Verify build provenance for signed Kong Gateway images
Use regctl to gather the digest information for the image, then use cosign verify-attestation to verify build provenance.
Prerequisites
Cosign
Kong Gateway Docker container images are signed using Cosign, which is a tool that lets you sign images and verify image signatures.
- Install Cosign by following the installation instructions for your system.
- Set the COSIGN_REPOSITORY environment variable on your system:
  export COSIGN_REPOSITORY=kong/notary
Gather the digest information
Parse the manifest digest for the image using regctl, substituting the Kong Gateway Enterprise image you need to verify:
regctl manifest digest kong/kong-gateway:3.10.0.0
The command will output a SHA-256 digest:
sha256:ad58cd7175a0571b1e7c226f88ade0164e5fd50b12f4da8d373e0acc82547495
Verify the build provenance
Run the cosign verify-attestation command, substituting the SHA-256 digest and image name from the previous step:
cosign verify-attestation \
  kong/kong-gateway:3.10.0.0@sha256:ad58cd7175a0571b1e7c226f88ade0164e5fd50b12f4da8d373e0acc82547495 \
  --type='slsaprovenance' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
  --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
Make sure that you’ve set the COSIGN_REPOSITORY environment variable as described in the prerequisites, or Cosign won’t be able to find the image signature.
If verification is successful, the response will contain a summary of the checks that were performed:
Verification for kong/kong-gateway:3.10.0.0@sha256:ad58cd7175a0571b1e7c226f88ade0164e5fd50b12f4da8d373e0acc82547495 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
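The two steps above, combined into a fail-closed shell script. This is an added example, not Kong's own tooling: it assumes regctl and cosign are on PATH, and the function names (image_ref_with_digest, verify_kong_provenance) are hypothetical.

```shell
#!/bin/sh
# Added example: wraps the regctl + cosign steps from this page into one check.
# Assumes regctl and cosign are installed; COSIGN_REPOSITORY must be exported.

COSIGN_ISSUER='https://token.actions.githubusercontent.com'
COSIGN_IDENTITY_RE='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'

# Accept only a well-formed SHA-256 digest and pin the image reference to it,
# so verification is bound to the exact manifest regctl resolved, not to a
# mutable tag. Prints "image@digest" on success, returns 1 otherwise.
image_ref_with_digest() {
    image="$1"; digest="$2"
    printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
    printf '%s@%s\n' "$image" "$digest"
}

# Resolve the digest with regctl, then verify SLSA provenance with cosign
# using the issuer and identity pattern from this page. Any failure
# (unset COSIGN_REPOSITORY, malformed digest, failed attestation check)
# returns non-zero so a CI job or admission hook can stop the rollout.
verify_kong_provenance() {
    image="$1"
    if [ -z "${COSIGN_REPOSITORY:-}" ]; then
        echo "COSIGN_REPOSITORY is unset; cosign cannot find the attestation" >&2
        return 1
    fi
    digest=$(regctl manifest digest "$image") || return 1
    ref=$(image_ref_with_digest "$image" "$digest") || {
        echo "unexpected digest from regctl: $digest" >&2
        return 1
    }
    cosign verify-attestation "$ref" \
        --type='slsaprovenance' \
        --certificate-oidc-issuer="$COSIGN_ISSUER" \
        --certificate-identity-regexp="$COSIGN_IDENTITY_RE"
}

# Usage:
#   export COSIGN_REPOSITORY=kong/notary
#   verify_kong_provenance kong/kong-gateway:3.10.0.0 || exit 1
```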