Provenance Information for calico-pod2daemon Images
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
Verifying Image Signatures
The calico-pod2daemon Chainguard Images are signed using Sigstore, and you can check the included signatures using
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/calico-pod2daemon | jq
By default, this command will fetch signatures for the
latest tag. You can also specify the tag you want to fetch signatures for.
Downloading and Verifying SBOMs
All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool:
cosign download attestation \ --predicate-type=https://spdx.dev/Document \ cgr.dev/chainguard/calico-pod2daemon | jq -r .payload | base64 -d | jq
By default, this command will fetch the SBOM assigned to the
latest tag. You can also specify the tag you want to fetch the SBOM from.
With cosign 2.0+, you can use the
cosign verify-attestation command to check the signature of an SBOM:
cosign verify-attestation \ --type https://spdx.dev/Document \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ cgr.dev/chainguard/calico-pod2daemon
And you should get output that verifies the SBOM signature in cosign’s transparency log:
Verification for cgr.dev/chainguard/calico-pod2daemon -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates Certificate subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main Certificate issuer URL: https://token.actions.githubusercontent.com GitHub Workflow Trigger: schedule GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696 GitHub Workflow Name: .github/workflows/release.yaml GitHub Workflow Trigger chainguard-images/images GitHub Workflow Ref: refs/heads/main ...
Last updated: 2022-11-01 11:07