Securing the software supply chain includes being able to confirm that the artifacts you install
are the ones Chronosphere actually released. As part of its secure development practices,
Chronosphere publishes the following keys, which you can use to verify the signatures on
Chronosphere Telemetry Pipeline software.
Cosign is a tool that signs and verifies software artifacts such as container images and stores
the signatures alongside them in an OCI (Open Container Initiative) registry. You verify an
image locally with cosign verify --key and the public key; an admission controller such as the
Kubernetes Policy Controller can apply the same check, and inspect other supply chain
metadata Cosign attaches, before an image is admitted to a cluster. The Chronosphere Telemetry
Pipeline public Cosign key is available here. Keep a pinned copy of the key with your
deployment configuration rather than fetching it at verification time.
GnuPG (GNU Privacy Guard, invoked as gpg) is an open-source implementation of the OpenPGP
standard. Use it to verify the signature shipped with each Telemetry Pipeline package before
installing the package. Import the key into a dedicated keyring, confirm its fingerprint, and
only then verify packages with it. Use the following GPG key to verify Telemetry Pipeline
software packages:
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGI8PcIBEADZ0fizLscKGjhrg0tC5IZUTasN3uJIqNtAIRl48Zr26UYPsnjETIXiANnruf0OzEm2f9KsfVETubawAV/b1gMGcv7vYVm6IxDvWQpUb01ooPvzqH6dGn2Gq7LTq5t2+/1MZii0ZNkaoKsB6GiGO1gJE0flGvCASE3m0wPbZv+Q5sJ8wNcuuL/lDurM8twKJAQVBPaXadY1dxl0UDOF0w+vTtTxFAHh0apNqNYQLXjjc2TcaDdLMnLg6AUGBZhhgIPECdG6XLxkVGqTMLBhBEtohMtVGznRr5gicIn0jX57ueDiftucQOnm/ZEvBuiNAW6PRtvuqW/+PHZ1pVUP1z1rcCWqYJK471I5W11r1BH738arJy1TkzciHjraum10dDLoB0Ly/NDf/0XFkLS4A009BRxo4N6FRVN8OP6t8zktxAZTuawHMTpTJD8+lGJju4R/AA+H01m3cixM4ffy1zuwqlH4IWRlkysRwlHtxfu+9PYA7GjXd+uQJPKYYAaG7LloTIxcQ01yZ63FB97CLAd05Bmq3eQpQw/9iP8OP6Ska827Gjfg0pgG4HEOk2ykyCFeSj8vW4frzhhas/YuDvKhxXZf8jaKJFAbxuHW4rBv5OUUckCwPQDEiIsB465eIIaSrjjD9yhZKB9BBFAPHCvptbjvhvQ/x0MxSEcVOv81LQARAQABtDRDYWx5cHRpYSBSZWxlYXNlcyA8ZW50ZXJwcmlzZS1yZWxlYXNlc0BjYWx5cHRpYS5jb20+iQJUBBMBCAA+FiEECKp3AN5X5P1iQ9xRuOWmBtZ6eVIFAmI8PcICGwMFCQeGH1MFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQuOWmBtZ6eVIC1BAAjsPsnUz4OxS8JrLho68hNa+4xaWrlXqVt47MfHbOl0RplH0iKa/E47nRYJ10QdGaPKZG60prudoS7kfrD9qrONcuJPYa1XeB6fYs1K3yaDcEbTGCtJtICChrBvLkfwK0CcIFH4NzFLaSJOJLDtC0gFW6A7kWzosjK7WJ5fwr/JWwND62usTwrCCHHRX/u6ecI6PTRakzUl3SVhAmEstoiX/X7wZw6PF/hNqV7T9CtbsVy8DpCGamCccCrrDHb3WZpFpRcb4pxBIeXtP5dzmK0RKRuaKQtcfx7bYuqpNB89fzPkaBoER0VLuAvY3ml336WJn6WG9lyJI/N97bXWe/dYqo/xb1isVWHT0mYXP7a3M3wcKMeyW0ZYQ8m+jJXnhlG45hVqwub+UL0ymi6JuopQH6kDVMGjFoG1oU14RJMABbvLoDBPtdP03No6jxCkqVHZTLOPV5hNbYX0fevHIKT6L0Wj42uExIb27M23c4iaDgAboewNF3vCVw9McuWTrp+5bLHCIjYhPSN7Uu/62+KlGWI1d8MeigWyHOX9QisVrm7e/eTvGkciVvQAs2S1v7yqGcDgBTscOR0ie7XBDy57JrLMrt540Lfc1WaarfAJVqEg+XeU9zwKhw3IYiMULi8+5tdoPOndkv/rZNQnNdoj7DSx5zBHhpGL/rDA2Ovf+5Ag0EYjw9wgEQALY1aY+G1AOeLpB/3Ptdw2vpqEViJx47FrEoMeIQunKJ2nxQ5Zxxyy8qnbYmpD399wteN8u++kPwuxeNhEPVjJd/hZ+aKiSdIIAQw9LabAU9zGkyTcipRU/FpfGb97PShnEKn5y8l+5JVOifBP2pfazwoFEZ38rkhMg9qnn9yU+WffzNvLAK9QiYywMSgwkQyEoK5DOLusLry0b5CU7CyE/WCo1NWI6vKEMb20D/bFpYbLzTP80h5SaUY7jrl4YVx6pkDnbuv0cF5XRROGZWFORx0jqSFI3r5m+2Bfua/pMrBSIrqy8n9nB0T0Q4c/6JJugnIk0ujgpzZiHFox6fo5mWA5kbrb9UkdOoCCC6gXWcwcRdLy6DnkRR
OFdOTB2j3wph6pzNVfJxEr97yymS1FrwxUDVgWNQm6pIaJPnF1ttVAs7ofHPSs9jyA0jnFlEhw9Zsu+jhUBSBQYjqb/Xma+YegZHK9lcOLpPHxI9mJnWKYbmaz7fXL4aRoYVscKDAvpByxphRoVi+AB6P7I/dkk/cj6W6kDAbr5f3htUFRYl7I4CoC/GaDxTFU7DyiWpeqyUZ83074DizplgCBJ5D7A9+6ZdppfidX4jBbrg1mNihHgMfnZ1W2OQkRli+2BnA8x3HxfFZo10Ay9Uz6LwLyc9SoziOeupddl5YBlvdVnhABEBAAGJAjwEGAEIACYWIQQIqncA3lfk/WJD3FG45aYG1np5UgUCYjw9wgIbDAUJB4YfUwAKCRC45aYG1np5UglyD/9Xs1ZW6vNbY4jvQkLoboOE6QMRM9rmsRxq8mHoTrcXS8nlh/4TaUSn/IX8QFNel4PKT7boTYfds5xONC59Nw7LJUs6VPdg8I6L3w7WE94uAweLVa3Dr5/mKJ5khK63XBhywGK4DO4o3RHWdbgfHBo3dOT9C3TYJSc/O2IQEPINQkDYz4MnUOQvZbPU34GkOVCPK73bm/Kw9mRADcwuLKP7hN1JH4RZfGCr5TgaYQABNa/k/wG63QND9+20nUhbUFvCQqnLt3FPcJYkArbSigivmrbwNvlhzmAuS0m1iutVhlAtgBw3DaF8VAaf6pYQBNKk804WXzqjH2dys8ZEALDFwW1y4J91MjM24ziHXrAY3/cnwN530QF/HLeE+lqeIXpm5Hi1BdD26CXrRRrtfTjAHG/mZwkA7mA6GR7cpQWJ4d1gorKj3ofTOKcakIoD1yk/x4X1nN2gI7le7dV0YuzLncGh51bnCmBSYbnoD+vZ88LbB5IjOZRYYwSOLyyCFfwVzLDGeCPl42gf2624An19rUlCMoBom0CFblN8tlmWu7FSgD3zd3u7cAG5ktOiLtad98xBPmdXROjwdDdvPiBiC36Wf6qhshQKJ2OEK/x0He3Vd6vXQyV8SFIAukv9bWZEbhFrnnZ6mGB2zREpsL/HoaG4no46tHvWfhanTEGEoA==
=33Bk
-----END PGP PUBLIC KEY BLOCK-----
When you import or inspect the Telemetry Pipeline public GPG key (for example with
gpg --show-keys), the fingerprint printed in your terminal should match the key fingerprint
Chronosphere publishes. Decoded from the self-signature and user ID packet inside the key
block above, the key is an RSA 4096 key with user ID "Calyptia Releases
<enterprise-releases@calyptia.com>" and fingerprint
08AA 7700 DE57 E4FD 6243 DC51 B8E5 A606 D67A 7952 (key ID B8E5A606D67A7952); confirm these
values against the fingerprint published with the key before trusting it, and reject the key
if they differ.
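The script below is an added example, not a script from Chronosphere or the Telemetry Pipeline project, that puts the two verification steps above into one place: it checks the GPG key's fingerprint before importing it into a throwaway keyring, verifies a package's detached signature and confirms that gpg's VALIDSIG status line names that key (not merely that gpg exited 0), and verifies a container image with cosign. The file names, the image reference and the sample status lines are assumptions or constructed data; the expected fingerprint is the one decoded from the self-signature inside the key block above and should be cross-checked against the fingerprint Chronosphere publishes.

```shell
#!/bin/sh
# Added example, not Chronosphere's own tooling: verify a Telemetry Pipeline
# package signature with the GPG key above and a container image with the
# Cosign public key.  File names, the image reference and SAMPLE_STATUS are
# assumptions / constructed data for illustration.
set -eu

# Primary-key fingerprint decoded from the issuer-fingerprint subpacket of
# the self-signature in the key block above.  Cross-check it against the
# fingerprint Chronosphere publishes before relying on it.
EXPECTED_FPR="08AA7700DE57E4FD6243DC51B8E5A606D67A7952"

# Canonical form for comparison: no spaces, upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeeds when two fingerprints are equal after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Read `gpg --status-fd` lines on stdin and print the primary-key
# fingerprint from the VALIDSIG line (its last field).  Prints nothing for
# a bad or missing signature.  Keying the verdict on VALIDSIG rather than
# on gpg's exit status ties "valid" to one specific key.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Fingerprint of the first key in an armored key file (gpg 2.2 or later).
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify a detached signature over a package.  A throwaway GNUPGHOME keeps
# the vendor key out of the user's own keyring and trust database.
verify_package() {
    keyfile=$1; package=$2; signature=$3
    fpr=$(key_fingerprint "$keyfile")
    if ! fpr_matches "$fpr" "$EXPECTED_FPR"; then
        echo "refusing key $keyfile: fingerprint $fpr does not match $EXPECTED_FPR" >&2
        return 1
    fi
    home=$(mktemp -d)
    GNUPGHOME=$home gpg --batch --quiet --import "$keyfile"
    signer=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$signature" "$package" 2>/dev/null \
             | validsig_primary_fpr)
    rm -rf "$home"
    if ! fpr_matches "$signer" "$EXPECTED_FPR"; then
        echo "no valid signature by $EXPECTED_FPR on $package" >&2
        return 1
    fi
}

# Verify a container image signature with the Cosign public key
# (cosign 2.x syntax; the image reference passed in is a placeholder).
verify_image() {
    cosign verify --key "$1" "$2" > /dev/null
}

# Constructed sample of gpg status output for a good signature by this key,
# used to exercise the parser without a real package.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B8E5A606D67A7952 Calyptia Releases <enterprise-releases@calyptia.com>
[GNUPG:] VALIDSIG 08AA7700DE57E4FD6243DC51B8E5A606D67A7952 2022-03-25 1648180674 0 4 0 1 8 00 08AA7700DE57E4FD6243DC51B8E5A606D67A7952'

# Parse the constructed sample; succeeds when it names the expected key.
sample_is_expected_signer() {
    fpr_matches "$(printf '%s\n' "$SAMPLE_STATUS" | validsig_primary_fpr)" "$EXPECTED_FPR"
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        package) shift; verify_package "$@" && echo "package signature OK" ;;
        image)   shift; verify_image "$@" && echo "image signature OK" ;;
        *) echo "usage: $0 package <key.asc> <pkg> <pkg.sig> | image <cosign.pub> <image>" >&2; exit 64 ;;
    esac
fi
```

Run it as `verify.sh package chronosphere.asc pkg.rpm pkg.rpm.sig` or `verify.sh image cosign.pub <image reference>`; the gpg and cosign steps need those tools installed, while the fingerprint and status-line helpers run without them. Using a fresh GNUPGHOME per run means a compromised or stale key in your personal keyring can never satisfy the check, and matching the VALIDSIG fingerprint guards against a keyring that has accumulated more than one trusted key.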
A software bill of materials (SBOM) is generated for each release, along with a Common
Vulnerabilities and Exposures (CVE) report that reflects the vulnerability data available at
release time. See the Telemetry Pipeline releases page for the list of release assets, which
include the SBOM and the CVE report (as of release time) for all components. Because the CVE
report is a point-in-time snapshot, rescan the SBOM against current vulnerability data as part
of your own review rather than relying on the report alone.