旧バージョンのドキュメントを参照しています。最新のドキュメントはこちらをご参照ください。

Verify Build Provenance for Kong Mesh Binaries

Starting with 2.8.0, Kong Mesh produces build provenance for binary artifacts, which can be verified using slsa-verifier with attestations published to a Docker Hub repository.

This guide provides steps to verify build provenance for signed Kong Mesh binary artifacts with an example leveraging optional annotations for increased trust.

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.

Prerequisites

slsa-verifier is installed.
Download security assets for the required version of Kong Mesh binaries
Extract the downloaded security-assets.tar.gz to access the provenance file kong-mesh.intoto.jsonl
```
 tar -xvzf security-assets.tar.gz
```
Download compressed binaries for the required version of Kong Mesh
The GitHub owner is case-sensitive (Kong/kong-mesh vs kong/kong-mesh).

Example

slsa-verifier

Change to directory where the security-assets.tar.gz and compressed binaries are downloaded

Run the slsa-verifier verify-artifact ... command:

slsa-verifier verify-artifact \
   --print-provenance \
   --provenance-path 'kong-mesh.intoto.jsonl' \
   --source-uri 'github.com/Kong/kong-mesh' \
   --source-tag '2.8.5' \
   kong-mesh-2.8.5-*-*.tar.gz