TL;DR: Chainguard’s Custom Assembly feature will enter general availability on July 15th. With the GA launch, every Chainguard Container will be customizable via automated tooling. This tooling grants customers programmatic access to the Chainguard Factory to extend their container images without relying on multi-stage docker builds.
As a part of this change, the default APK repositories for all Chainguard Containers will be updated to include a customer-specific endpoint, virtualapk.cgr.dev/<uid>/<digest>/chainguard instead of the shared packages.wolfi.dev/os endpoint. This new endpoint will give customers the ability to access the public packages in Wolfi. This repository is unrelated to the new Private APK Repository feature we recently announced.
To prepare for this change, you may need to update your firewall settings according to our network requirements for this new host name.
Announcement date | Planned Change date |
Jun 12, 2025 | Jul 15, 2025 |
What is changing?
Every Chainguard Container delivered to your registry will be customizable with Custom Assembly – meaning every image in the console will now have a “Customize Image” button.
Every Chainguard Container delivered to your registry will use an updated default APK package repository endpoints – which means that if you use ‘apk add’ in dockerfiles with a Chainguard image, packages will be added from
virtualapk.cgr.dev/<uid>/<digest>/chainguard or from virtualapk.cgr.dev/<uid>/<digest>/extra-packages,where<uid>is the existing unique identifier used to identify your organization for automation and integrations, and<digest>is the hash of the image from which your variant was rebuilt.<digest>is optional, and can be omitted when usingvirtualapk.cgr.dev/.The signing keys for the new APK package repository endpoints are rotated every 90 days, so some ‘apk’ commands will fail when used on images that are more than 90 days old.
These changes do not impact or relate to your Private APK Repository. No authentication is required to access the updated default APK package repository endpoints; this virtual APK repository proxies requests to the shared apk.cgr.dev repository.
Why is Chainguard making this change?
We want every customer to be able to take advantage of the Chainguard Factory, which is why we are making Custom Assembly available to every customer and applicable to every image.
We want to ensure that customers adding Chainguard APKs in their dockerfiles have a secure and supported experience. Moving to customer-specific APK repository endpoints gives Chainguard visibility into package utilization, and makes it possible to proactively notify customers of significant changes to Wolfi packages. For example, if we plan to remove an insecure or unsupported package from Wolfi, we can notify customers using that package in advance.
This new endpoint will give customers the ability to access the public packages in Wolfi for customizable images.
How will this affect me?
We do not expect this change to impact how you interact with Chainguard Containers in any way. This change will go live broadly when Custom Assembly moves to GA on July 15th.
Every image will be customizable with Custom Assembly and that every image will use a new default endpoint for adding packages.
Some ‘apk add’ commands on images older than 90 days old will fail due to key rotation. Please use up to date images if this occurs.
If you mirror Chainguard APK repositories within your organization, we recommend you mirror against the new endpoints.
***Note: If you are already using Custom Assembly in Beta, you will notice the new default package repo sooner than July 15th ***
What do I need to do?
Update your network settings to ensure that the DNS hostnames, associated ports, and protocols for the new APK hostname (virtualapk.cgr.dev) are allowed through your firewalls and proxies.
If you mirror Chainguard APK repositories within your organization, we recommend you mirror against the new endpoints (virtualapk.cgr.dev/<uid>/chainguard and virtualapk.cgr.dev/<uid>/extra-packages).
Need help or have questions?
We're here to help - visit our support portal at support.chainguard.dev.
Your friends at Chainguard
Comments
0 comments
Article is closed for comments.