Provenance Information for karpenter Images
All Chainguard Images ship with verifiable signatures and high-quality SBOMs (software bills of materials), which let users confirm the origin of each image build and obtain a detailed list of everything packed inside it.
Verifying karpenter Image Signatures
The karpenter Chainguard Images are signed using Sigstore, and you can check the included signatures using cosign:

    cosign verify \
      --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
      --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
      cgr.dev/chainguard/karpenter | jq

By default, this command will fetch signatures for the latest tag. You can also specify the tag you want to fetch signatures for.
Downloading karpenter Image Attestations
The following attestations for the karpenter image can be obtained and verified via cosign:
| Attestation | Description |
|---|---|
| SLSA 1.0 provenance | Contains information about the image build environment. |
| Build configuration | Contains the configuration used by that particular image build, including direct dependencies, user accounts, and entry point. |
| SBOM (predicate type https://spdx.dev/Document) | Contains the image SBOM (Software Bill of Materials) in SPDX format. |
To download an attestation, use the cosign download attestation command and provide both the predicate type and the build platform. For example, the following command obtains the SBOM for the linux/amd64 karpenter image:

    cosign download attestation \
      --platform=linux/amd64 \
      --predicate-type=https://spdx.dev/Document \
      cgr.dev/chainguard/karpenter | jq -r .payload | base64 -d | jq .predicate

By default, this command will fetch the SBOM assigned to the latest tag. You can also specify the tag you want to fetch the attestation from.

To download a different attestation, replace the --predicate-type parameter value with the desired attestation's URL identifier.
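The jq pipeline above simply unwraps the DSSE envelope that cosign download attestation prints. The following added example (not Chainguard's or cosign's code) does the same unwrapping in Python but also refuses the statement unless its predicateType and subject digest match what you expect, which matters when you fetch by a moving tag such as latest; the envelope, digest and package versions are constructed placeholders, and signatures are still left to cosign verify-attestation.

```python
import base64
import json

# Predicate type this page uses for the SPDX SBOM attestation.
SPDX_PREDICATE = "https://spdx.dev/Document"
STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}


def extract_predicate(envelope_line: str, predicate_type: str, sha256: str) -> dict:
    """Decode one DSSE envelope line (what `cosign download attestation` prints) and
    return its predicate, refusing it unless the in-toto statement carries the expected
    predicateType and names the expected image digest. Signatures are not checked here."""
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") not in STATEMENT_TYPES:
        raise ValueError(f"unexpected statement type: {statement.get('_type')}")
    if statement.get("predicateType") != predicate_type:
        raise ValueError(f"unexpected predicateType: {statement.get('predicateType')}")
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if sha256 not in subjects:
        raise ValueError("attestation subject does not name the expected image digest")
    return statement["predicate"]


def spdx_packages(predicate: dict) -> list[tuple[str, str]]:
    """Return (name, version) pairs from an SPDX 2.x document's package list."""
    return [(p.get("name", ""), p.get("versionInfo", "")) for p in predicate.get("packages", [])]


# Constructed sample (not real karpenter data): a minimal SPDX statement wrapped in a
# DSSE envelope the way cosign prints it. The digest and versions are placeholders.
PLACEHOLDER_DIGEST = "0" * 64
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE,
    "subject": [{"name": "cgr.dev/chainguard/karpenter", "digest": {"sha256": PLACEHOLDER_DIGEST}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "karpenter", "versionInfo": "0.0.0-placeholder"},
        {"name": "ca-certificates-bundle", "versionInfo": "0.0.0-placeholder"}]},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "placeholder"}],
})

if __name__ == "__main__":
    for name, version in spdx_packages(extract_predicate(SAMPLE_ENVELOPE, SPDX_PREDICATE, PLACEHOLDER_DIGEST)):
        print(name, version)
```

With real output, feed each line cosign prints (one envelope per attestation) to extract_predicate and pass the digest from the image reference you actually deployed.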
Verifying karpenter Image Attestations
You can use the cosign verify-attestation command to check the signatures of the karpenter image attestations:

    cosign verify-attestation \
      --type https://spdx.dev/Document \
      --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
      --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
      cgr.dev/chainguard/karpenter

This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation. You should get output that verifies the SBOM attestation signature in cosign’s transparency log:

    Verification for cgr.dev/chainguard/karpenter --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - Existence of the claims in the transparency log was verified offline
      - The code-signing certificate was verified using trusted certificate authority certificates
    Certificate subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
    Certificate issuer URL: https://token.actions.githubusercontent.com
    GitHub Workflow Trigger: schedule
    GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696
    GitHub Workflow Name: .github/workflows/release.yaml
    GitHub Workflow Repository: chainguard-images/images
    GitHub Workflow Ref: refs/heads/main
    ...
Last updated: 2023-12-06 18:44