# Supply Chain Security
Every Bluefin image is signed and attested at build time. You can verify any image before installing it.
## Signing paradigms
Bluefin uses two signing methods depending on the stream:
| Paradigm | Streams | Verification |
|---|---|---|
| Keyless (OIDC/Sigstore) | stable, latest, dx, gdx, all Dakota | cosign verify with Rekor transparency log |
| Key-based | lts, lts-hwe and all LTS variants | cosign verify with repo public key |
### Verify a keyless image (stable / latest)

```bash
cosign verify ghcr.io/projectbluefin/bluefin:stable \
  --certificate-identity-regexp="https://github.com/projectbluefin/bluefin/.github/workflows/build.yml" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
```
### Verify an LTS image (key-based)

```bash
curl -O https://raw.githubusercontent.com/projectbluefin/bluefin-lts/main/cosign.pub
cosign verify ghcr.io/projectbluefin/bluefin:lts --key cosign.pub
```
### Verify Dakota

```bash
cosign verify ghcr.io/projectbluefin/dakota:latest \
  --certificate-identity-regexp="https://github.com/projectbluefin/dakota/.github/workflows/build.yml" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
```
Substitute your specific tag (e.g. stable-20260501) for stable / lts / latest to pin to a known-good release.
## SLSA provenance
Keyless streams include SLSA v1 provenance attestations stored alongside the image in GHCR. The Driver Versions page shows per-stream attestation status verified nightly.
Fetch and inspect provenance:

```bash
cosign verify-attestation ghcr.io/projectbluefin/bluefin:stable \
  --type slsaprovenance1 \
  --certificate-identity-regexp="https://github.com/projectbluefin/bluefin/.github/workflows/build.yml" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com | jq -r '.payload' | base64 -d | jq
```
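`cosign verify-attestation` proves the envelope was signed by the expected workflow identity; it does not, by itself, check that the attestation describes the exact image you are about to install. The following added example (not part of the Bluefin docs or tooling) decodes one DSSE envelope line of the kind the command above prints and checks the three things worth asserting before trusting the provenance: the predicate type is SLSA v1, the subject digest equals the digest you resolved for the image (for example with `skopeo inspect` or `crane digest`, or the digest in `cosign verify` output), and the builder id is the Bluefin build workflow. The envelope, digests, commit and signature embedded below are constructed placeholders, and the `check_provenance` / `provenance_ok` function names are this example's own.

```python
import base64
import json
import sys

SLSA_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO = "application/vnd.in-toto+json"

# Constructed sample shaped like one DSSE envelope line from
# `cosign verify-attestation`: payload is a base64 in-toto v1 statement with
# a SLSA v1 predicate. Digest, commit and signature are placeholders.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": "ghcr.io/projectbluefin/bluefin", "digest": {"sha256": "ab" * 32}}
    ],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "resolvedDependencies": [
                {
                    "uri": "git+https://github.com/projectbluefin/bluefin@refs/heads/main",
                    "digest": {"gitCommit": "0" * 40},  # placeholder commit
                }
            ]
        },
        "runDetails": {
            "builder": {
                "id": "https://github.com/projectbluefin/bluefin/"
                      ".github/workflows/build.yml@refs/heads/main"
            }
        },
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO,
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}],  # placeholder
})


def check_provenance(envelope_json: str, image_digest: str, builder_prefix: str) -> dict:
    """Decode a DSSE envelope and confirm the provenance binds to the image
    we intend to run. Raises ValueError on any mismatch, else returns a summary."""
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != IN_TOTO:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')}")
    statement = json.loads(base64.b64decode(envelope["payload"]))

    if statement.get("predicateType") != SLSA_V1:
        raise ValueError(f"not SLSA v1 provenance: {statement.get('predicateType')}")

    # The subject digest is the binding between attestation and artifact. A
    # validly signed attestation for a different digest says nothing about
    # the image that was actually pulled.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    wanted = image_digest.split(":", 1)[-1]
    if wanted not in digests:
        raise ValueError(f"subject digest mismatch: attestation covers {sorted(map(str, digests))}")

    # Builder identity is the workflow that produced the image, not merely
    # the repository; pin it to the expected workflow path.
    builder_id = statement["predicate"]["runDetails"]["builder"]["id"]
    if not builder_id.startswith(builder_prefix):
        raise ValueError(f"unexpected builder: {builder_id}")

    deps = statement["predicate"].get("buildDefinition", {}).get("resolvedDependencies", [])
    source = next((d for d in deps if d.get("uri", "").startswith("git+")), {})
    return {
        "digest": wanted,
        "builder_id": builder_id,
        "source_uri": source.get("uri"),
        "source_commit": source.get("digest", {}).get("gitCommit"),
    }


def provenance_ok(envelope_json: str, image_digest: str, builder_prefix: str) -> bool:
    """Boolean wrapper for use in scripts and policy gates."""
    try:
        check_provenance(envelope_json, image_digest, builder_prefix)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    # Usage: cosign verify-attestation ... | python3 check_provenance.py sha256:<digest> <builder-prefix>
    for line in sys.stdin:
        if line.strip():
            print(json.dumps(check_provenance(line, sys.argv[1], sys.argv[2]), indent=2))
```

Pinning by digest rather than by tag is what makes this check meaningful: a tag such as `stable` can move, while the digest in the attestation's `subject` cannot.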
## SBOM
A Syft SPDX JSON SBOM is attached to each image as an OCI attestation. The Images page surfaces key package versions extracted from these SBOMs nightly.
Discover the SBOM attached to any image:

```bash
# Install oras: https://oras.land
oras discover --artifact-type application/vnd.syft+json ghcr.io/projectbluefin/bluefin:stable
```
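Once the SPDX JSON has been pulled to disk (for instance with `oras pull` on the referrer digest that `oras discover` lists), the same extraction the Images page performs can be done locally. The following added example (not Bluefin's own code) reads a Syft-style SPDX JSON document, pulls out the versions of a chosen set of packages, and diffs two SBOMs to list what changed between two image builds, which is the question a practitioner usually has after a release. Both documents and all package versions below are constructed placeholders; `key_package_versions` and `diff_versions` are this example's own function names.

```python
import json

# Constructed minimal SPDX 2.3 JSON documents in the shape Syft emits.
# Package names and versions are placeholders, not from a real Bluefin SBOM.
SAMPLE_SBOM_OLD = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "ghcr.io/projectbluefin/bluefin:stable-old",
    "packages": [
        {"SPDXID": "SPDXRef-Package-rpm-kernel", "name": "kernel", "versionInfo": "1.0.0-placeholder"},
        {"SPDXID": "SPDXRef-Package-rpm-mesa", "name": "mesa-dri-drivers", "versionInfo": "2.0.0-placeholder"},
        {"SPDXID": "SPDXRef-Package-rpm-openssl", "name": "openssl-libs", "versionInfo": "3.0.0-placeholder"},
    ],
})
SAMPLE_SBOM_NEW = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "ghcr.io/projectbluefin/bluefin:stable-new",
    "packages": [
        {"SPDXID": "SPDXRef-Package-rpm-kernel", "name": "kernel", "versionInfo": "1.0.1-placeholder"},
        {"SPDXID": "SPDXRef-Package-rpm-mesa", "name": "mesa-dri-drivers", "versionInfo": "2.0.0-placeholder"},
        {"SPDXID": "SPDXRef-Package-rpm-zlib", "name": "zlib", "versionInfo": "4.0.0-placeholder"},
    ],
})


def _packages(sbom_json: str) -> dict:
    """Parse an SPDX JSON document into {package name: versionInfo}."""
    doc = json.loads(sbom_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX document")
    versions = {}
    for pkg in doc.get("packages", []):
        name = pkg.get("name")
        if name:
            # Syft may list the same name twice (e.g. multiarch); keep first seen.
            versions.setdefault(name, pkg.get("versionInfo"))
    return versions


def key_package_versions(sbom_json: str, names) -> dict:
    """Return the version of each requested package, None if it is absent.
    An absent key package is itself a finding: the SBOM may be incomplete
    or the image may not be the one you expected."""
    versions = _packages(sbom_json)
    return {n: versions.get(n) for n in names}


def diff_versions(old_sbom_json: str, new_sbom_json: str) -> dict:
    """Compare two SBOMs: {name: (old_version, new_version)} for every package
    whose version changed, was added (old None) or was removed (new None)."""
    old, new = _packages(old_sbom_json), _packages(new_sbom_json)
    changes = {}
    for name in sorted(old.keys() | new.keys()):
        if old.get(name) != new.get(name):
            changes[name] = (old.get(name), new.get(name))
    return changes


if __name__ == "__main__":
    import sys
    # Usage: python3 sbom_versions.py old.spdx.json new.spdx.json
    with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
        for name, (before, after) in diff_versions(f_old.read(), f_new.read()).items():
            print(f"{name}: {before} -> {after}")
```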
## OpenSSF Scorecard
Source repositories are scored weekly by OpenSSF Scorecard. Scores are surfaced on the Projects page.
## Toolchain
| Tool | Role |
|---|---|
| cosign | Image signing and attestation verification |
| ORAS | OCI artifact push/pull (SBOMs, provenance) |
| Syft | SBOM generation |
| SLSA | Provenance specification |
| Scorecard | Repository security posture scoring |
These are all part of the CNCF / OpenSSF ecosystem and are highlighted on the Projects page.