Verify signatures for signed Kong Gateway images

Uses: Kong Gateway
Minimum Version: Kong Gateway 3.5
TL;DR

Kong Gateway Docker container images are signed using Cosign, with signatures published to the Docker Hub repository kong/notary.

Because Kong builds and releases with GitHub Actions, it also signs images with GitHub's OIDC identity. You can verify these signatures with the cosign verify command.

Prerequisites

Kong Gateway Docker container images are signed using Cosign, a tool for signing images and verifying image signatures.

  1. Install Cosign by following the installation instructions for your system.

  2. Set the COSIGN_REPOSITORY environment variable on your system:

     export COSIGN_REPOSITORY=kong/notary

regctl is a Docker and OCI registry client. You will need regctl to gather information about Docker images.

Install regctl by following the installation instructions for your system.

Gather the digest information

Retrieve the manifest digest of the image with regctl, substituting the Kong Gateway Enterprise image you need to verify:

regctl manifest digest kong/kong-gateway:3.10.0.0

The command will output a SHA-256 digest:

sha256:ad58cd7175a0571b1e7c226f88ade0164e5fd50b12f4da8d373e0acc82547495

Verify image signature

Run the cosign verify command, substituting the SHA-256 digest and image name from the previous step:

cosign verify \
  'kong/kong-gateway:3.10.0.0@sha256:ad58cd7175a0571b1e7c226f88ade0164e5fd50b12f4da8d373e0acc82547495' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
  --certificate-identity-regexp='https://github.com/Kong/kong-ee/.github/workflows/release.yml' \
  -a repo='Kong/kong-ee' \
  -a workflow='Package & Release'

Make sure you set the COSIGN_REPOSITORY environment variable as described in the prerequisites; otherwise Cosign won't be able to find the image signature.

If verification is successful, the response will contain a summary of the checks that were performed:

Verification for index.docker.io/kong/kong-gateway@sha256:cb838b4090cfbfb9186be6e95fbeceabc8fdbf604400eaaca1561b1f510128eb --
The following checks were performed on each of these signatures:
  - The specified annotations were verified.
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
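The two steps above, wrapped in a script that fails closed: it resolves the tag to its manifest digest, refuses anything that is not a well-formed SHA-256 digest, and then runs the same cosign verify call. This is an added example, not Kong's own tooling; it assumes regctl and cosign are installed and on PATH.

```shell
#!/usr/bin/env bash
# Added example (not Kong's own tooling): resolve a Kong Gateway image tag to its
# manifest digest, then verify the Cosign signature against the GitHub Actions
# identity shown above. Assumes regctl and cosign are installed and on PATH.
set -eu

# Signatures live in kong/notary, not next to the image; cosign needs this to find them.
export COSIGN_REPOSITORY="${COSIGN_REPOSITORY:-kong/notary}"

# Accept only a well-formed digest: "sha256:" followed by exactly 64 hex characters.
is_sha256_digest() {
  printf '%s' "${1:-}" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Build the "image@digest" reference that cosign verifies; fail on a malformed digest.
pinned_ref() {
  local image="$1" digest="$2"
  if ! is_sha256_digest "$digest"; then
    echo "refusing to verify '$image': malformed digest '$digest'" >&2
    return 1
  fi
  printf '%s@%s' "$image" "$digest"
}

# Resolve the tag with regctl (tags are mutable; the digest pins what was signed).
resolve_digest() {
  regctl manifest digest "$1"
}

# Verify the pinned reference with the issuer, identity and annotations from this page.
verify_kong_image() {
  local image="$1" ref
  ref=$(pinned_ref "$image" "$(resolve_digest "$image")")
  cosign verify "$ref" \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/Kong/kong-ee/.github/workflows/release.yml' \
    -a repo='Kong/kong-ee' \
    -a workflow='Package & Release' >/dev/null
}

# Usage: ./verify-kong.sh kong/kong-gateway:3.10.0.0  (exit status 0 only when verified)
if [ -n "${1:-}" ]; then
  verify_kong_image "$1"
  echo "verified: $1"
fi
```

Because every step runs under set -e, a missing signature, a digest that does not match, or an identity other than the release workflow makes the script exit non-zero, which is what you want in a deployment pipeline.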