Verify build provenance for signed Kong Mesh images
Available with Kong Gateway Enterprise subscription - Contact Sales

Starting with 2.8.0, Kong Mesh produces build provenance for Docker container images, which can be verified using cosign / slsa-verifier with attestations published to a Docker Hub repository.

This guide provides steps to verify build provenance for signed Kong Mesh Docker container images with an example to verify an image provenance leveraging any optional annotations for increased trust.

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for container images, which is why many of these details are GitHub-related.

Prerequisites

Cosign / slsa-verifier is installed
regctl is installed
Collect the necessary image details.
The GitHub owner is case-sensitive (Kong/kong-mesh vs kong/kong-mesh).

Example with kong/kuma-cp

Kong Mesh image provenance can be verified using cosign or slsa-verifier:

cosign

slsa-verifier

Set the COSIGN_REPOSITORY environment variable:
```
export COSIGN_REPOSITORY=kong/notary
```

Parse the image manifest using regctl:

export IMAGE_DIGEST=$(regctl manifest digest kong/kuma-cp:2.10.1)

Run the cosign verify-attestation ... command:

cosign verify-attestation \
   kong/kuma-cp:2.10.1@${IMAGE_DIGEST} \
   --type='slsaprovenance' \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
   --certificate-github-workflow-repository='Kong/kong-mesh' \
   --certificate-github-workflow-name='build-test-distribute' \
   --certificate-github-workflow-trigger='push'

Thank you for your feedback.

Was this page useful?