Security: aslafy-z/capsule-argo-addon

SECURITY.md

Release Artifacts

See all the available artifacts

Verifying

To verify artifacts you need to have cosign installed. This guide assumes you are using v2.x of cosign. All of the signatures are created using keyless signing. To verify the signature of the docker image, run the following command. Replace <release_tag> with an available release tag: the release version without the v prefix (e.g. 0.1.0-alpha.3).

# Set the tag first: an assignment placed before the command is not visible to ${VERSION} on that same line.
VERSION=<release_tag>
cosign verify ghcr.io/peak-scale/capsule-argo-addon:${VERSION} \
  --certificate-identity-regexp="https://github.com/peak-scale/capsule-argo-addon/.github/workflows/docker-publish.yml@refs/tags/*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq

To verify the signature of the helm image, run the following command. Replace <release_tag> with an available release tag: the release version without the v prefix (e.g. 0.1.0-alpha.3).

# Set the tag first: an assignment placed before the command is not visible to ${VERSION} on that same line.
VERSION=<release_tag>
cosign verify ghcr.io/peak-scale/charts/capsule-argo-addon:${VERSION} \
  --certificate-identity-regexp="https://github.com/peak-scale/capsule-argo-addon/.github/workflows/helm-publish.yml@refs/tags/*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq

Verifying Provenance

We create and attest the provenance of our builds using the SLSA standard, and the build process meets the SLSA Level 3 specification. The attested provenance may be verified using the cosign tool.

Verify the provenance of the docker image. Replace <release_tag> with an available release tag: the release version without the v prefix (e.g. 0.1.0-alpha.3).

cosign verify-attestation --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/peak-scale/capsule-argo-addon:<release_tag> | jq .payload -r | base64 --decode | jq

Verify the provenance of the helm image. Replace <release_tag> with an available release tag: the release version without the v prefix (e.g. 0.1.0-alpha.3).

# Set the tag first: an assignment placed before the command is not visible to ${VERSION} on that same line.
VERSION=<release_tag>
cosign verify-attestation --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  "ghcr.io/peak-scale/charts/capsule-argo-addon:${VERSION}" | jq .payload -r | base64 --decode | jq
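As an added example (not part of the project's SECURITY.md), the Python below checks the content of the decoded attestation that the commands above print: cosign verify-attestation proves who signed the envelope, but the subject digest, builder id and source tag still have to be compared with the image you are about to deploy. It assumes the v0.2 provenance layout emitted by slsa-github-generator (predicateType, predicate.builder.id, predicate.invocation.configSource.uri); the sample statement, its digest and the builder version are constructed placeholders.

```python
import base64
import json

# Builder identity the page's verify-attestation commands trust; the tag suffix varies per release.
EXPECTED_BUILDER_PREFIX = ("https://github.com/slsa-framework/slsa-github-generator"
                           "/.github/workflows/generator_container_slsa3.yml@refs/tags/")
SOURCE_REPO = "git+https://github.com/peak-scale/capsule-argo-addon"

def check_provenance(envelope_json, image_repo, image_digest, source_tag):
    """cosign verify-attestation checks who signed; this checks what the envelope says.
    Returns a list of problems, empty when the provenance covers the given image digest,
    names the trusted builder and records the expected source tag."""
    envelope = json.loads(envelope_json)
    # Same decoding as the page's `jq .payload -r | base64 --decode` step.
    statement = json.loads(base64.b64decode(envelope["payload"]))
    problems = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType %r" % statement.get("predicateType"))
    subjects = {(s.get("name"), s.get("digest", {}).get("sha256"))
                for s in statement.get("subject", [])}
    if (image_repo, image_digest) not in subjects:
        problems.append("subject does not cover %s@sha256:%s" % (image_repo, image_digest))
    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(EXPECTED_BUILDER_PREFIX):
        problems.append("untrusted builder %r" % builder_id)
    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if source_uri != "%s@refs/tags/%s" % (SOURCE_REPO, source_tag):
        problems.append("unexpected source %r" % source_uri)
    return problems

def sample_statement():
    """Constructed in-toto statement shaped like the generator's v0.2 provenance;
    the digest and builder version are placeholders, not values from a real release."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "ghcr.io/peak-scale/capsule-argo-addon",
                     "digest": {"sha256": "ab" * 32}}],
        "predicate": {
            "builder": {"id": EXPECTED_BUILDER_PREFIX + "v1.9.0"},
            "invocation": {"configSource": {"uri": SOURCE_REPO + "@refs/tags/v0.1.0-alpha.3"}},
        },
    }

def encode_envelope(statement):
    """Wrap a statement as the DSSE envelope cosign prints (signature is a placeholder)."""
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                       "signatures": [{"keyid": "", "sig": "placeholder"}]})
```

Feed the real envelope from cosign's output and the digest you resolved from the tag; any non-empty result means the attestation is validly signed but does not describe the image you expected.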

Software Bill of Materials (SBOM)

An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each release, including pre-releases.

To inspect the SBOM of the docker image, run the following command. Replace <release_tag> with an available release tag:

COSIGN_REPOSITORY=ghcr.io/peak-scale/capsule-argo-addon cosign download sbom ghcr.io/peak-scale/capsule-argo-addon:<release_tag>

To inspect the SBOM of the helm image, run the following command. Replace <release_tag> with an available release tag:

COSIGN_REPOSITORY=ghcr.io/peak-scale/capsule-argo-addon cosign download sbom ghcr.io/peak-scale/charts/capsule-argo-addon:<release_tag>