X | | +| `ncurses` | X | X | +| `ncurses-terminfo-base` | X | X | +| `openssl-config` | X | | +| `tctl` | X | X | +| `tdbg` | X | X | +| `temporal` | X | X | +| `temporal-cassandra-tool` | X | X | +| `temporal-server-schema` | X | X | +| `temporal-sql-tool` | X | X | +| `wolfi-baselayout` | X | X | +| `zlib` | X | | + diff --git a/content/chainguard/chainguard-images/reference/temporal-admin-tools/provenance_info.md b/content/chainguard/chainguard-images/reference/temporal-admin-tools/provenance_info.md new file mode 100644 index 0000000000..11948b14d6 --- /dev/null +++ b/content/chainguard/chainguard-images/reference/temporal-admin-tools/provenance_info.md @@ -0,0 +1,88 @@ +--- +title: "Provenance Information for temporal-admin-tools Images" +type: "article" +unlisted: true +description: "Provenance information for temporal-admin-tools Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 600 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/image_specs/" >}} +{{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/tags_history/" >}} +{{< tab title="Provenance" active=true url="/chainguard/chainguard-images/reference/temporal-admin-tools/provenance_info/" >}} +{{}} + +All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. + +## Verifying temporal-admin-tools Image Signatures +The **temporal-admin-tools** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. + +The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. + +```shell +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/temporal-admin-tools | jq +``` + +By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. + +## Downloading temporal-admin-tools Image Attestations + +The following [attestations](https://slsa.dev/attestation-model) for the temporal-admin-tools image can be obtained and verified via cosign: + +| Attestation Type | Description | +|----------------|-------------| +| `https://slsa.dev/provenance/v1` | The [SLSA 1.0](https://slsa.dev/spec/v1.0/provenance) provenance attestation contains information about the image build environment. | +| `https://apko.dev/image-configuration` | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. | +| `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | + + +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the temporal-admin-tools image on `linux/amd64`: + +```shell +cosign download attestation \ + --platform=linux/amd64 \ + --predicate-type=https://spdx.dev/Document \ + cgr.dev/chainguard/temporal-admin-tools | jq -r .payload | base64 -d | jq .predicate +``` +By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from. + +To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier. + +## Verifying temporal-admin-tools Image Attestations +You can use the `cosign verify-attestation` command to check the signatures of the temporal-admin-tools image attestations: + +```shell +cosign verify-attestation \ + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/temporal-admin-tools +``` + +This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: + +``` +Verification for cgr.dev/chainguard/temporal-admin-tools -- +The following checks were performed on each of these signatures: +- The cosign claims were validated +- Existence of the claims in the transparency log was verified offline +- The code-signing certificate was verified using trusted certificate authority certificates +Certificate subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main +Certificate issuer URL: https://token.actions.githubusercontent.com +GitHub Workflow Trigger: schedule +GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696 +GitHub Workflow Name: .github/workflows/release.yaml +GitHub Workflow Trigger chainguard-images/images +GitHub Workflow Ref: refs/heads/main +... +``` diff --git a/content/chainguard/chainguard-images/reference/temporal-admin-tools/tags_history.md b/content/chainguard/chainguard-images/reference/temporal-admin-tools/tags_history.md new file mode 100644 index 0000000000..26d158a2ab --- /dev/null +++ b/content/chainguard/chainguard-images/reference/temporal-admin-tools/tags_history.md @@ -0,0 +1,30 @@ +--- +title: "temporal-admin-tools Image Tags History" +type: "article" +unlisted: true +description: "Image Tags and History for the temporal-admin-tools Chainguard Image" +date: 2023-12-06 18:44:36 +lastmod: 2023-12-06 18:44:36 +draft: false +tags: ["Reference", "Chainguard Images", "Product"] +images: [] +weight: 700 +toc: true +--- + +{{< tabs >}} +{{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/" >}} +{{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/image_specs/" >}} +{{< tab title="Tags History" active=true url="/chainguard/chainguard-images/reference/temporal-admin-tools/tags_history/" >}} +{{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/temporal-admin-tools/provenance_info/" >}} +{{}} + +The following table contains the most recent tags and digests that can be used to pin your Dockerfile to a specific build of this image. Check our guide on [Using the Tag History API](/chainguard/chainguard-images/using-the-tag-history-api/) for information on how to fetch all tags from an image and how to pin your Dockerfile to a specific digest. + +Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). + +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1944071f75a42f95bd969df466a9b370acb692c6696d7ac9aeb02b800163c248` | +| `latest-dev` | December 6th | `sha256:bffdc0bbb9f4a4619f36fd33845c8935c4f92c3690007c30f9934a591f3a64b1` | + diff --git a/content/chainguard/chainguard-images/reference/temporal-ui-server/provenance_info.md b/content/chainguard/chainguard-images/reference/temporal-ui-server/provenance_info.md index abfa5fd82c..f67e80fac2 100644 --- a/content/chainguard/chainguard-images/reference/temporal-ui-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/temporal-ui-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for temporal-ui-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **temporal-ui-server** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/temporal-ui-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/temporal-ui-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tempora | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the temporal-ui-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the temporal-ui-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/temporal-ui-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/temporal-ui-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/temporal-ui-server/tags_history.md b/content/chainguard/chainguard-images/reference/temporal-ui-server/tags_history.md index 6247f1b9aa..8631aed93d 100644 --- a/content/chainguard/chainguard-images/reference/temporal-ui-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/temporal-ui-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the temporal-ui-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ada1b6170f3d278d40f2cf8a673985fd6580eaa197de11b1c4f002b93f5fc1f7` | -| `latest-dev` | November 29th | `sha256:0bcb9aca7de9cb334a49722ef97ec0f8f47c0d80166a979e3da3c67657dac7fd` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:a60066deaa8afd9c237af902425ad5ee5b5869659aef7cf300acae3ed5863fed` | +| `latest` | December 6th | `sha256:722f0fe2d24391a04b8334603f640ee90ced0a2b253657a06bb1ca300853fbce` | diff --git a/content/chainguard/chainguard-images/reference/terraform/provenance_info.md b/content/chainguard/chainguard-images/reference/terraform/provenance_info.md index df57e7e1b9..6f1b1ff982 100644 --- a/content/chainguard/chainguard-images/reference/terraform/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/terraform/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for terraform Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **terraform** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/terraform | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/terraform | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the terrafo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the terraform image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the terraform image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/terraform + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/terraform ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/terraform/tags_history.md b/content/chainguard/chainguard-images/reference/terraform/tags_history.md index aa09192381..a437f86d4a 100644 --- a/content/chainguard/chainguard-images/reference/terraform/tags_history.md +++ b/content/chainguard/chainguard-images/reference/terraform/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the terraform Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 27th | `sha256:16b3e523c70051ba4f5be60d3934549166e69ba692238e3b24bd6729a6babeb9` | -| `latest` | October 30th | `sha256:84cd1c8e60d1d05abc2887936fc7d405abe875ef1cafe9d6bd4ee589e7cc0802` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:4e866be05cabf9ea23dbb8dcb41f415cf9d54954de549a987a55268f83f38da1` | +| `latest` | December 6th | `sha256:0c03f2e143777c6503fb4fc58d0c3903fef4f27bf9f9779156f499978dd087e5` | diff --git a/content/chainguard/chainguard-images/reference/thanos-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/thanos-operator/provenance_info.md index b38f3d97c5..a91c0ac52a 100644 --- a/content/chainguard/chainguard-images/reference/thanos-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/thanos-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for thanos-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **thanos-operator** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/thanos-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/thanos-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the thanos- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the thanos-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the thanos-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/thanos-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/thanos-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/thanos-operator/tags_history.md b/content/chainguard/chainguard-images/reference/thanos-operator/tags_history.md index d455607313..187678fc19 100644 --- a/content/chainguard/chainguard-images/reference/thanos-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/thanos-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the thanos-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:83e85bc9dde281bb1a002e27bae508d342c876eabfd8ba0995274a2a2edbe76f` | -| `latest` | November 29th | `sha256:c19011699c67bbf23d9e46fc02ca885c4b9f2ea3f6e3fa001a89f88a242923cf` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:a54dc2c8d9b352fb8b5f1552f2cbcbfa10595923ebb76ebfaac69fcfb385dc6a` | +| `latest` | December 6th | `sha256:43873df7b255ab994cdf321008758f5254e2d2b16e18f6af2a4ec5bbaa423bda` | diff --git a/content/chainguard/chainguard-images/reference/thanos/provenance_info.md b/content/chainguard/chainguard-images/reference/thanos/provenance_info.md index c2e9580d38..175f3c1019 100644 --- a/content/chainguard/chainguard-images/reference/thanos/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/thanos/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for thanos Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **thanos** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/thanos | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/thanos | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the thanos | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the thanos image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the thanos image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/thanos + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/thanos ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/thanos/tags_history.md b/content/chainguard/chainguard-images/reference/thanos/tags_history.md index de0e77eb6d..2455b52b08 100644 --- a/content/chainguard/chainguard-images/reference/thanos/tags_history.md +++ b/content/chainguard/chainguard-images/reference/thanos/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the thanos Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:1c5b270b50c0d3ef8ad8e556baa66f72ba35aa25371db1f324ac0d1ab7451c45` | -| `latest` | November 29th | `sha256:1787d8cf554d26d6365a8cd2f30733a81b308a9b240c6907170d62dd851ba0b8` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:dede4199d6a228d90afc80447d04a666ddb81733d2cc5b795872e596daffd844` | +| `latest-dev` | December 6th | `sha256:5be8d65c85d1e7ee627aea444d1056f338761e4eb7cd389c06108af97acc4441` | diff --git a/content/chainguard/chainguard-images/reference/tigera-operator/provenance_info.md b/content/chainguard/chainguard-images/reference/tigera-operator/provenance_info.md index 8b02eb08de..ee889dd26e 100644 --- a/content/chainguard/chainguard-images/reference/tigera-operator/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tigera-operator/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tigera-operator Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tigera-operator** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tigera-operator | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tigera-operator | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tigera- | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tigera-operator image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tigera-operator image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tigera-operator + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tigera-operator ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tigera-operator/tags_history.md b/content/chainguard/chainguard-images/reference/tigera-operator/tags_history.md index f9b57427c4..2e1082d3a8 100644 --- a/content/chainguard/chainguard-images/reference/tigera-operator/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tigera-operator/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tigera-operator Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:0fe39b37f2fe5639bf44914333eeb9359f6bfd59d021a26eb3243b171080f081` | -| `latest-dev` | November 29th | `sha256:f0852a15930e84ff2d9adf39138ca97b2adf8df7f203bebac405e2466b7be4c4` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:484aacbae09ec8253ab7ef7a1b10d91ff23d884c58b014af7b41d52ec2b4126f` | +| `latest` | December 6th | `sha256:3163eb47313d20d3b8e18e6f8b16bdae685b44cba7c03b9b367ba2daad0866dd` | diff --git a/content/chainguard/chainguard-images/reference/timestamp-authority-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/timestamp-authority-cli/provenance_info.md index 2eb3bc9e5a..3ad6df79e2 100644 --- a/content/chainguard/chainguard-images/reference/timestamp-authority-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/timestamp-authority-cli/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for timestamp-authority-cli Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **timestamp-authority-cli** Chainguard Images are signed using Sigstore, and The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/timestamp-authority-cli | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/timestamp-authority-cli | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the timesta | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the timestamp-authority-cli image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the timestamp-authority-cli image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/timestamp-authority-cli + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/timestamp-authority-cli ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/timestamp-authority-cli/tags_history.md b/content/chainguard/chainguard-images/reference/timestamp-authority-cli/tags_history.md index 5bd6403e59..1154452b15 100644 --- a/content/chainguard/chainguard-images/reference/timestamp-authority-cli/tags_history.md +++ b/content/chainguard/chainguard-images/reference/timestamp-authority-cli/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the timestamp-authority-cli Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:f3d2012ed5f2ebe8810628e8daadfc6306a8a0f08dc1ae81473aaf815eb94b27` | -| `latest` | November 29th | `sha256:7f1178803d6ee3c577105722eda82c353e5f51ca937b1dc5adf168dd5f073b28` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:891d121b35b5d6b7b80a5ee4c58a43ad2da78c3602ab3b42be80388da7bdc73a` | +| `latest-dev` | December 6th | `sha256:9c6c7cfd2b728bc8fd4438ecae01a052a308a05720142d3b982fcda1b6cee80a` | diff --git a/content/chainguard/chainguard-images/reference/timestamp-authority-server/provenance_info.md b/content/chainguard/chainguard-images/reference/timestamp-authority-server/provenance_info.md index 6d712bde66..be03bcd1c3 100644 --- a/content/chainguard/chainguard-images/reference/timestamp-authority-server/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/timestamp-authority-server/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for timestamp-authority-server Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **timestamp-authority-server** Chainguard Images are signed using Sigstore, The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/timestamp-authority-server | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/timestamp-authority-server | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the timesta | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the timestamp-authority-server image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the timestamp-authority-server image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/timestamp-authority-server + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/timestamp-authority-server ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/timestamp-authority-server/tags_history.md b/content/chainguard/chainguard-images/reference/timestamp-authority-server/tags_history.md index 738732dbc8..ffdeec3acf 100644 --- a/content/chainguard/chainguard-images/reference/timestamp-authority-server/tags_history.md +++ b/content/chainguard/chainguard-images/reference/timestamp-authority-server/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the timestamp-authority-server Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:cff587d22d2e5189b3d503e173e6ef09e16fa05d4baf634464c01dc32770e804` | -| `latest` | November 29th | `sha256:b485e3a7a2317a7b4b2bd0189e30b83cd7cf48e04d55d7b045198442e6935b6b` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:877bcb31cefea8e5d707e1596629ef029d5684b7a7d0041d689044cb07c7ce36` | +| `latest` | December 6th | `sha256:d4ae58a0386b1195be404b6a42212f5bacc0e0bb2cf2a72fcacc6e803dc653d9` | diff --git a/content/chainguard/chainguard-images/reference/timoni/provenance_info.md b/content/chainguard/chainguard-images/reference/timoni/provenance_info.md index 2f130247fa..c437ecfe5f 100644 --- a/content/chainguard/chainguard-images/reference/timoni/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/timoni/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for timoni Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **timoni** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/timoni | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/timoni | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the timoni | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the timoni image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the timoni image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/timoni + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/timoni ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/timoni/tags_history.md b/content/chainguard/chainguard-images/reference/timoni/tags_history.md index 629c09f36a..b03d5ffa06 100644 --- a/content/chainguard/chainguard-images/reference/timoni/tags_history.md +++ b/content/chainguard/chainguard-images/reference/timoni/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the timoni Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:829fc29d40701a9f55868eee0fde2f3ba1525a52ba07f1d3e0a379ae63060cef` | -| `latest-dev` | November 29th | `sha256:16e7572650dad697c84da196e662636c8f67f1df6528ef2ba9410cfc95acfe66` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:36ee27cbd7be34a400a9df63cce53aa7d0c0678500ce4041994de7960fbbb1e3` | +| `latest` | December 6th | `sha256:caf35770a913bff69880f8790e6e681f06ae40782c6c2c6b44355390c058050b` | diff --git a/content/chainguard/chainguard-images/reference/tomcat/provenance_info.md b/content/chainguard/chainguard-images/reference/tomcat/provenance_info.md index 9b1a18529c..ad472d9187 100644 --- a/content/chainguard/chainguard-images/reference/tomcat/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/tomcat/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for tomcat Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **tomcat** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/tomcat | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tomcat | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the tomcat | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tomcat image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the tomcat image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/tomcat + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/tomcat ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/tomcat/tags_history.md b/content/chainguard/chainguard-images/reference/tomcat/tags_history.md index 90bdd4de27..611c63d77d 100644 --- a/content/chainguard/chainguard-images/reference/tomcat/tags_history.md +++ b/content/chainguard/chainguard-images/reference/tomcat/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the tomcat Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:30564ad789836c73a22e21e5eb68c3b23e147fdb4dfff7f6267e12266c09eb54` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:cde7e829c34bccc53274a5a137b8705c2b4cb113000bf0310593bcfb88c26e99` | diff --git a/content/chainguard/chainguard-images/reference/traefik/provenance_info.md b/content/chainguard/chainguard-images/reference/traefik/provenance_info.md index e810eda932..8b47aca6a3 100644 --- a/content/chainguard/chainguard-images/reference/traefik/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/traefik/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for traefik Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **traefik** Chainguard Images are signed using Sigstore, and you can check t The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/traefik | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/traefik | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the traefik | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the traefik image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the traefik image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/traefik + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/traefik ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/traefik/tags_history.md b/content/chainguard/chainguard-images/reference/traefik/tags_history.md index 1e4a5fe7fb..1512eb5164 100644 --- a/content/chainguard/chainguard-images/reference/traefik/tags_history.md +++ b/content/chainguard/chainguard-images/reference/traefik/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the traefik Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:4abcb3494a2fb636c78c53b940ce48476f042dd27aa914f8bb72b0ea1784c28c` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:45649588a30190750e81d6751d5b3ecf0aa4c764591e35eaaeb74ea528d3a5dc` | diff --git a/content/chainguard/chainguard-images/reference/trillian-logserver/provenance_info.md b/content/chainguard/chainguard-images/reference/trillian-logserver/provenance_info.md index de7ff1ecb4..1ba9b91b92 100644 --- a/content/chainguard/chainguard-images/reference/trillian-logserver/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/trillian-logserver/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for trillian-logserver Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **trillian-logserver** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/trillian-logserver | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/trillian-logserver | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the trillia | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trillian-logserver image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trillian-logserver image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/trillian-logserver + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/trillian-logserver ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/trillian-logserver/tags_history.md b/content/chainguard/chainguard-images/reference/trillian-logserver/tags_history.md index ec5d966b6e..4f60c55d29 100644 --- a/content/chainguard/chainguard-images/reference/trillian-logserver/tags_history.md +++ b/content/chainguard/chainguard-images/reference/trillian-logserver/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the trillian-logserver Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:5f51dbb69807962975576e48fe0736eda21a227345617c995967ea333738d7eb` | -| `latest-dev` | November 29th | `sha256:a458ebf1154415a22a9f686e772c238f3121f3d0a55686825d17f37e0f80dd2b` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:cbf9a95f73c4afc39bee60fec55ed7f240845483ddb1de0f18b5a9d56defe800` | +| `latest` | December 6th | `sha256:b4ce6c05bf793681c8d8505a201819a84ff9b56fc0f862ad732d466ae3553708` | diff --git a/content/chainguard/chainguard-images/reference/trillian-logsigner/provenance_info.md b/content/chainguard/chainguard-images/reference/trillian-logsigner/provenance_info.md index 93768e6173..2dfb2f7d09 100644 --- a/content/chainguard/chainguard-images/reference/trillian-logsigner/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/trillian-logsigner/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for trillian-logsigner Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **trillian-logsigner** Chainguard Images are signed using Sigstore, and you The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/trillian-logsigner | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/trillian-logsigner | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the trillia | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trillian-logsigner image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trillian-logsigner image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/trillian-logsigner + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/trillian-logsigner ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/trillian-logsigner/tags_history.md b/content/chainguard/chainguard-images/reference/trillian-logsigner/tags_history.md index 1e4d771f79..b019cb9767 100644 --- a/content/chainguard/chainguard-images/reference/trillian-logsigner/tags_history.md +++ b/content/chainguard/chainguard-images/reference/trillian-logsigner/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the trillian-logsigner Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:2938545c1c4e0999286011a1218ce69f33103b208d844756a9cb179c341b07ad` | -| `latest-dev` | November 29th | `sha256:615f00e133c38fe8b3a0a912ff453b805ebaa6f300c8220e8047a5c1d8e9f5fd` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:24aee764f6b2b967698f84395231de9634462f8ef0f3c59b87f4b9a57fa72c5b` | +| `latest` | December 6th | `sha256:253f21d1f7b1764d2b47751e7b0e52e0de53ce25caeb6a7c893442ebb32f01f6` | diff --git a/content/chainguard/chainguard-images/reference/trino/provenance_info.md b/content/chainguard/chainguard-images/reference/trino/provenance_info.md index 5aaa20d87b..0122a4fd77 100644 --- a/content/chainguard/chainguard-images/reference/trino/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/trino/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for trino Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **trino** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/trino | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/trino | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the trino i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trino image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trino image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/trino + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/trino ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/trino/tags_history.md b/content/chainguard/chainguard-images/reference/trino/tags_history.md index 13190cd0b9..a653ab354c 100644 --- a/content/chainguard/chainguard-images/reference/trino/tags_history.md +++ b/content/chainguard/chainguard-images/reference/trino/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the trino Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 28th | `sha256:069fcc02cf0d67f8b0c5d17eabc00fe94ef299b10364a206a81ab56d633b9b4e` | -| `latest` | November 28th | `sha256:7a2be851e835c041d850f8563d32c7aaebde07e1eaf68b89061cbd80543d1456` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:caaca31067c79c9db300daae896794a428d984723586319610eb9b9bdb2000ac` | +| `latest-dev` | December 6th | `sha256:b96998ccfef0b81f26b712cdf73d86ddeb8f1a9a3c0d338e41a93fbc2cb89668` | diff --git a/content/chainguard/chainguard-images/reference/trust-manager/provenance_info.md b/content/chainguard/chainguard-images/reference/trust-manager/provenance_info.md index a173451d96..89206b798f 100644 --- a/content/chainguard/chainguard-images/reference/trust-manager/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/trust-manager/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for trust-manager Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **trust-manager** Chainguard Images are signed using Sigstore, and you can c The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/trust-manager | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/trust-manager | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the trust-m | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trust-manager image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the trust-manager image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/trust-manager + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/trust-manager ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/trust-manager/tags_history.md b/content/chainguard/chainguard-images/reference/trust-manager/tags_history.md index 3f1d7dd8fd..af3f34a1e7 100644 --- a/content/chainguard/chainguard-images/reference/trust-manager/tags_history.md +++ b/content/chainguard/chainguard-images/reference/trust-manager/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the trust-manager Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 27th | `sha256:3c8ce1665c44145b50fd4d12b4f2567b36e8cf6237886193b7b932f3c0eddbcd` | -| `latest` | October 30th | `sha256:c1a119251436d65416735766335fe097fecbe01c8ebe0c529f8350ddddb2abb4` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:512ed8a4ea5b3973f0423807bca575dba76daf0b1771e13e4488bc656eff32b0` | +| `latest` | December 6th | `sha256:c62844240669f622a02e23e70239def80d75c29602aabe9c6e3716554f03ec75` | diff --git a/content/chainguard/chainguard-images/reference/vault-k8s/provenance_info.md b/content/chainguard/chainguard-images/reference/vault-k8s/provenance_info.md index 2e5feec0cf..1e17a29cdd 100644 --- a/content/chainguard/chainguard-images/reference/vault-k8s/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vault-k8s/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for vault-k8s Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **vault-k8s** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/vault-k8s | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vault-k8s | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the vault-k | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vault-k8s image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vault-k8s image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/vault-k8s + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vault-k8s ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/vault-k8s/tags_history.md b/content/chainguard/chainguard-images/reference/vault-k8s/tags_history.md index d28bd25973..2f3ac2d7da 100644 --- a/content/chainguard/chainguard-images/reference/vault-k8s/tags_history.md +++ b/content/chainguard/chainguard-images/reference/vault-k8s/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the vault-k8s Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 27th | `sha256:670f3b0989428b397735e3021e91f8df4af5b0a16e0cb5a523e708ac386dbd9a` | -| `latest` | November 16th | `sha256:7b5fa21aa3a13a93faae0934b568de3c938847ffc0e9afca04e064540953f8b8` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:308a82dbcc995ad11af8cc5b0c4e2c1321a72ffcb8b432fc4a98c8720d73f2c1` | +| `latest` | December 6th | `sha256:b05abe781daad26de48dcc4a8bfb9966bdd86d32f7c91021a4a39cec0f0dcc31` | diff --git a/content/chainguard/chainguard-images/reference/vault/provenance_info.md b/content/chainguard/chainguard-images/reference/vault/provenance_info.md index a945a614d2..01c2ea6970 100644 --- a/content/chainguard/chainguard-images/reference/vault/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vault/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for vault Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **vault** Chainguard Images are signed using Sigstore, and you can check the The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/vault | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vault | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the vault i | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vault image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vault image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/vault + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vault ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/vault/tags_history.md b/content/chainguard/chainguard-images/reference/vault/tags_history.md index 01ed9ac6d1..43bf19cb6d 100644 --- a/content/chainguard/chainguard-images/reference/vault/tags_history.md +++ b/content/chainguard/chainguard-images/reference/vault/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the vault Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 27th | `sha256:a575d9017c619b38d688206558eb41c060f77d56cf583bae97890f07cdb3f289` | -| `latest` | November 24th | `sha256:76c1bd9782bae3cca35e7501a66952f0a98e27b0a838f8ea6eabd3b3b3f0fb89` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:37ca99abc1f584160d795e2342c02bb9a4207d6ec302955b098c5a58b90da810` | +| `latest-dev` | December 6th | `sha256:8717d582a95e4a98c641d783d1f899ecb7e957455e01890afd2f3e6144792480` | diff --git a/content/chainguard/chainguard-images/reference/vector/provenance_info.md b/content/chainguard/chainguard-images/reference/vector/provenance_info.md index 7689847f88..3f62d0f17b 100644 --- a/content/chainguard/chainguard-images/reference/vector/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vector/provenance_info.md @@ -3,8 +3,8 @@ title: "Provenance Information for vector Images" type: "article" unlisted: true description: "Provenance information for vector Chainguard Image" -date: 2023-11-30 00:18:09 -lastmod: 2022-11-01T11:07:52+02:00 +date: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **vector** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/vector | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vector | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the vector | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vector image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vector image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/vector + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vector ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/vector/tags_history.md b/content/chainguard/chainguard-images/reference/vector/tags_history.md index be70cc5919..d1d72c7185 100644 --- a/content/chainguard/chainguard-images/reference/vector/tags_history.md +++ b/content/chainguard/chainguard-images/reference/vector/tags_history.md @@ -3,8 +3,8 @@ title: "vector Image Tags History" type: "article" unlisted: true description: "Image Tags and History for the vector Chainguard Image" -date: 2023-11-30 00:18:09 -lastmod: 2023-06-22T11:07:52+02:00 +date: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 27th | `sha256:67efc0578dbd11771a822461512cf1f74661aa4e863da0ed27367c4da72b405c` | -| `latest-dev` | November 27th | `sha256:1041bb468f88dab37b1e587b3ce05b76ef67d20a037a4b06041bb5ba30ee1e76` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:f18bc3b2d6673c62e7f1cf08b39de3981c8623179fd28ff09955f3fbbefb0612` | +| `latest-dev` | December 6th | `sha256:48f3d2b375c097b1152b777b22b937714586bf36fe2971239ec918f8b9e1f716` | diff --git a/content/chainguard/chainguard-images/reference/vela-cli/provenance_info.md b/content/chainguard/chainguard-images/reference/vela-cli/provenance_info.md index 5d3229d9bd..ee3c538288 100644 --- a/content/chainguard/chainguard-images/reference/vela-cli/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vela-cli/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for vela-cli Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **vela-cli** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/vela-cli | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vela-cli | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the vela-cl | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vela-cli image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vela-cli image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/vela-cli + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vela-cli ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/vela-cli/tags_history.md b/content/chainguard/chainguard-images/reference/vela-cli/tags_history.md index b8d68bdaa7..a45241c27e 100644 --- a/content/chainguard/chainguard-images/reference/vela-cli/tags_history.md +++ b/content/chainguard/chainguard-images/reference/vela-cli/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the vela-cli Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:7c9a77d9b23c8c6341ce9801105cc020d0cc1e65355b8968f317c9dc5cfce6a8` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:41d9befe2ab33b4aff812201bde6381b5693279a2677645c7bc58739e259aad3` | diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/provenance_info.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/provenance_info.md index bf3217e18d..f0915ff0ae 100644 --- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for vertical-pod-autoscaler-admission-controller Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **vertical-pod-autoscaler-admission-controller** Chainguard Images are signe The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the vertica | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-admission-controller image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-admission-controller image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vertical-pod-autoscaler-admission-controller ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/tags_history.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/tags_history.md index 23c435f171..5327af74bc 100644 --- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/tags_history.md +++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-admission-controller/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the vertical-pod-autoscaler-admission-controller Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:ff6fa6d6f3e24075ae6738d1a95fa69bdb089f70cccd28b443677e5a16981cbd` | -| `latest-dev` | November 29th | `sha256:91995bf076b6e69a3026984792be384bc8663d2ea4955ed7c3675f86d3da0836` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:32874937ddaff291f45ee752f33cefc2bf668a9f11d334818c90da759197b587` | +| `latest` | December 6th | `sha256:855b7535dbd28fb5d4263249d8b55fda1cea8b90591816e6d738f52333ffced4` | diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/provenance_info.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/provenance_info.md index a327db6470..31128892e9 100644 --- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for vertical-pod-autoscaler-recommender Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **vertical-pod-autoscaler-recommender** Chainguard Images are signed using S The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/vertical-pod-autoscaler-recommender | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vertical-pod-autoscaler-recommender | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the vertica | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-recommender image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-recommender image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/vertical-pod-autoscaler-recommender + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vertical-pod-autoscaler-recommender ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/tags_history.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/tags_history.md index ecdfdcd4f0..c70c4fd3e2 100644 --- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/tags_history.md +++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-recommender/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the vertical-pod-autoscaler-recommender Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:9cb1309ef7b4298b0706d85ae5bced89d074469bb03843c2e8c897482eec451e` | -| `latest` | November 29th | `sha256:ac922f4100fe1c37f9235bd6c444d1bdf11f4f3a13b91bb147a05d4ac2c844a0` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:1823c982719659550a7dd5e788f9b97992e5c8e50daba9937d0c1af37ea87edd` | +| `latest-dev` | December 6th | `sha256:6f5ac2b89c6e8f330739d45dbdbf6a21d512d5b8b1fa729c7dbdaa0627ea4b35` | diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/provenance_info.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/provenance_info.md index 0c30fe440c..4863cb032c 100644 --- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for vertical-pod-autoscaler-updater Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **vertical-pod-autoscaler-updater** Chainguard Images are signed using Sigst The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/vertical-pod-autoscaler-updater | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vertical-pod-autoscaler-updater | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the vertica | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-updater image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vertical-pod-autoscaler-updater image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/vertical-pod-autoscaler-updater + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vertical-pod-autoscaler-updater ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/tags_history.md b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/tags_history.md index 6b8722c6ca..af1ece97ca 100644 --- a/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/tags_history.md +++ b/content/chainguard/chainguard-images/reference/vertical-pod-autoscaler-updater/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the vertical-pod-autoscaler-updater Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:4330da0a3176f6419826e8aabbbb2119ac34c6779960ec27a5a3b079b19cde12` | -| `latest` | November 29th | `sha256:8f9ce9abc18d8593af399fc4a248cb977e18c226802b9945ce4d15a0dc50cb96` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:62e4c07b3d40922dc095511fb1f612d76672465b85b98a1651890a77b3b08ccd` | +| `latest` | December 6th | `sha256:020d973111762c3cff5b1415a22f70f50af7431995cb97874023cf67b0a7c40c` | diff --git a/content/chainguard/chainguard-images/reference/vt/provenance_info.md b/content/chainguard/chainguard-images/reference/vt/provenance_info.md index bf8de68e04..8aa57fd961 100644 --- a/content/chainguard/chainguard-images/reference/vt/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/vt/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for vt Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **vt** Chainguard Images are signed using Sigstore, and you can check the in The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/vt | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vt | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the vt imag | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vt image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the vt image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/vt + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/vt ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/vt/tags_history.md b/content/chainguard/chainguard-images/reference/vt/tags_history.md index d5279d17db..8713ee9bb9 100644 --- a/content/chainguard/chainguard-images/reference/vt/tags_history.md +++ b/content/chainguard/chainguard-images/reference/vt/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the vt Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:27c6f7cbf09a86e947ad5d84d9be1720de83838a80e50d5db0a877c769844e5d` | -| `latest-dev` | November 29th | `sha256:e37912d46b1a5e15e71896f9ce8d33efe6036a5010ab6f9112d70ac17073e49b` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:c93891ce0e3bc48d5a4e5a2a71e12c0adf539f1d39b1ba20f0fbc97c1ad06792` | +| `latest-dev` | December 6th | `sha256:ddebfcea48f170575a29e9c43b0ec4272b1e99862a35aac8c839bec619f91ba6` | diff --git a/content/chainguard/chainguard-images/reference/wait-for-it/provenance_info.md b/content/chainguard/chainguard-images/reference/wait-for-it/provenance_info.md index 3bcae1c4f5..37f710c6d6 100644 --- a/content/chainguard/chainguard-images/reference/wait-for-it/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wait-for-it/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for wait-for-it Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **wait-for-it** Chainguard Images are signed using Sigstore, and you can che The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/wait-for-it | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wait-for-it | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the wait-fo | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wait-for-it image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wait-for-it image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/wait-for-it + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wait-for-it ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/wait-for-it/tags_history.md b/content/chainguard/chainguard-images/reference/wait-for-it/tags_history.md index 43dce7cfaf..c746e1b229 100644 --- a/content/chainguard/chainguard-images/reference/wait-for-it/tags_history.md +++ b/content/chainguard/chainguard-images/reference/wait-for-it/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the wait-for-it Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 16th | `sha256:ffab5a8d7b7da2d04f433d0321cc5c34d8aa53bd15dd54eb2e4cd9c0d3d3cf5e` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:ceb278e61a71f6f36454d01b55434bae46ae654e9a786b634f1d485d9448e114` | diff --git a/content/chainguard/chainguard-images/reference/wasmer/provenance_info.md b/content/chainguard/chainguard-images/reference/wasmer/provenance_info.md index 184c005aea..e75f8f986d 100644 --- a/content/chainguard/chainguard-images/reference/wasmer/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wasmer/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for wasmer Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **wasmer** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/wasmer | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wasmer | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the wasmer | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wasmer image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wasmer image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/wasmer + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wasmer ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/wasmer/tags_history.md b/content/chainguard/chainguard-images/reference/wasmer/tags_history.md index 62987fbe8a..4ea03a85d2 100644 --- a/content/chainguard/chainguard-images/reference/wasmer/tags_history.md +++ b/content/chainguard/chainguard-images/reference/wasmer/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the wasmer Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:058c577d5ae19bb097c13984225eb64d21ec6086f0085331ea0093868be34dc1` | -| `latest` | November 29th | `sha256:3818f6761565b2356b330747f7adae02efd7904d628fba3eb1ee87ea0e0b7464` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:f81bb64c32bdef0714f4c7ccee134f409bc6ce01ad8c5b3ed4d361e90fb714b3` | +| `latest` | December 6th | `sha256:2fed31a6bf1566d350666486d985623d658db2c6c1ab2bfcb32c519b38e19b04` | diff --git a/content/chainguard/chainguard-images/reference/wasmtime/provenance_info.md b/content/chainguard/chainguard-images/reference/wasmtime/provenance_info.md index 3ec18cac17..6354d7c173 100644 --- a/content/chainguard/chainguard-images/reference/wasmtime/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wasmtime/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for wasmtime Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **wasmtime** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/wasmtime | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wasmtime | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the wasmtim | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wasmtime image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wasmtime image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/wasmtime + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wasmtime ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/wasmtime/tags_history.md b/content/chainguard/chainguard-images/reference/wasmtime/tags_history.md index f2de8598fd..a9f2ff38ad 100644 --- a/content/chainguard/chainguard-images/reference/wasmtime/tags_history.md +++ b/content/chainguard/chainguard-images/reference/wasmtime/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the wasmtime Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 27th | `sha256:4b37e51911a1dde7641ae23ec3885c75056c0ec9cd7b11bae9ffc8bee1187f74` | -| `latest` | November 22nd | `sha256:c130f345c30f339cb711bf4287f9507331dd055e60b33704ee0d6246cf9ee851` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:8c626aa7fd5a8c6cb29c175f455de24e3ee443f9a71477551fdc1156a70f8868` | +| `latest` | December 6th | `sha256:06977a956aff5e010df4394f8102333f403bc23eca29e7e33e32909ff5fba3f9` | diff --git a/content/chainguard/chainguard-images/reference/wavefront-proxy/provenance_info.md b/content/chainguard/chainguard-images/reference/wavefront-proxy/provenance_info.md index 582d7cc9b2..44d6596a96 100644 --- a/content/chainguard/chainguard-images/reference/wavefront-proxy/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wavefront-proxy/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for wavefront-proxy Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **wavefront-proxy** Chainguard Images are signed using Sigstore, and you can The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/wavefront-proxy | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wavefront-proxy | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the wavefro | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wavefront-proxy image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wavefront-proxy image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/wavefront-proxy + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wavefront-proxy ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/wavefront-proxy/tags_history.md b/content/chainguard/chainguard-images/reference/wavefront-proxy/tags_history.md index d5a4956fde..7096943a10 100644 --- a/content/chainguard/chainguard-images/reference/wavefront-proxy/tags_history.md +++ b/content/chainguard/chainguard-images/reference/wavefront-proxy/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the wavefront-proxy Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:da29ff140c9fb31e48803bfc2b5b59a290efe78b70483ae374a47fb09a163149` | -| `latest-dev` | November 29th | `sha256:afa6ce1132cbe4154ce95469762bb3a2ad02a86f7c9066b37cc3fc92d48b742f` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:a7ed987f739326c81206a19fcdbf9246d0d3772cd70d84929555892117ac001b` | +| `latest` | December 6th | `sha256:8552e32c772d771cbdafb933a6b54c8c2b686f70a599aec4a7aabf897b8ae0b1` | diff --git a/content/chainguard/chainguard-images/reference/wazero/provenance_info.md b/content/chainguard/chainguard-images/reference/wazero/provenance_info.md index ce7d0b9de1..21d93cab57 100644 --- a/content/chainguard/chainguard-images/reference/wazero/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wazero/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for wazero Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **wazero** Chainguard Images are signed using Sigstore, and you can check th The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/wazero | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wazero | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the wazero | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wazero image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wazero image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/wazero + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wazero ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/wazero/tags_history.md b/content/chainguard/chainguard-images/reference/wazero/tags_history.md index b596b235d1..fd8af218cb 100644 --- a/content/chainguard/chainguard-images/reference/wazero/tags_history.md +++ b/content/chainguard/chainguard-images/reference/wazero/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the wazero Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 27th | `sha256:24c9f019a6c8473b573451bd73d1777f2fadb297084403f38de1adfcfa245429` | -| `latest` | October 30th | `sha256:db284db9917faa47862e1f64c9d528456b6d970764054e635f9707badc145706` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:9671e987e07d03b2e4e8704a166da96d7360ccfc91c21d30fc135c7e7b502b0f` | +| `latest` | December 6th | `sha256:080a7c103b3503a27b06faa7c7b77c786ecaeff91998faab5ecde99eee1011d5` | diff --git a/content/chainguard/chainguard-images/reference/weaviate/provenance_info.md b/content/chainguard/chainguard-images/reference/weaviate/provenance_info.md index cd663fc717..365ae8f4db 100644 --- a/content/chainguard/chainguard-images/reference/weaviate/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/weaviate/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for weaviate Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **weaviate** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/weaviate | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/weaviate | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the weaviat | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the weaviate image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the weaviate image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/weaviate + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/weaviate ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/weaviate/tags_history.md b/content/chainguard/chainguard-images/reference/weaviate/tags_history.md index 021d1620ae..a1259a0b41 100644 --- a/content/chainguard/chainguard-images/reference/weaviate/tags_history.md +++ b/content/chainguard/chainguard-images/reference/weaviate/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the weaviate Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 27th | `sha256:572db68d831bdc3a5da4b7541d8f1e07105bb612c048935cf56d8c50d0859f51` | -| `latest` | November 27th | `sha256:fe1053b345560375fedfcf4fcfe1b1a558eaed03bcf4b713607eea451a735e97` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest-dev` | December 6th | `sha256:bd683543e3c46172e510faecba0b6d5247c8e69936ac4c56057d2d4aff890478` | +| `latest` | December 6th | `sha256:e097d1157ff126898935c8bcb3bc8fa2a08a83e2b848befc280014601d0ca400` | diff --git a/content/chainguard/chainguard-images/reference/wolfi-base/provenance_info.md b/content/chainguard/chainguard-images/reference/wolfi-base/provenance_info.md index 61247968e7..075fe31950 100644 --- a/content/chainguard/chainguard-images/reference/wolfi-base/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/wolfi-base/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for wolfi-base Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **wolfi-base** Chainguard Images are signed using Sigstore, and you can chec The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/wolfi-base | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wolfi-base | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the wolfi-b | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wolfi-base image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the wolfi-base image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/wolfi-base + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/wolfi-base ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/wolfi-base/tags_history.md b/content/chainguard/chainguard-images/reference/wolfi-base/tags_history.md index 5f5f247f8e..1ae2d27e0a 100644 --- a/content/chainguard/chainguard-images/reference/wolfi-base/tags_history.md +++ b/content/chainguard/chainguard-images/reference/wolfi-base/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the wolfi-base Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-06-22T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,7 +23,7 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|-----------|---------------|---------------------------------------------------------------------------| -| `latest` | November 27th | `sha256:91f3e08712a854ff4a146b7cca7f1b7581f205bc589a06135f51590e00d2990e` | +| Tag (s) | Last Changed | Digest | +|-----------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:575e8496bd9e839506cc5dca5a99cc2eebac714aa96032c24bb08516f7d78f63` | diff --git a/content/chainguard/chainguard-images/reference/zig/provenance_info.md b/content/chainguard/chainguard-images/reference/zig/provenance_info.md index 1caa3e4fc0..ca5d074486 100644 --- a/content/chainguard/chainguard-images/reference/zig/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/zig/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for zig Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **zig** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/zig | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/zig | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the zig ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zig image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zig image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/zig + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/zig ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/zig/tags_history.md b/content/chainguard/chainguard-images/reference/zig/tags_history.md index 04ac0a0c08..a406525485 100644 --- a/content/chainguard/chainguard-images/reference/zig/tags_history.md +++ b/content/chainguard/chainguard-images/reference/zig/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the zig Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:d7304b468cd85c8ba00d1a13bf242d68f65fd3207f866ede4b4a8c44605052ec` | -| `latest-dev` | November 27th | `sha256:aa6a585c305480bb1f20e1649cae48ecb457bda0f506e5e9166eb831b73e84fe` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:a3c19645826dce07ba8e555174ecc880fb2154a0df56e75698069c72f34356f8` | +| `latest-dev` | December 6th | `sha256:67cd38813c91da3569ee6deeefccc4826fd9d73afb2e171eabf00593364eb5a3` | diff --git a/content/chainguard/chainguard-images/reference/zookeeper/image_specs.md b/content/chainguard/chainguard-images/reference/zookeeper/image_specs.md index 9a6edb1af8..8da9525190 100644 --- a/content/chainguard/chainguard-images/reference/zookeeper/image_specs.md +++ b/content/chainguard/chainguard-images/reference/zookeeper/image_specs.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Detailed information about the public zookeeper Chainguard Image variants" date: 2023-03-07T11:07:52+02:00 -lastmod: 2023-03-07T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -50,6 +50,7 @@ The table shows package distribution across variants. | `busybox` | X | X | | `ca-certificates` | X | X | | `ca-certificates-bundle` | X | X | +| `coreutils` | X | X | | `fontconfig-config` | X | X | | `freetype` | X | X | | `git` | X | | @@ -59,6 +60,8 @@ The table shows package distribution across variants. | `java-cacerts` | X | X | | `java-common` | X | X | | `ld-linux` | X | X | +| `libacl1` | X | X | +| `libattr1` | X | X | | `libbrotlicommon1` | X | X | | `libbrotlidec1` | X | X | | `libbsd` | X | X | diff --git a/content/chainguard/chainguard-images/reference/zookeeper/provenance_info.md b/content/chainguard/chainguard-images/reference/zookeeper/provenance_info.md index 6ef6579af5..274f945f7d 100644 --- a/content/chainguard/chainguard-images/reference/zookeeper/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/zookeeper/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for zookeeper Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **zookeeper** Chainguard Images are signed using Sigstore, and you can check The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/zookeeper | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/zookeeper | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the zookeep | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zookeeper image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zookeeper image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/zookeeper + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/zookeeper ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/zookeeper/tags_history.md b/content/chainguard/chainguard-images/reference/zookeeper/tags_history.md index 4a6fbe2e16..db2ede6df0 100644 --- a/content/chainguard/chainguard-images/reference/zookeeper/tags_history.md +++ b/content/chainguard/chainguard-images/reference/zookeeper/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the zookeeper Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest-dev` | November 29th | `sha256:c975cf9a360e946e93adcdf7d417168f88f057729593050e579bcedc1cb96b64` | -| `latest` | November 29th | `sha256:f02cbbcf954a5b08ed6f461c54b239641736f8b410ee7e4cc9e6699b2e151842` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:5990e068fc6e70ca5a914357fae8941ad08a6f0088a59ab235f5313808bf8965` | +| `latest-dev` | December 6th | `sha256:8b49958276bac4ca0cf8a35e06651b4cf436acb7570ab77616e2324cde95968a` | diff --git a/content/chainguard/chainguard-images/reference/zot/provenance_info.md b/content/chainguard/chainguard-images/reference/zot/provenance_info.md index 0a6f12098a..e20ecfac2c 100644 --- a/content/chainguard/chainguard-images/reference/zot/provenance_info.md +++ b/content/chainguard/chainguard-images/reference/zot/provenance_info.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Provenance information for zot Chainguard Image" date: 2022-11-01T11:07:52+02:00 -lastmod: 2022-11-01T11:07:52+02:00 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -27,7 +27,10 @@ The **zot** Chainguard Images are signed using Sigstore, and you can check the i The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. ```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/zot | jq +cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/zot | jq ``` By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. @@ -43,7 +46,7 @@ The following [attestations](https://slsa.dev/attestation-model) for the zot ima | `https://spdx.dev/Document` | Contains the image SBOM (Software Bill of Materials) in SPDX format. | -To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zot image on `unix/amd64`: +To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the zot image on `linux/amd64`: ```shell cosign download attestation \ @@ -60,10 +63,10 @@ You can use the `cosign verify-attestation` command to check the signatures of t ```shell cosign verify-attestation \ ---type https://spdx.dev/Document \ ---certificate-oidc-issuer=https://token.actions.githubusercontent.com \ ---certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ -cgr.dev/chainguard/zot + --type https://spdx.dev/Document \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ + cgr.dev/chainguard/zot ``` This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign's transparency log: diff --git a/content/chainguard/chainguard-images/reference/zot/tags_history.md b/content/chainguard/chainguard-images/reference/zot/tags_history.md index b856273c6e..e3f6e26ed8 100644 --- a/content/chainguard/chainguard-images/reference/zot/tags_history.md +++ b/content/chainguard/chainguard-images/reference/zot/tags_history.md @@ -4,7 +4,7 @@ type: "article" unlisted: true description: "Image Tags and History for the zot Chainguard Image" date: 2023-06-22T11:07:52+02:00 -lastmod: 2023-11-30 00:18:09 +lastmod: 2023-12-06 18:44:36 draft: false tags: ["Reference", "Chainguard Images", "Product"] images: [] @@ -23,8 +23,8 @@ The following table contains the most recent tags and digests that can be used t Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). -| Tag (s) | Last Changed | Digest | -|---------------|---------------|---------------------------------------------------------------------------| -| `latest` | November 29th | `sha256:376751abad9324344f956c7f4803121230f109ea3c7b5c318ccaefd902964818` | -| `latest-dev` | November 29th | `sha256:5d3cdb4a63e043f2465daa5551d2a9728e3bf5718964721422c9e365bf72660a` | +| Tag (s) | Last Changed | Digest | +|---------------|--------------|---------------------------------------------------------------------------| +| `latest` | December 6th | `sha256:2fdc722d3fd4b43da504ea340bfc60091c5aaebc51be01a2b9c5c55a6e1acb1e` | +| `latest-dev` | December 6th | `sha256:9d5ddcf3aa8d611d0279bfca4e82990c8f79591028da27d190c5f6401b08e345` |