Provenance Information for sdk Images

All Chainguard Images ship with verifiable signatures and high-quality SBOMs (software bills of materials). Together these let users confirm where each image was built and obtain a detailed list of everything packed inside it.

Verifying Image Signatures

The sdk Chainguard Images are signed using Sigstore, and you can check the included signatures using cosign.

The following command requires cosign and jq to be installed on your machine. It pulls every signature found for the given image and prints the verified claims as JSON. The two certificate flags are what make the check meaningful: they pin the expected OIDC issuer (GitHub Actions) and the exact signing identity (the release workflow in the chainguard-images/images repository), so a signature produced by any other identity is rejected rather than accepted as "signed by someone".

cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/sdk | jq

By default, this command verifies the signatures for the latest tag; append a tag (for example, cgr.dev/chainguard/sdk:latest-dev) to verify a different one. Tags are mutable, so the value to carry forward is the docker-manifest-digest reported in the output: pin deployments to that digest (cgr.dev/chainguard/sdk@sha256:...) so that what you run is exactly what was verified.

Verifying SBOMs

All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) generated at build time. Because images are multi-architecture, each platform has its own SBOM; the --platform flag selects which one to download with the cosign tool:

cosign download sbom --platform linux/amd64 cgr.dev/chainguard/sdk | jq

By default, this command fetches the SBOM attached to the latest tag. You can also specify the tag you want to fetch the SBOM from. Note that cosign download sbom retrieves the document without checking its signature (cosign itself prints a warning to that effect); if the SBOM feeds a policy decision, fetch it as a signed attestation with cosign verify-attestation, using the same issuer and identity flags as the signature check above.
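The two commands above produce JSON that a CI pipeline usually has to act on: confirm that the signer cosign reported is the expected one, pin the image to the verified digest, and read the package list out of the SBOM. The following is an added example written for this page, not code from Chainguard or cosign, showing how to consume both outputs offline. The two embedded JSON documents are constructed stand-ins for `cosign verify | jq` and `cosign download sbom | jq` output; the digest, package names and versions in them are invented and do not describe the real sdk image.

```python
"""Consume cosign output: check the reported signer, pin the digest, read the SBOM.

Added example for this page (not Chainguard's or cosign's code). The JSON
documents below are constructed stand-ins for cosign output; the digest and
the package names/versions are made up.
"""
import json

EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY = ("https://github.com/chainguard-images/images/"
                     ".github/workflows/release.yaml@refs/heads/main")
IMAGE = "cgr.dev/chainguard/sdk"
FAKE_DIGEST = "sha256:" + "ab" * 32   # constructed, not the real manifest digest

# Constructed stand-in for `cosign verify ... | jq` output (one signature entry).
VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": IMAGE},
        "image": {"docker-manifest-digest": FAKE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {"Issuer": EXPECTED_ISSUER, "Subject": EXPECTED_IDENTITY},
}])

# Constructed stand-in for an SPDX JSON SBOM; packages and versions are invented.
SBOM_OUTPUT = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "sbom-" + FAKE_DIGEST,
    "packages": [
        {"name": "openssl", "versionInfo": "3.2.1-r0"},
        {"name": "ca-certificates-bundle", "versionInfo": "20240226-r0"},
        {"name": "busybox", "versionInfo": "1.36.1-r5"},
    ],
})


def verified_digest(verify_json, image, issuer, identity):
    """Return the manifest digest attested by `cosign verify` output.

    cosign has already checked the signatures cryptographically; this re-checks
    that the claims it printed are the ones the pipeline expects (exact issuer
    and identity, the right image reference) and that every entry names the
    same digest, so the caller can pin to it instead of a mutable tag.
    """
    entries = json.loads(verify_json)
    if not entries:
        raise ValueError("no signatures returned")
    digests = set()
    for sig in entries:
        crit, opt = sig["critical"], sig.get("optional", {})
        if crit["identity"]["docker-reference"] != image:
            raise ValueError("signature is for a different image reference")
        if opt.get("Issuer") != issuer or opt.get("Subject") != identity:
            raise ValueError("unexpected signer: issuer=%r subject=%r"
                             % (opt.get("Issuer"), opt.get("Subject")))
        digests.add(crit["image"]["docker-manifest-digest"])
    if len(digests) != 1:
        raise ValueError("signatures disagree on the manifest digest")
    return digests.pop()


def pinned_reference(image, digest):
    """Swap a mutable tag for the verified digest: repo[:tag] -> repo@sha256:..."""
    repo = image.split("@", 1)[0]                 # drop any existing digest
    head, sep, last = repo.rpartition("/")        # a registry port stays in `head`
    return "%s%s%s@%s" % (head, sep, last.split(":", 1)[0], digest)


def sbom_packages(sbom_json):
    """Map package name -> version from the `packages` list of an SPDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX document")
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


if __name__ == "__main__":
    digest = verified_digest(VERIFY_OUTPUT, IMAGE, EXPECTED_ISSUER, EXPECTED_IDENTITY)
    print("pull by digest:", pinned_reference(IMAGE + ":latest", digest))
    for name, version in sorted(sbom_packages(SBOM_OUTPUT).items()):
        print("%-25s %s" % (name, version))
```

In a real pipeline, replace the two constants with the captured stdout of the cosign commands; the identity check is exact string equality on purpose, since accepting a pattern here would widen the set of workflows whose signatures are trusted.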