Releases: unattended-backpack/dove
Release 4173ebc
Release Notes
Full Changelog: see commit history for details.
Container Images
Images have been pushed to the following container registries; some may be private.
Dove
- GHCR:
ghcr.io/unattended-backpack/dove/dove:4173ebc2d8ca365cd335a8904dac4c8dcbc3d361 - DHCR:
unattended/dove:4173ebc2d8ca365cd335a8904dac4c8dcbc3d361 - DOCR:
registry.digitalocean.com/sigil/dove:4173ebc2d8ca365cd335a8904dac4c8dcbc3d361
docker pull ghcr.io/unattended-backpack/dove/dove@sha256:3e603c2c9b69056e5518142084bce6b884e74dd9d6da7e92360b79a94b5c8abb
docker pull unattended/dove@sha256:41d5ec01f986df973da261421b8689e2c23cac6e35ac26f352b796e89a0f7adc
docker pull registry.digitalocean.com/sigil/dove@sha256:3e603c2c9b69056e5518142084bce6b884e74dd9d6da7e92360b79a94b5c8abbAfter pulling from a registry, verify the image ID matches sha256:d685f6216179e74cd1ea0d11059631796bf042bc8c6e844cdcb719d1b055d853 by running docker inspect dove --format='{{.Id}}'.
Native Binaries
Pre-built native binaries are available as release assets:
- Binary tarballs:
*_4173ebc_*.tar.gz. - SHA256 checksums:
checksums.txt.
All binaries include .asc signature files for GPG verification.
GPG Signature Verification
All release artifacts are signed with GPG, including:
image-digests.txt- A human-readable digest list for all images.dove-ghcr-manifest.json- The complete GHCR dove image manifest.dove-dh-manifest.json- The complete Docker Hub dove image manifest.dove-do-manifest.json- The complete DigitalOcean dove image manifest.*.tar.gz- Native binary tarballs.checksums.txt- SHA256 checksums for binaries.
Download the artifacts and their .asc signature files from the release assets below. To verify authenticity, copy this public key LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCgptUUlOQkdpYjg2Z0JFQUNUUjhpWmF4THpLdTFDdGU0Q3RtaUZPUjNMOFVBMURUNG9rRi9qKzdjNGRiYmJxcVNjCmJVU0ViYjVWVlp0dE5mVWR6MEd4Qk8zb2RjTWM0RHdDOXZ5ZTlrWkJoVlk3bXRqZHFWNE5ENzd1Um9zVzFReFMKZ3NvZ0c1bVVrV3RFUGgzVmEwdEtjalZnWVBScWNiSzJ6RVZjVW5IRm1Uc0U4ekkvb2VtbTZBdzRERzliK2tSWgoxVGFpSlUrMEhtcEw3TzhZRU00dVhhaVpSY21yNVU0R2xHdEhxZ1dFUGszYmZNWnpucEowY3VBRm1TTlBZYkdaCjVieUYyVnJoTE5uNUw3OXk3WVhDd20vZmxyTVNTclNGa0tYUGtDSWNETHVZajZBUnFBazYvUlIvZC93b1NpZ04KZCt5SVI4UU14QlJnVWV5SGNrdUNWaEVITW5WQnFYYWJNLzgvNTlsQ21oL2ZYZk9nd25xeDZhUkQ0azFabWxMSgphTUxtdkVlaGpZcEZoeU5oWUZhU3VoWkpSeEtaNTFKRVZNcDhCMy8yVmN6cENpUTJZdy9vN2libGE4Zm05QXFJCkU4WVNEWU1JYi96V1FCSE5vL0JaQXZ2VE9yVGRHVlVwZEJYK1RoSGE4UXd0Q0dsOEVRUFh1Qk5NbDFXMGhpKzUKeXlCNURBS2l6MVN2dld0YnR3QnFMQ2VSQm9RY3hGZTVRK05lY2s0azExbkJId0tibk9hd0VSNlNSY2JtNGYzcwo2eXBjeGxVZXF0a0RCT1ordVV2OHk2Qm9JNzhNb0I2WnpIdUs4dWsvckM4bWpMa2tqYXdTZVo0MGR4SzdTbGMwCjJoWGxMMkl1UFdUVmdVQ204ZTZHc2VJNUxWcHRPMnNVWE05SUlUUExIdjFBbmlvRUo4MFIrL0xQM1FBUkFRQUIKdERCVWFXMXZkR2g1SUVOc1lXNWplU0FvVTJsbmFXd2djbVZzWldGelpYTXBJRHgwYVcwdFkyeGhibU41TG1WMAphRDZKQWs0RUV3RUtBRGdXSVFTK0lEZ3Bra0xkUTJkZHNkU2RzWktPM25xZkJRVUNhSnZ6cUFJYkF3VUxDUWdICkFnWVZDZ2tJQ3dJRUZnSURBUUllQVFJWGdBQUtDUkNkc1pLTzNucWZCY0p0RC80aSt1cE1rNHpERE5IMjVpb0oKaDI4a3pMYjlhWk41RTN3NnZZc2V4cVdJdk9aNldURWNDRmNCL3BlelJzMlI3RWZmeE5aeG5ETnhtaTNsM3FJNwpFQjIrUlFDYXBINi9HUnpTaG5mdlRiMVR5VGtETDIvREd3ZWhpRHRZcVNsenE2ZlROSXBncDYvZ3ROVUpnaHB0CkxFenkzaXc1QzRlUGJ4Q0QxcWdyRkhmZnh1THJ5cmxqdFdnT3J2Sm5tVEZrNnJHZ3R2T1NGN0puU0Z4NWZmRUMKV0NBQ3RsYXlaMFp6OS9uVXJjd1VNdUlNOGdJRFQxMWVsTUhySWZBU2tZRjRVUHQyZnB4RUJXdGsxS2xkcGlkLwoxdnJwQmplQjhlK1RRNFVacWFwM1VNZmtRbjNCZGRlUHB6cGY1MUV6c1FyRHM4UTQwN1dhMTZ3Q3FQaXJFUW9HClg4MHRiRmQ5UzZnT2diSVNFK3dlcXRjWXNvbm5OVTE5TmNiVklWQWFJalN4THM3ZTQxZFo1c0N0MHZMWENQS3AKL3YyTE9DYjEwam9jU040Z3RONG9iUW1tUldiallIbllQNEhkMjFIcExHcjhjRmhDNmxwRjJPYjVrZEVOQXFkLwoxTlBTTmt0emFRclpvTnNYbnl6ZmVxMjdLTTZubmh6azBLNURmSEJwWFExbWVtdnJDeHp0WFEyTlBPOEJqQzdXCk5uL2VkWmdZME1lVmNMZ01PS3hLWWk4NGRra0Z0Zk5qandSQmVRUzA3cEcvTkRIVTBHVkEwRDhYUk5jdWxnV3AKVDNoMVJnT1NDQkFvcXdVNDhZYTl1U3pYY1JxN1o5SDd4c2ovSDlWaUc2a3VqVFlNaHMwM2RDV2wwdHpLSzRMcQorNmdQTEJRYUxBVGJFKytnTXM4MFVnaXd2TGtDRFFSb20vT29BUkFBNXQ1bGpvWkY3WWYrNXJTV3NHZHc1TlNXCjc0a2I4RUo1V2t6a2VhYmYyaFN1NWdrcFkxTHF3RFVObFgwUWE0LzJOcmh3dTl3VEJGd3hjRUoycmxpWklndUcKUHNoajRYaWcwaUJaU2NZZW1rVFJ5Q0pwV1NQb2VJc3pGNVFVMDNYR1MwdG02Vm1rcGY1d2NTTThKTFZrSElTTApYKyszY1J2MEVSTEVNSGlWRVAvczNFZEZFT1Y2UExnYUdRUkRaOTg3RDlJZFcwQjNSdVVNQitXNHRnRnRXS0xJCmFFY0tWaks1eUtnaDQ5d3U3dEhkaW81RDB5eVFFUnVEY1NmQU9FV3V1UkJ1bmZwdWtCay9LZ0Fha2tLTnJhWGoKRm5DNEVNbE9PT2tnbitnM1NqZVZCemFpZm9ITEsrSERYbHVLZ3BMQjYxNkl3dEZRMzVUbUVuRTdMS1ZTZUczMwo3QVc0TDRoSVZPK0U3TEVHbVl0Q2ZiTUhycDRiN3k4aFNZdlNKSkYzUmU4UnhmNGtEdm1IeFpVVlFqWC90TTA0CnIvc3g1Y3oySVNlOFNRc1JaRjF0MnZXd2NjTXNxNGFCVUh2R2lNbGpNME1ESVU5RlJZOGROTEJKL05uTmZUU3gKNlp6VHRMUmpvTmRHT0I5VkJ5TGNoSHdjK3U5NVo2TkxQcVA2b3BKdXlIWlJKZGl3NzlBV0JweW92bDBqblRTSQpsbk1pTGJWMVBxVXJoS1BxdHhlc01aUEt1dTM1UVQvTnhSZWhDMHVwNDJkdWlxb3NRSU9VemFjbmpzM2o3bTBLCldMS2F2WlJoamxWOXh1bHhGUVNMTnErQ0pvZXJKaW9ZQS9WYnRLR3pFWkRxWk5wbG45Q011NWM0QTVzS1VFNTIKL1J1WGhXM2hDa0V3Q0ExWUZZc0FFUUVBQVlrQ05nUVlBUW9BSUJZaEJMNGdPQ21TUXQxRFoxMngxSjJ4a283ZQplcDhGQlFKb20vT29BaHNNQUFvSkVKMnhrbzdlZXA4RkFJY1AvaTVKMVBKSkFEbzNTRlVBaVU4MnJvcFdIMDRICm5uRm5KdGR3Tjh3UW4xRHAvdHRLc25ENkROaU92YzlCdjNHZU5nUG9FSGlDdG43T1Fnb0VXTXQ0bnZjejl3MHcKZ1lwTlJIMkFXdHM2UWVlZUY3YzBZRXhIZ3FYUGNPMUdCbngvalVxYWNPUmY3NjF5QmxFWWo3QmhwZWIwNkxTYQpwZmw2SFZXY1FOTktvYzQ4UzFselkwa2ZpS1pRMzdNYVNKNHlOaWlycWMyVjQvTUxYVjRYNzJSdm9qem94SWpNCmZjdDNHelhUOGhSZWkyc2dvMTc3S3kxeDJodDNJTzRUaGF0UzZ5K3ErdFR0RGx6RWdrM3cvQi9ESTBqbjgwVmwKaTVNQTNGTmh0N0JhZDJzd21tMGN0Ty8yRUU1aVlBSUxWRWJwcnhVWVo1SGo4bHFDYTVJSStoUGRjQmRGM1pnbQpiZEtOZERzV3FJSXdrTVJ3cE5SQ2JCUU5IaHhzR0tPYXBnYnEzaC9SMDNCWk56eGpkR2E2T0xuemdtdCtoZm05CmJWS2hwQitoaDBKOVEwOTQ2MXpwV1NTd2pzdnorRG9YTXVRa0dGWTdlVXNnMGdLRXY3a3lETHlBQlJCVko1RVYKcmJFVmxucFJGSURIOHJKcnRETTRoOWNqNlpXVGw4RGJ5bTczeEtjbDJIejErRzZtN3AyVmMyVG5oam1XSThzTgpnT0Y4TElrOVBINUhWSTd4WVY5ZWVmNi8xQ25JdGxPRHhpOEdJZGxzcUd6ZzFVUnNIMTR2NnRDaUZCZFg4THUrCjNjd1U3YlF1Q0d0NzM2UVBLdHZ0aDZrR0k3aytnVCtrejZZL09ML3hTVURTL1JicGRNVldYaThEVmllazF6RDcKLytQTzJ6TG85bnhCdTB2eAo9TWgyVQotLS0tLUVORCBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCg==% into a public.asc file and verify the signatures:
# Import GPG public key.
cat public.asc | base64 -d | gpg --import
# Verify digest list.
gpg --verify image-digests.txt.asc image-digests.txt
# Verify image manifests.
gpg --verify dove-ghcr-manifest.json.asc dove-ghcr-manifest.json
gpg --verify dove-dh-manifest.json.asc dove-dh-manifest.json
gpg --verify dove-do-manifest.json.asc dove-do-manifest.json
# Verify binary checksums.
gpg --verify checksums.txt.asc checksums.txt
# Verify binaries.
gpg --verify *.tar.gz.ascValid signatures confirm the artifacts were signed by the maintainer. The manifest signatures provide cryptographic proof of the complete image structure, while binary signatures ensure the authenticity of native executables.
Cosign Verification (Optional)
Images are also signed with cosign using GitHub Actions OIDC for automated verification and build provenance:
# Verify GHCR dove image
cosign verify ghcr.io/unattended-backpack/dove/dove@sha256:3e603c2c9b69056e5518142084bce6b884e74dd9d6da7e92360b79a94b5c8abb \\
--certificate-identity-regexp='^https://github.com/unattended-backpack/.+' \\
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
# Verify Docker Hub dove image
cosign verify unattended/dove@sha256:41d5ec01f986df973da261421b8689e2c23cac6e35ac26f352b796e89a0f7adc \\
--certificate-identity-regexp='^https://github.com/unattended-backpack/.+' \\
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
# Verify DigitalOcean dove image
cosign verify registry.digitalocean.com/sigil/dove@sha256:3e603c2c9b69056e5518142084bce6b884e74dd9d6da7e92360b79a94b5c8abb \\
--certificate-identity-regexp='^https://github.com/unattended-backpack/.+' \\
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
Cosign provides automated verification without manual key management. Signatures prove the images were built by this repository's GitHub Actions workflow and are stored in the Rekor transparency log.
Note: Cosign depends on external infrastructure (GitHub OIDC, Rekor). For maximum trust independence, rely on the GPG-signed manifests as your ultimate root of trust.