
sigstore-scaffolding-tsa-createcertchain

All Chainguard container images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image build and have a detailed list of everything that is packed within.

You'll need cosign and jq in order to download and verify image attestations.

Registry and Tags for sigstore-scaffolding-tsa-createcertchain Image

Attestations are provided per image build, so you'll need to specify the correct tag and registry when pulling attestations from an image with cosign.

  • cgr.dev/chainguard - the Public Registry contains our Starter Images, which typically comprise the latest* versions of an image.
  • cgr.dev/$ORGANIZATION - contains all Production Images that your organisation has access to.

The commands listed on this page will default to the latest tag, but you can specify a different tag to fetch attestations for.

Verifying sigstore-scaffolding-tsa-createcertchain Image Signatures

The sigstore-scaffolding-tsa-createcertchain Chainguard Containers are signed using Sigstore, and you can check the included signatures using cosign.

The cosign verify command will pull detailed information about all signatures found for the provided image.

Starter Images

cosign verify \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
  cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain | jq

Production Images

ORGANIZATION=<your-org-name>
CATALOG_SYNCER=$(chainctl iam account-associations describe $ORGANIZATION -o json | jq -r '.[].chainguard.service_bindings.CATALOG_SYNCER')
APKO_BUILDER=$(chainctl iam account-associations describe $ORGANIZATION -o json | jq -r '.[].chainguard.service_bindings.APKO_BUILDER')

cosign verify \
  --certificate-oidc-issuer=https://issuer.enforce.dev \
  --certificate-identity-regexp="https://issuer.enforce.dev/(${CATALOG_SYNCER}|${APKO_BUILDER})" \
  cgr.dev/${ORGANIZATION}/sigstore-scaffolding-tsa-createcertchain | jq

Downloading sigstore-scaffolding-tsa-createcertchain Image Attestations

The following attestations for the sigstore-scaffolding-tsa-createcertchain image can be obtained and verified via cosign:

Attestation Type - Description

  • https://slsa.dev/provenance/v1 - The SLSA 1.0 provenance attestation contains information about the image build environment.
  • https://apko.dev/image-configuration - Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point.
  • https://spdx.dev/Document - Contains the image SBOM (Software Bill of Materials) in SPDX format.

To download an attestation, use the cosign download attestation command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the sigstore-scaffolding-tsa-createcertchain image on linux/amd64:

Starter Images

cosign download attestation \
  --platform=linux/amd64 \
  --predicate-type=https://spdx.dev/Document \
  cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain | jq -r .payload | base64 -d | jq .predicate

Production Images

cosign download attestation \
  --platform=linux/amd64 \
  --predicate-type=https://spdx.dev/Document \
  cgr.dev/$ORGANIZATION/sigstore-scaffolding-tsa-createcertchain | jq -r .payload | base64 -d | jq .predicate

By default, this command will fetch the SBOM assigned to the latest tag. You can also specify the tag you want to fetch the attestation from.

To download a different attestation, replace the --predicate-type parameter value with the desired attestation URL identifier.
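
The download pipeline above decodes whatever the envelope carries, so a script that consumes the predicate should first confirm the envelope's payload type, the statement's predicateType, and that the statement's subject is the image digest being deployed. An added example of that check (not Chainguard's code; the function names, sample statement and digest are constructed for illustration):

```shell
#!/bin/sh
# Added example: unpack an attestation envelope and check it before use.
# Needs jq and base64, the same tools the page's pipeline uses.

# Read an envelope on stdin; print the decoded in-toto statement.
statement_from_envelope() {
  jq -er 'select(.payloadType == "application/vnd.in-toto+json") | .payload' \
    | base64 -d
}

# checked_predicate TYPE DIGEST: print the predicate only when the statement
# has predicateType TYPE and names a subject with sha256 DIGEST.
checked_predicate() {
  statement_from_envelope | jq -e --arg t "$1" --arg d "$2" '
    select(.predicateType == $t)
    | select(any(.subject[]; .digest.sha256 == $d))
    | .predicate'
}

# Constructed sample data (not a real attestation or digest).
SAMPLE_DIGEST=1111111111111111111111111111111111111111111111111111111111111111

sample_envelope() {
  stmt=$(jq -cn --arg d "$SAMPLE_DIGEST" '{
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "registry.example/image", "digest": {"sha256": $d}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "name": "constructed-sbom"}
  }')
  jq -cn --arg p "$(printf '%s' "$stmt" | base64 | tr -d '\n')" \
    '{payloadType: "application/vnd.in-toto+json", payload: $p, signatures: []}'
}

# Matching type and digest: the predicate is printed.
sample_envelope | checked_predicate https://spdx.dev/Document "$SAMPLE_DIGEST"
# Wrong predicate type: nothing is printed and the status is non-zero.
sample_envelope | checked_predicate https://slsa.dev/provenance/v1 \
  "$SAMPLE_DIGEST" || echo "rejected: predicate type mismatch" >&2
```

With a real image, pipe the cosign output into checked_predicate in place of sample_envelope, passing the sha256 digest of the image you intend to run.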

Verifying sigstore-scaffolding-tsa-createcertchain Image Attestations

You can use the cosign verify-attestation command to check the signatures of the sigstore-scaffolding-tsa-createcertchain image attestations:

Starter Images

cosign verify-attestation \
  --type https://spdx.dev/Document \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
  cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain

Production Images

ORGANIZATION=<your-org-name>
CATALOG_SYNCER=$(chainctl iam account-associations describe $ORGANIZATION -o json | jq -r '.[].chainguard.service_bindings.CATALOG_SYNCER')
APKO_BUILDER=$(chainctl iam account-associations describe $ORGANIZATION -o json | jq -r '.[].chainguard.service_bindings.APKO_BUILDER')

cosign verify-attestation \
  --type https://spdx.dev/Document \
  --certificate-oidc-issuer=https://issuer.enforce.dev \
  --certificate-identity-regexp="https://issuer.enforce.dev/(${CATALOG_SYNCER}|${APKO_BUILDER})" \
  cgr.dev/$ORGANIZATION/sigstore-scaffolding-tsa-createcertchain

This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation. You will receive output that verifies the SBOM attestation signature in cosign's transparency log:

Verification for cgr.dev/chainguard/sigstore-scaffolding-tsa-createcertchain --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject:  https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
Certificate issuer URL:  https://token.actions.githubusercontent.com
GitHub Workflow Trigger: schedule
GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696
GitHub Workflow Name: .github/workflows/release.yaml
GitHub Workflow Trigger chainguard-images/images
GitHub Workflow Ref: refs/heads/main
...
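
The Production Images commands above, here and in the signature verification section, build the identity regexp from two chainctl lookups. If a lookup fails, the variable ends up empty or set to null, and the alternation no longer pins a specific identity. An added example (not Chainguard's code) that validates both IDs and anchors the pattern; the function names are illustrative, and it assumes binding IDs contain only lowercase hex digits and "/" and that the certificate identity is exactly the issuer URL followed by the ID:

```shell
#!/bin/sh
# Added example: guard the identity regexp used for Production Images.
# Assumption: binding IDs contain only lowercase hex digits and "/"
# (the page does not state the format); widen the allow-list if yours differ.

# valid_binding_id ID: succeed only for a non-empty ID that is not the
# literal "null" and contains no characters outside the allow-list.
valid_binding_id() {
  case "$1" in
    ''|null) return 1 ;;
    *[!0-9a-f/]*) return 1 ;;
  esac
  return 0
}

# identity_regexp CATALOG_SYNCER APKO_BUILDER: print an anchored regexp,
# or fail without output if either ID is unusable.
identity_regexp() {
  for id in "$1" "$2"; do
    valid_binding_id "$id" || {
      echo "refusing to build identity regexp from '$id'" >&2
      return 1
    }
  done
  # Dots are escaped and the pattern is anchored at both ends, so it has to
  # cover the whole certificate identity rather than a substring of it.
  printf '^https://issuer\\.enforce\\.dev/(%s|%s)$\n' "$1" "$2"
}

# Constructed sample IDs (not real service bindings).
identity_regexp "0123abcd/aaaa0001" "0123abcd/bbbb0002"
identity_regexp "" "0123abcd/bbbb0002" || echo "empty lookup rejected" >&2

# Usage with the page's commands (needs chainctl and cosign, not run here):
#   IDENTITY_RE=$(identity_regexp "$CATALOG_SYNCER" "$APKO_BUILDER") || exit 1
#   cosign verify-attestation --type https://spdx.dev/Document \
#     --certificate-oidc-issuer=https://issuer.enforce.dev \
#     --certificate-identity-regexp="$IDENTITY_RE" \
#     cgr.dev/$ORGANIZATION/sigstore-scaffolding-tsa-createcertchain
```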

© 2025 Chainguard. All Rights Reserved.