All Chainguard container images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image build and have a detailed list of everything that is packed within.
You'll need cosign and jq in order to download and verify image attestations.
Registry and Tags for r-base Image
Attestations are provided per image build, so you'll need to specify the correct tag and registry when pulling attestations from an image with cosign.
- cgr.dev/chainguard - the Public Registry contains our Starter Images, which typically comprise the latest* versions of an image.
- cgr.dev/$ORGANIZATION - contains all Production Images that your organisation has access to.
The commands listed on this page will default to the latest tag, but you can specify a different tag to fetch attestations for.
Verifying r-base Image Signatures
The r-base Chainguard Containers are signed using Sigstore, and you can check the included signatures using cosign. The cosign verify command will pull detailed information about all signatures found for the provided image.
Starter Images
cosign verify \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
cgr.dev/chainguard/r-base | jq
Production Images
ORGANIZATION=<your-org-name>
CATALOG_SYNCER=$(chainctl iam account-associations describe $ORGANIZATION -o json | jq -r '.[].chainguard.service_bindings.CATALOG_SYNCER')
APKO_BUILDER=$(chainctl iam account-associations describe $ORGANIZATION -o json | jq -r '.[].chainguard.service_bindings.APKO_BUILDER')
cosign verify \
--certificate-oidc-issuer=https://issuer.enforce.dev \
--certificate-identity-regexp="https://issuer.enforce.dev/(${CATALOG_SYNCER}|${APKO_BUILDER})" \
cgr.dev/${ORGANIZATION}/r-base | jq
Downloading r-base Image Attestations
The following attestations for the r-base image can be obtained and verified via cosign:
Attestation Type | Description
---|---
https://slsa.dev/provenance/v1 | The SLSA 1.0 provenance attestation contains information about the image build environment.
https://apko.dev/image-configuration | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point.
https://spdx.dev/Document | Contains the image SBOM (Software Bill of Materials) in SPDX format.
To download an attestation, use the cosign download attestation command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the r-base image on linux/amd64:
Starter Images
cosign download attestation \
--platform=linux/amd64 \
--predicate-type=https://spdx.dev/Document \
cgr.dev/chainguard/r-base | jq -r .payload | base64 -d | jq .predicate
Production Images
cosign download attestation \
--platform=linux/amd64 \
--predicate-type=https://spdx.dev/Document \
cgr.dev/$ORGANIZATION/r-base | jq -r .payload | base64 -d | jq .predicate
By default, this command will fetch the SBOM assigned to the latest tag. You can also specify the tag you want to fetch the attestation from.
To download a different attestation, replace the --predicate-type parameter value with the desired attestation URL identifier.
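The jq/base64 pipeline above unwraps the DSSE envelope that cosign download attestation prints (one JSON envelope per line when several attestations match) and leaves you with the in-toto statement's predicate, i.e. the SPDX document. The following added example (not part of the Chainguard page or cosign itself) does the same unwrapping in Python, checks that the statement's predicateType is the one you asked for, and summarises the SPDX packages, which is what most people actually want from the SBOM. The envelope, package names and versions embedded below are constructed sample data, not a real r-base attestation.

```python
import base64
import json

# Constructed sample envelope in the shape `cosign download attestation` prints.
# A real envelope carries a full SPDX document and a real signature.
_PREDICATE = {
    "spdxVersion": "SPDX-2.3",
    "name": "sbom-sha256:constructed-sample",
    "packages": [
        {"name": "r-base", "versionInfo": "0.0.0-r0", "licenseDeclared": "GPL-2.0-or-later"},
        {"name": "glibc", "versionInfo": "0.0.0-r0", "licenseDeclared": "LGPL-2.1-or-later"},
    ],
}
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "cgr.dev/chainguard/r-base", "digest": {"sha256": "0" * 64}}],
    "predicate": _PREDICATE,
}
SAMPLE_ENVELOPE_LINE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
})


def decode_envelopes(output: str) -> list:
    """Equivalent of `jq -r .payload | base64 -d`: decode every DSSE envelope
    line into its in-toto statement (a dict)."""
    statements = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        envelope = json.loads(line)
        payload = base64.b64decode(envelope["payload"])
        statements.append(json.loads(payload))
    return statements


def select_predicate(statements: list, predicate_type: str) -> dict:
    """Return the predicate of the statement whose predicateType matches.
    Refuse to silently hand back a different attestation kind."""
    for stmt in statements:
        if stmt.get("predicateType") == predicate_type:
            return stmt["predicate"]
    found = sorted({s.get("predicateType", "<none>") for s in statements})
    raise ValueError(f"no attestation of type {predicate_type}; found {found}")


def list_packages(predicate: dict) -> list:
    """Summarise an SPDX predicate as (name, version) tuples."""
    return [(p["name"], p.get("versionInfo", "")) for p in predicate.get("packages", [])]


def sbom_packages(output: str) -> list:
    """Full pipeline: envelope line(s) -> SPDX predicate -> package list."""
    predicate = select_predicate(decode_envelopes(output), "https://spdx.dev/Document")
    return list_packages(predicate)


if __name__ == "__main__":
    # In practice: feed it the stdout of `cosign download attestation ...`.
    for name, version in sbom_packages(SAMPLE_ENVELOPE_LINE):
        print(f"{name}\t{version}")
```

Decoding the payload only tells you what the attestation claims; it does not establish who produced it. Keep the cosign verify-attestation step described in the next section in front of anything that acts on the SBOM's contents.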
Verifying r-base Image Attestations
You can use the cosign verify-attestation command to check the signatures of the r-base image attestations:
Starter Images
cosign verify-attestation \
--type https://spdx.dev/Document \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
cgr.dev/chainguard/r-base
Production Images
cosign verify-attestation \
--type https://spdx.dev/Document \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/chainguard-images/images-private/.github/workflows/release.yaml@refs/heads/main \
cgr.dev/$ORGANIZATION/r-base
This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation. You will receive output that verifies the SBOM attestation signature in cosign's transparency log:
Verification for cgr.dev/chainguard/r-base --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: schedule
GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696
GitHub Workflow Name: .github/workflows/release.yaml
GitHub Workflow Trigger chainguard-images/images
GitHub Workflow Ref: refs/heads/main
...