All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
The aws-efs-csi-driver Chainguard Images are signed using Sigstore, and you can check the included signatures using cosign.
The following command requires cosign and jq to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
cosign verify \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
  cgr.dev/chainguard/aws-efs-csi-driver | jq
By default, this command will fetch signatures for the latest tag. You can also specify the tag you want to fetch signatures for.
All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
cosign download attestation \
  --predicate-type=https://spdx.dev/Document \
  cgr.dev/chainguard/aws-efs-csi-driver | jq -r .payload | base64 -d | jq
By default, this command will fetch the SBOM assigned to the latest tag. You can also specify the tag you want to fetch the SBOM from.
With cosign 2.0+, you can use the cosign verify-attestation command to check the signature of an SBOM:
cosign verify-attestation \
  --type https://spdx.dev/Document \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
  cgr.dev/chainguard/aws-efs-csi-driver
And you should get output that verifies the SBOM signature in cosign’s transparency log:
Verification for cgr.dev/chainguard/aws-efs-csi-driver --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: schedule
GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696
GitHub Workflow Name: .github/workflows/release.yaml
GitHub Workflow Trigger chainguard-images/images
GitHub Workflow Ref: refs/heads/main
...
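The attestation that cosign returns is a JSON envelope whose payload field is a base64-encoded in-toto statement wrapping the SPDX document. The following is an added example, not part of the Chainguard documentation: it decodes one such envelope, checks the predicate type and the subject digest, and lists the packages. The function names, the sample digest and the sample package versions are constructed for illustration.

```python
import base64
import json

SPDX_PREDICATE = "https://spdx.dev/Document"
INTOTO_PAYLOAD = "application/vnd.in-toto+json"


def sbom_packages(envelope_line, expected_sha256):
    """Return [(name, version)] from one attestation envelope (one JSON line)."""
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != INTOTO_PAYLOAD:
        raise ValueError("not an in-toto attestation envelope")
    # Same step as `jq -r .payload | base64 -d` in the download command.
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SPDX_PREDICATE:
        raise ValueError("predicate is not an SPDX document")
    # The statement must describe the image digest you actually run.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_sha256 not in digests:
        raise ValueError("attestation subject does not match the image digest")
    packages = statement["predicate"].get("packages", [])
    return sorted((p["name"], p.get("versionInfo", "")) for p in packages)


def _constructed_envelope(sha256, packages):
    """Build a sample envelope for the demo; every value is constructed."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SPDX_PREDICATE,
        "subject": [{"name": "cgr.dev/chainguard/aws-efs-csi-driver",
                     "digest": {"sha256": sha256}}],
        "predicate": {"spdxVersion": "SPDX-2.3", "packages": packages},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": INTOTO_PAYLOAD, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "CONSTRUCTED"}]})


SAMPLE_DIGEST = "0" * 64  # placeholder digest, not a real image
SAMPLE = _constructed_envelope(SAMPLE_DIGEST, [
    {"name": "busybox", "versionInfo": "1.36.1-r0"},            # constructed
    {"name": "aws-efs-csi-driver", "versionInfo": "1.7.0-r0"},  # constructed
])

if __name__ == "__main__":
    for name, version in sbom_packages(SAMPLE, SAMPLE_DIGEST):
        print(name, version)
```

cosign download attestation does not check signatures, so treat the package list as trustworthy only for an image on which cosign verify-attestation has succeeded.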