Verify signatures for signed Inso CLI Docker images

Inso CLI Docker container images are signed using cosign with signatures published to a Docker Hub repository.

This guide provides steps to verify signatures for signed Inso CLI Docker container images in two different ways:

• A minimal example, used to verify an image without leveraging any annotations
• A complete example, leveraging optional annotations for increased trust

For the minimal example, you only need Docker image details, a GitHub repo name, and a GitHub workflow filename.

For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you want to verify:

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to sign images, which is why many of these details are GitHub-related.

For both examples, you need to:

• Ensure cosign is installed.

• Collect the necessary image details.

• Set the COSIGN_REPOSITORY environment variable:

   export COSIGN_REPOSITORY=kong/notary
  

• Parse the image manifest digest

   IMAGE_DIGEST=$(regctl manifest digest kong/inso:$TAG)
  

GitHub owner is case-sensitive (Kong/insomnia vs kong/insomnia).

Run the cosign verify command:

cosign verify \
   kong/inso:$TAG@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/$REPO/.github/workflows/$WORKFLOW_FILENAME'

Run the cosign verify command:

cosign verify \
   kong/inso:$TAG@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/$REPO/.github/workflows/$WORKFLOW_FILENAME' \
   -a repo='Kong/$REPO' \
   -a workflow='$WORKFLOW_NAME'