You are browsing unreleased documentation. See the latest documentation here.
Verify Build Provenance for Kong Mesh Binaries
Starting with 2.8.0, Kong Mesh produces build provenance for binary artifacts, which can be verified using slsa-verifier
with attestations published to a Docker Hub repository.
This guide provides steps to verify build provenance for signed Kong Mesh binary artifacts with an example leveraging optional annotations for increased trust.
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.
Prerequisites
-
slsa-verifier
is installed. -
Download security assets for the required version of Kong Mesh binaries
-
Extract the downloaded
security-assets.tar.gz
to access the provenance filekong-mesh.intoto.jsonl
tar -xvzf security-assets.tar.gz
-
Download compressed binaries for the required version of Kong Mesh
-
The GitHub owner is case-sensitive (
Kong/kong-mesh
vskong/kong-mesh
).