stable-20260710: LTS
Variants promoted
| Variant | Tag | Digest |
|---|---|---|
bluefin-lts |
:stable |
sha256:5c9c8e050a0c |
bluefin-lts-nvidia |
:stable |
sha256:88c8df51892c |
bluefin-lts and bluefin-lts-nvidia use the Fedora CoreOS stable kernel. The Kernel (LTS) version above applies to both.
Key components
| Component | Version | Change |
|---|---|---|
| Kernel (LTS) | 7.0.11-200 |
|
| GNOME Shell | 50.0-3.el10 |
|
| Flatpak | 1.18.0-1.el10 |
|
| bootc | 1.16.2-1.el10 |
no package changes since the previous release. 1497 packages total.
Desktop Screenshot
Captured from bluefin-lts:testing during automated e2e validation — testsuite
Supply chain verification
Supply chain
This image is signed, attested, and ships a full SPDX-JSON SBOM.
Every artifact below is verifiable without trusting this release page.
Tools required — install via Homebrew or see links in each section:
brew install cosign oras slsa-verifier1 — Verify the image signature
cosign (Sigstore) verifies the keyless
OIDC signature created by GitHub Actions at build time.
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin-lts|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/bluefin-lts@sha256:5c9c8e050a0c9486f097bbfcbdd1517425814aca56c227bcd5b28d133a44ecc9A valid response lists the certificate subject and OIDC issuer. Any tampered
image will produce a verification error.
2 — Fetch and inspect the SBOM
The SBOM (SPDX 2.3 JSON) is attached to the image as an
OCI referrer using
ORAS (CNCF graduated project).
# Discover the attached SBOM referrer
oras discover \
--artifact-type application/vnd.spdx+json \
ghcr.io/projectbluefin/bluefin-lts@sha256:5c9c8e050a0c9486f097bbfcbdd1517425814aca56c227bcd5b28d133a44ecc9
# Pull the SBOM to disk (replace SBOM_DIGEST with the digest from above)
oras pull \
--artifact-type application/vnd.spdx+json \
ghcr.io/projectbluefin/bluefin-lts@<SBOM_DIGEST>The SBOM is also attached to this release as
bluefin-lts.spdx.json.
3 — Verify the SBOM attestation
The SBOM is also stored as a signed
GitHub SBOM attestation
in the Sigstore transparency log.
cosign verify-attestation \
--type https://spdx.dev/Document \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin-lts|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/bluefin-lts@sha256:5c9c8e050a0c9486f097bbfcbdd1517425814aca56c227bcd5b28d133a44ecc9 \
| jq -r '.payload | @base64d | fromjson | .predicate.name'4 — Verify SLSA Build L2 provenance
slsa-verifier (OpenSSF)
checks that this image was built by the expected workflow on the expected
source repository — not on a developer's laptop or a forked CI runner.
slsa-verifier verify-image \
ghcr.io/projectbluefin/bluefin-lts@sha256:5c9c8e050a0c9486f097bbfcbdd1517425814aca56c227bcd5b28d133a44ecc9 \
--source-uri 'github.com/projectbluefin/bluefin-lts' \
--source-versioned-tag 'stable-20260710'You can also inspect the raw provenance:
cosign verify-attestation \
--type slsaprovenance1 \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin-lts|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/bluefin-lts@sha256:5c9c8e050a0c9486f097bbfcbdd1517425814aca56c227bcd5b28d133a44ecc9 \
| jq -r '.payload | @base64d | fromjson | .predicate'Full changelog and verification guide → https://docs.projectbluefin.io/changelogs
Full changelog → https://docs.projectbluefin.io/changelogs

