Verify signatures for signed Kong Gateway images
Kong Gateway Docker container images are signed using Cosign, with signatures published to the Docker Hub repository kong/notary.
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to sign images.
You can verify these signatures using the cosign verify command.
Prerequisites
Cosign
Kong Gateway Docker container images are signed using Cosign, which is a tool that lets you sign images and verify image signatures.
- Install Cosign by following the installation instructions for your system.
- Set the COSIGN_REPOSITORY environment variable on your system:
export COSIGN_REPOSITORY=kong/notary
Gather the digest information
Parse the manifest digest for the image using regctl, substituting the Kong Gateway Enterprise image you need to verify:
regctl manifest digest kong/kong-gateway:3.10.0.0
The command will output a SHA-256 digest:
sha256:ad58cd7175a0571b1e7c226f88ade0164e5fd50b12f4da8d373e0acc82547495
Verify image signature
Run the cosign verify command, substituting the SHA-256 digest and image name from the previous step:
cosign verify \
'kong/kong-gateway:3.10.0.0@sha256:ad58cd7175a0571b1e7c226f88ade0164e5fd50b12f4da8d373e0acc82547495' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/kong-ee/.github/workflows/release.yml' \
-a repo='Kong/kong-ee' \
-a workflow='Package & Release'
Make sure that you've set the COSIGN_REPOSITORY environment variable as described in the prerequisites, or Cosign won't be able to find the image signature.
If verification is successful, the response will contain a summary of the checks that were performed:
Verification for index.docker.io/kong/kong-gateway@sha256:cb838b4090cfbfb9186be6e95fbeceabc8fdbf604400eaaca1561b1f510128eb --
The following checks were performed on each of these signatures:
- The specified annotations were verified.
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
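The three manual steps above (set COSIGN_REPOSITORY, resolve the tag to a digest with regctl, run cosign verify against that digest) can be wrapped in one fail-closed script so that nothing is ever verified against a mutable tag or with a malformed digest. The script below is an added example, not Kong's own tooling: the issuer, identity regexp and annotation values are the ones documented on this page, while the function names and the usage line are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Kong's tooling): verify a Kong Gateway image signature,
# failing closed on every step. Values below are those documented by Kong.
set -eu

OIDC_ISSUER='https://token.actions.githubusercontent.com'
IDENTITY_REGEXP='https://github.com/Kong/kong-ee/.github/workflows/release.yml'
EXPECTED_REPO='Kong/kong-ee'
EXPECTED_WORKFLOW='Package & Release'

# True only for a well-formed manifest digest: "sha256:" followed by exactly
# 64 lowercase hex characters. A tag, an empty string or a truncated
# copy-paste is rejected so cosign is never pointed at a mutable reference.
is_sha256_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Run "<cosign binary> verify" with the documented identity policy for an
# image pinned to its digest. The first argument is the cosign binary so the
# invocation can be inspected offline by passing "echo" instead.
run_cosign_verify() {
  cosign_bin="$1"
  image="$2"
  digest="$3"
  is_sha256_digest "$digest" || {
    echo "refusing to verify without a sha256 digest, got: $digest" >&2
    return 1
  }
  "$cosign_bin" verify "${image}@${digest}" \
    --certificate-oidc-issuer="$OIDC_ISSUER" \
    --certificate-identity-regexp="$IDENTITY_REGEXP" \
    -a "repo=$EXPECTED_REPO" \
    -a "workflow=$EXPECTED_WORKFLOW"
}

# Resolve the tag with regctl, then verify. Exits non-zero if the signature
# repository is not configured, a tool is missing, regctl fails, the digest
# is malformed, or cosign rejects the signature.
verify_kong_image() {
  image="$1"
  : "${COSIGN_REPOSITORY:?set COSIGN_REPOSITORY=kong/notary first (see prerequisites)}"
  for tool in regctl cosign; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found in PATH" >&2; return 1; }
  done
  digest=$(regctl manifest digest "$image") || return 1
  echo "resolved ${image} -> ${digest}" >&2
  run_cosign_verify cosign "$image" "$digest"
}

# Usage (assumed file name):
#   COSIGN_REPOSITORY=kong/notary sh verify-kong-image.sh kong/kong-gateway:3.10.0.0
if [ -n "${1:-}" ]; then
  verify_kong_image "$1"
fi
```

The identity is matched with --certificate-identity-regexp rather than an exact --certificate-identity because the Fulcio certificate issued to a GitHub Actions workflow carries the workflow path followed by an @ref suffix (the branch or tag that ran it); the regexp matches whichever ref produced the release. Since it is a regular expression, the dots in the pattern match any character and the pattern is unanchored, so keep the issuer and the repo/workflow annotation checks in place rather than relying on the identity pattern alone. Pinning the image by digest in both the verify step and the later docker pull ensures the artifact you run is the one whose signature was checked.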