Verifying build provenance for signed Inso CLI binaries

Kong produces build provenance for Inso CLI binary artifacts, which can be verified using cosign or slsa-verifier.

This guide provides steps to verify build provenance for signed Inso CLI binary artifacts in two different ways:

• A minimal example, used to verify an binary artifacts without leveraging any annotations
• A complete example, leveraging optional annotations for increased trust

For the minimal example, you only need a compressed binary file(s) and provenance file.

For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.

For both examples, you need to:

• Ensure slsa-verifier is installed.

• Download Inso CLI binaries with the file pattern inso-*.{pkg,tar.xz,zip}

• Download Inso CLI binary provenance attestation with the pattern inso-provenance.intoto.jsonl

The GitHub owner is case-sensitive (Kong/insomnia vs kong/insomnia).

Run the slsa-verifier verify-artifact command:

slsa-verifier verify-artifact \
   --print-provenance \
   --provenance-path '$PROVENANCE_FILE' \
   --source-uri 'github.com/Kong/$REPO' \
   $BINARY_FILES

The command will print “Verified SLSA provenance” if successful:

...
PASSED: Verified SLSA provenance

Run the slsa-verifier verify-artifact command:

slsa-verifier verify-artifact \
   --print-provenance \
   --provenance-path '$PROVENANCE_FILE' \
   --source-uri 'github.com/Kong/$REPO' \
   --build-workflow-input 'version=$VERSION' \
   $BINARY_FILES