This repository contains infrastructure/code that generates, tests and distributes the Official curl docker images available from the following registries:
To pull an image:
> podman pull quay.io/curl/curl:latest
To run an image:
> podman run -it quay.io/curl/curl:latest -V
To use base image:
from quay.io/curl/curl-base:latest
RUN apk add jq
To view curl image signature use sigstore cosign tree
:
> cosign tree ghcr.io/curl/curl-container/curl:master
Images are verified with this public key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwFTRXl79xRiAFa5ZX4aZ7Vkdqmji
5WY0zqc3bd6B08CsNftlYsu2gAqdWm0IlzoQpi2Zi5C437RTg/DgLQ6Bkg==
-----END PUBLIC KEY-----
Verify image using cosign.pub public key using sigstore cosign verify
:
> cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl:master
If you have problems, questions, ideas or suggestions, please raise an issue or contact curl-container team or Jim Fuller directly.
The following images are available via github packages.
Master branch built regularly:
A set of special case images built regularly:
Platform specific dev images built daily:
To use any of these development images;
> podman run -it -v /Users/exampleuser/src/curl:/src/curl ghcr.io/curl/curl-container/curl-dev-debian:master zsh
> ./buildconf
> ./configure
> make
Note- dev images are not specifically scanned for vulnerabilities and we currently pin to latest which always has vulns ... use at your own risk. Perhaps we could consider pinning to a later 'vintage'.
Either of the following are required to use images:
The following are required to build or release images:
Curl images roughly match curl own release schedule, though we may release multiple versions of the same curl version. In that instance we append a number (ex. 8.1.2-1) though do not rev the version number used in registries.
The release process is as follows: