All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image build and have a detailed list of everything that is packed within.
You'll need cosign and jq in order to download and verify image attestations.
Attestations are provided per image build, so you'll need to specify the correct tag and registry when pulling attestations from an image with `cosign`.
- `cgr.dev/chainguard` - the Public Registry contains our Developer Images, which typically comprise the `latest*` versions of an image.
- `cgr.dev/<your-org-name>` - contains all Production Images that your organisation has access to.

The commands listed on this page will default to the `latest` tag, but you can specify a different tag to fetch attestations for.
The openbao Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`.

The `cosign verify` command will pull detailed information about all signatures found for the provided image.
The following attestations for the openbao image can be obtained and verified via cosign:
Attestation Type | Description |
---|---|
| The SLSA 1.0 provenance attestation contains information about the image build environment. |
| Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
| Contains the image SBOM (Software Bill of Materials) in SPDX format. |
To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the openbao image on `linux/amd64`:
By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the attestation from.
To download a different attestation, replace the `--predicate-type` parameter value with the desired attestation URL identifier.
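
What cosign prints for an attestation is one JSON envelope per line, with the in-toto statement base64-encoded in its `payload` field. The following added example (not taken from Chainguard's documentation) decodes that output, keeps only the SPDX statement whose subject matches an expected image digest, and lists its packages. Assumptions: the sample envelopes, digest, package names and versions are constructed, and `https://spdx.dev/Document` is assumed to be the SPDX predicate type identifier.

```python
import base64
import json

SPDX_PREDICATE = "https://spdx.dev/Document"  # assumed SPDX predicate type URI
INTOTO_PAYLOAD = "application/vnd.in-toto+json"

def decode_statements(cosign_output):
    """Yield the in-toto statement wrapped in each envelope (one JSON object per line)."""
    for line in cosign_output.splitlines():
        if line.strip():
            envelope = json.loads(line)
            if envelope.get("payloadType") == INTOTO_PAYLOAD:
                yield json.loads(base64.b64decode(envelope["payload"]))

def sbom_packages(cosign_output, expected_digest):
    """Return (name, version) pairs from SPDX statements bound to expected_digest."""
    algo, _, value = expected_digest.partition(":")
    packages, matched = [], False
    for stmt in decode_statements(cosign_output):
        if stmt.get("predicateType") != SPDX_PREDICATE:
            continue  # another attestation type, e.g. provenance
        subjects = stmt.get("subject", [])
        if not any(s.get("digest", {}).get(algo) == value for s in subjects):
            continue  # statement describes a different image build
        matched = True
        for pkg in stmt["predicate"].get("packages", []):
            packages.append((pkg.get("name"), pkg.get("versionInfo")))
    if not matched:
        raise ValueError("no SPDX attestation for " + expected_digest)
    return packages

def _envelope(statement):
    """Build a constructed envelope shaped like one line of cosign output."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": INTOTO_PAYLOAD, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "CONSTRUCTED"}]})

# Constructed sample: digest, package names and versions are placeholders.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
_SUBJECT = [{"name": "cgr.dev/chainguard/openbao", "digest": {"sha256": "ab" * 32}}]
SAMPLE_OUTPUT = "\n".join([
    _envelope({"predicateType": "https://slsa.dev/provenance/v1", "subject": _SUBJECT}),
    _envelope({"predicateType": SPDX_PREDICATE, "subject": _SUBJECT,
               "predicate": {"packages": [
                   {"name": "openbao", "versionInfo": "0.0.0-constructed"},
                   {"name": "busybox", "versionInfo": "0.0.0-constructed"}]}}),
])
if __name__ == "__main__":
    print(sbom_packages(SAMPLE_OUTPUT, SAMPLE_DIGEST))
```

Downloading an attestation does not check its signature, so when the package list gates a deployment, feed this parser the output of `cosign verify-attestation` rather than a bare download.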
You can use the `cosign verify-attestation` command to check the signatures of the openbao image attestations:
This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You will receive output that verifies the SBOM attestation signature in cosign's transparency log: