Verify build provenance for signed Kong Mesh images
Starting with 2.8.0, Kong Mesh produces build provenance for Docker container images, which can be verified using cosign / slsa-verifier with attestations published to a Docker Hub repository.
This guide provides steps to verify build provenance for signed Kong Mesh Docker container images with an example to verify an image provenance leveraging any optional annotations for increased trust.
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for container images, which is why many of these details are GitHub-related.
Prerequisites
-
Cosign / slsa-verifier is installed
-
regctl is installed
-
Collect the necessary image details.
-
The GitHub owner is case-sensitive (Kong/kong-mesh vs kong/kong-mesh).
Example with kong/kuma-cp
Kong Mesh image provenance can be verified using cosign or slsa-verifier:
-
Set the COSIGN_REPOSITORY environment variable:
export COSIGN_REPOSITORY=kong/notary
-
Parse the image manifest using regctl:
export IMAGE_DIGEST=$(regctl manifest digest kong/kuma-cp:2.9.2)
-
Run the cosign verify-attestation ... command:
cosign verify-attestation \
kong/kuma-cp:2.9.2@${IMAGE_DIGEST} \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
--certificate-github-workflow-repository='Kong/kong-mesh' \
--certificate-github-workflow-name='build-test-distribute' \
--certificate-github-workflow-trigger='push'
-
Parse the image manifest using regctl
export IMAGE_DIGEST=$(regctl manifest digest kong/kuma-cp:2.9.2)
-
Run the slsa-verifier verify-image ... command:
slsa-verifier verify-image \
kong/kuma-cp:2.9.2@${IMAGE_DIGEST} \
--print-provenance \
--provenance-repository 'kong/notary' \
--source-uri 'github.com/Kong/kong-mesh' \
--source-tag '2.9.2'
Edit this page
Report an issue