This repository contains infrastructure/code that generates, tests and distributes the Official curl docker images available from the following registries:

• quay.io: curl images distributed by Quay.io
• docker.io: curl images distributed by docker.io
• github packages: development curl images

To pull an image:

> podman pull quay.io/curl/curl:latest

To run an image:

> podman run -it quay.io/curl/curl:latest -V

To use base image:

from quay.io/curl/curl-base:latest
RUN apk add jq

• IPv6 is supported, however Docker/Podman do not support out by default. IPv6 must be enabled on network-level within Docker/Podman.

To view curl image signature use sigstore cosign tree:

> cosign tree ghcr.io/curl/curl-container/curl:master

Images are verified with this public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwFTRXl79xRiAFa5ZX4aZ7Vkdqmji
5WY0zqc3bd6B08CsNftlYsu2gAqdWm0IlzoQpi2Zi5C437RTg/DgLQ6Bkg==
-----END PUBLIC KEY-----

Verify image using cosign.pub public key using sigstore cosign verify:

> cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl:master

If you have problems, questions, ideas or suggestions, please raise an issue or contact curl-container team or Jim Fuller directly.

The following images are available via github packages.

Master branch built regularly:

• curl-dev:master - curl-dev master branch
• curl-base:master - curl-base master branch
• curl:master - curl master branch
• curl-multi:master - curl multiarch master branch
• curl-base-multi:master - curl-base multiarch master branch

A set of special case images built regularly:

• curl-exp:master - curl master branch built enabling expiremental features

Platform specific dev images built daily:

• curl-dev:master - alpine based development environment
• curl-dev-debian:master - debian based development environment
• curl-dev-fedora:master - fedora based development environment

To use any of these development images;

> podman run -it -v /Users/exampleuser/src/curl:/src/curl  ghcr.io/curl/curl-container/curl-dev-debian:master zsh
> ./buildconf
> ./configure
> make

Note- dev images are not specifically scanned for vulnerabilities and we currently pin to latest which always has vulns ... use at your own risk. Perhaps we could consider pinning to a later 'vintage'.

Either of the following are required to use images:

• podman
• docker

The following are required to build or release images:

• buildah: used for composing dev/build images
• qemu-user-static: used for building multiarch images

Curl images roughly match curl own release schedule, though we may release multiple versions of the same curl version. In that instance we append a number (ex. 8.1.2-1) though do not rev the version number used in registries.

The release process is as follows:

• create new branch (ex. v8.1.2)
• update VERSION to match curl version
• update CHANGELOG.md
• raise prep PR, review and merge
• create new release with new tag ( ex. 8.1.2 ) based on previously created branch
• new tag will trigger CI for publishing to quay/docker