Official Upbound packages contain verifiable signatures, attestations, and SBOMs (software bills of materials). These let users confirm the origin of each image build and that its contents have not been changed or tampered with.
You'll need cosign installed to download and verify image signatures and attestations.
Attestations are attached per image build, so you need to give cosign the correct registry and the exact tag or digest of the image. Prefer the digest: a tag can be re-pointed at a different build at any time, while a digest identifies one immutable image, so verifying by digest is the only way to be sure the checks apply to the bytes you actually run.
The commands listed on this page are tailored for the specific version of the image you are currently browsing.
The provider-terraform images are signed with Sigstore keyless signing, and you can check the signatures using cosign.
The cosign verify command fetches every signature attached to the image and checks each one against the expected signer. The --certificate-oidc-issuer and --certificate-identity flags pin the OIDC issuer and the GitHub Actions workflow identity that the signing certificate must carry; a signature issued to any other identity is rejected, and cosign exits non-zero if no signature passes.
```shell
cosign verify xpkg.upbound.io/upbound/provider-terraform@sha256:a732f69870ab3a1f2afcf5c017aa91617fe063a22504b70c0dd571c4a4587660 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/upbound/upbound-official-build/.github/workflows/supplychain.yml@refs/heads/main
```

You can use the cosign verify-attestation command to check the SBOM attestation of the image:
```shell
cosign verify-attestation xpkg.upbound.io/upbound/provider-terraform@sha256:a732f69870ab3a1f2afcf5c017aa91617fe063a22504b70c0dd571c4a4587660 \
  --type spdxjson \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/upbound/upbound-official-build/.github/workflows/supplychain.yml@refs/heads/main
```

SBOMs are produced in SPDX JSON format, as indicated by --type spdxjson. On success cosign prints a report like the one below to stderr, confirming that the attestation signature is valid, that the signing certificate chains to the Sigstore root, and that the signing event is recorded in the Sigstore transparency log (Rekor). The verified attestation itself (a DSSE envelope whose base64 payload is the in-toto statement carrying the SPDX document) is written to stdout, which is what you redirect to a file if you want to inspect the SBOM:
```text
Verification for xpkg.upbound.io/upbound/provider-terraform@sha256:a732f69870ab3a1f2afcf5c017aa91617fe063a22504b70c0dd571c4a4587660 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/upbound-images/images/.github/workflows/release.yaml@refs/heads/main
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: schedule
GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696
GitHub Workflow Name: .github/workflows/release.yaml
GitHub Workflow Repository: upbound-images/images
GitHub Workflow Ref: refs/heads/main
...
```

Note that the Certificate subject printed in this sample is not the identity passed to --certificate-identity in the commands above. cosign requires the certificate's SAN to match that flag exactly (or to match --certificate-identity-regexp), so verify against the workflow identity that actually signed the build you are checking, and treat a subject mismatch as a failed verification rather than something to relax the flags around.
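Once cosign exits 0, the DSSE envelopes it prints to stdout still have to be decoded before the SBOM is usable. The script below is an added example, not part of this page or of Upbound's tooling: it decodes those envelopes, re-checks that the predicate type is the one --type spdxjson denotes and that the in-toto subject is bound to the digest you verified (so a validly signed SBOM for some other image is not accepted by mistake), and then lists the packages. The envelope, SPDX content and package names are a constructed fixture built inline, not real attestation output; the image digest is the one used in the commands above, and the script name and field values are assumptions.

```python
import base64
import json
import sys

# Predicate type cosign uses for attestations created with --type spdxjson
# (the in-toto SPDX predicate).
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Digest from the commands on this page.
IMAGE_DIGEST = "a732f69870ab3a1f2afcf5c017aa91617fe063a22504b70c0dd571c4a4587660"


def parse_envelopes(output: str) -> list:
    """Decode the newline-delimited DSSE envelopes that
    `cosign verify-attestation` writes to stdout after a successful
    verification, returning the in-toto statements they carry."""
    statements = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def select_sbom(statements: list, image_digest: str) -> dict:
    """Return the SPDX predicate whose in-toto subject is the digest we
    asked cosign to verify. Statements with another predicate type are
    skipped; if no SPDX statement is bound to the digest, fail closed."""
    for statement in statements:
        if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
            continue
        subjects = statement.get("subject", [])
        digests = {s.get("digest", {}).get("sha256") for s in subjects}
        if image_digest in digests:
            return statement["predicate"]
    raise ValueError(f"no SPDX attestation bound to sha256:{image_digest}")


def package_names(sbom: dict) -> list:
    """Sorted package names from an SPDX JSON document."""
    return sorted(p["name"] for p in sbom.get("packages", []))


def check_sbom(output: str, image_digest: str) -> list:
    """Full pipeline: decode envelopes, bind to digest, list packages."""
    return package_names(select_sbom(parse_envelopes(output), image_digest))


# --- Constructed fixture (assumption: not real cosign output) ---
def _constructed_envelope(digest: str, predicate_type: str, predicate: dict) -> str:
    """Build a DSSE envelope shaped like cosign's output. The signature is a
    placeholder: this script runs only after cosign has already verified
    the real signature, and never re-trusts the envelope on its own."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "xpkg.upbound.io/upbound/provider-terraform",
                     "digest": {"sha256": digest}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO_PAYLOAD_TYPE, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}]})


# Made-up SPDX content; package names and versions are not from any real image.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "name": "provider-terraform",
    "packages": [{"name": "terraform", "versionInfo": "0.0.0-example"},
                 {"name": "ca-certificates", "versionInfo": "0-example"}],
}
SAMPLE_OUTPUT = _constructed_envelope(IMAGE_DIGEST, SPDX_PREDICATE_TYPE, SAMPLE_SPDX)


if __name__ == "__main__":
    # Read real cosign stdout when piped in; otherwise run on the fixture.
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(check_sbom(data, IMAGE_DIGEST)))
```

Against a live registry the script is fed cosign's stdout only, since the verification report goes to stderr: `cosign verify-attestation ... --type spdxjson ... 2>/dev/null | python3 check_sbom.py`. Keep the digest in the script (or pass it in) identical to the one on the cosign command line; the subject check is only meaningful if both refer to the same image.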