Provenance Information for sdk Images
All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within.
Verifying Image Signatures
The sdk Chainguard Images are signed using Sigstore, and you can check the included signatures using cosign.
The following command requires cosign and jq to be installed on your machine. It will pull detailed information about all signatures found for the provided image.
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sdk | jq
By default, this command will fetch signatures for the latest tag. You can also specify the tag you want to fetch signatures for.
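The cosign command above prints a JSON array of signature payloads. A consumer will usually want to go one step further and confirm that the digest it actually pulls is among the digests those signatures cover, and that each signature's certificate identity matches the expected GitHub Actions workflow. The following is an added example, not part of the Chainguard documentation: it applies that check to a constructed sample of the verify output (the digest in it is a placeholder, and the `Issuer`/`Subject` fields follow cosign's simple-signing payload format).

```python
"""Policy check over the JSON printed by `cosign verify ... | jq`."""
import json

# Values taken from the cosign command on this page.
IMAGE_REF = "cgr.dev/chainguard/sdk"
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_SUBJECT = (
    "https://github.com/chainguard-images/images/"
    ".github/workflows/release.yaml@refs/heads/main"
)

# Constructed sample modelled on cosign's output; the digest is a placeholder, not a real one.
PLACEHOLDER_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": IMAGE_REF},
            "image": {"docker-manifest-digest": PLACEHOLDER_DIGEST},
            "type": "cosign container image signature",
        },
        "optional": {
            "Issuer": EXPECTED_ISSUER,
            "Subject": EXPECTED_SUBJECT,
        },
    }
])


def signed_digests(verify_output, image_ref, issuer, subject):
    """Return the manifest digests covered by signatures that satisfy the policy.

    A payload only counts if it is a container image signature for the expected
    image reference and was issued to the expected identity by the expected issuer.
    """
    digests = set()
    for payload in json.loads(verify_output):
        critical = payload.get("critical", {})
        optional = payload.get("optional") or {}
        if critical.get("type") != "cosign container image signature":
            continue
        if critical.get("identity", {}).get("docker-reference") != image_ref:
            continue
        if optional.get("Issuer") != issuer or optional.get("Subject") != subject:
            continue
        digest = critical.get("image", {}).get("docker-manifest-digest", "")
        # sha256: prefix plus 64 hex characters
        if digest.startswith("sha256:") and len(digest) == 71:
            digests.add(digest)
    return digests


def pulled_digest_is_signed(pulled_digest, verify_output,
                            image_ref=IMAGE_REF,
                            issuer=EXPECTED_ISSUER,
                            subject=EXPECTED_SUBJECT):
    """True only if the digest you are about to run has a policy-conforming signature."""
    return pulled_digest in signed_digests(verify_output, image_ref, issuer, subject)


if __name__ == "__main__":
    print(pulled_digest_is_signed(PLACEHOLDER_DIGEST, SAMPLE_VERIFY_OUTPUT))
```

Pinning to the signed digest rather than to a mutable tag closes the gap between "a signature exists for this tag" and "the bytes I am running are the ones that were signed".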
Downloading SBOMs
All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) generated at build-time. The SBOM can be downloaded using the cosign tool:
cosign download sbom --platform linux/amd64 cgr.dev/chainguard/sdk | jq
By default, this command will fetch the SBOM assigned to the latest tag. You can also specify the tag you want to fetch the SBOM from.
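Once the SBOM is downloaded, the practical questions are "which packages, at which versions, are in this image?" and "is a given package present?". The following is an added example, not part of the Chainguard documentation: it reads an SPDX JSON document of the shape `cosign download sbom` returns and answers those questions. The package names, versions and package URLs in the embedded sample are constructed placeholders, not the actual contents of the sdk image.

```python
"""Summarise packages from an SPDX JSON SBOM such as `cosign download sbom` returns."""
import json

# Constructed sample SBOM: shape follows SPDX 2.x JSON, contents are placeholders.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sbom-sha256:PLACEHOLDER",
    "packages": [
        {
            "name": "example-runtime",
            "SPDXID": "SPDXRef-Package-example-runtime",
            "versionInfo": "1.0.0-r0",
            "licenseDeclared": "Apache-2.0",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:apk/example/example-runtime@1.0.0-r0?arch=x86_64",
            }],
        },
        {
            "name": "example-libc",
            "SPDXID": "SPDXRef-Package-example-libc",
            "versionInfo": "2.0.0-r1",
            "licenseDeclared": "MIT",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:apk/example/example-libc@2.0.0-r1?arch=x86_64",
            }],
        },
    ],
})


def _purl(package):
    """Return the package URL recorded in externalRefs, or None if there is none."""
    for ref in package.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def list_packages(sbom_json):
    """Return a sorted list of (name, version, purl) tuples for every package in the SBOM."""
    doc = json.loads(sbom_json)
    rows = []
    for package in doc.get("packages", []):
        rows.append((
            package.get("name", ""),
            package.get("versionInfo", ""),
            _purl(package),
        ))
    return sorted(rows)


def find_package(sbom_json, name):
    """Return the version of the named package, or None if the image does not contain it."""
    for pkg_name, version, _ in list_packages(sbom_json):
        if pkg_name == name:
            return version
    return None


def license_summary(sbom_json):
    """Map each declared license to the number of packages declaring it."""
    doc = json.loads(sbom_json)
    counts = {}
    for package in doc.get("packages", []):
        lic = package.get("licenseDeclared", "NOASSERTION")
        counts[lic] = counts.get(lic, 0) + 1
    return counts


if __name__ == "__main__":
    for name, version, purl in list_packages(SAMPLE_SBOM):
        print(f"{name:20} {version:12} {purl}")
    print(license_summary(SAMPLE_SBOM))
```

Feeding the real output of `cosign download sbom --platform linux/amd64 cgr.dev/chainguard/sdk` into `list_packages` gives the inventory to compare against vulnerability advisories or an allowed-license list.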