Verify signatures for signed Kong Mesh images
Starting with Kong Mesh 2.7.4, Docker container images are now signed using cosign
with signatures published to a Docker Hub repository.
This guide provides steps to verify signatures for signed Kong Mesh Docker container images with an example used to verify an image leveraging optional annotations for increased trust.
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to sign images, which is why many of these details are GitHub-related.
Prerequisites
-
Cosign
is installed -
regctl
is installed -
Collect the necessary image details.
-
The GitHub owner is case-sensitive (
Kong/kong-mesh
vskong/kong-mesh
)
Example with kong/kuma-cp
The Kong Mesh image signature can be verified using cosign
:
-
Set the
COSIGN_REPOSITORY
environment variable:export COSIGN_REPOSITORY=kong/notary
-
Parse the image manifest using
regctl
IMAGE_DIGEST=$(regctl manifest digest kong/kuma-cp:2.9.2)
-
Run the
cosign verify ...
command:cosign verify \ kong/kuma-cp:2.9.2@${IMAGE_DIGEST} \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='https://github.com/Kong/kong-mesh/.github/workflows/kuma-_build_publish.yaml' \ -a repo='Kong/kong-mesh' \ -a workflow='build-test-distribute'