Verifying build provenance for signed Insomnia binaries


Kong produces build provenance for Insomnia Application binary artifacts, which can be verified using cosign / slsa-verifier.

This guide provides steps to verify build provenance for signed Insomnia Application binary artifacts in two different ways:

  • A minimal example, used to verify binary artifacts without leveraging any annotations
  • A complete example, leveraging optional annotations for increased trust

For the minimal example, you only need the compressed binary file(s) and the provenance file.

For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:

Shorthand         Description                                     Example Value
REPO              GitHub repository                               insomnia
VERSION           Artifact version to download                    9.3.0
BINARY_FILES      Space-separated list of Insomnia binary files   Insomnia.Core-9.3.0.{snap,tar.gz,zip,rpm,dmg,deb,exe,AppImage}
PROVENANCE_FILE   Binary provenance file                          inso-provenance.intoto.jsonl

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.

Prerequisites

For both examples, you need to:

The GitHub owner is case-sensitive (Kong/insomnia vs kong/insomnia).

Minimal example

Run the slsa-verifier verify-artifact ... command:

slsa-verifier verify-artifact \
   --print-provenance \
   --provenance-path "$PROVENANCE_FILE" \
   --source-uri "github.com/Kong/$REPO" \
   $BINARY_FILES

Here’s the same example using sample values instead of placeholders:

slsa-verifier verify-artifact \
   --print-provenance \
   --provenance-path 'insomnia-provenance.intoto.jsonl' \
   --source-uri 'github.com/Kong/insomnia' \
   Insomnia.Core-9.3.0.{snap,tar.gz,zip,rpm,dmg,deb,AppImage,exe}

The command will print “Verified SLSA provenance” if successful:

...
PASSED: Verified SLSA provenance

Complete example

Run the slsa-verifier verify-artifact ... command:

slsa-verifier verify-artifact \
   --print-provenance \
   --provenance-path "$PROVENANCE_FILE" \
   --source-uri "github.com/Kong/$REPO" \
   --build-workflow-input 'version=9.3.0' \
   $BINARY_FILES

Here’s the same example using sample values instead of placeholders:

slsa-verifier verify-artifact \
   --print-provenance \
   --provenance-path 'insomnia-provenance.intoto.jsonl' \
   --source-uri 'github.com/Kong/insomnia' \
   --build-workflow-input 'version=9.3.0' \
   Insomnia.Core-9.3.0.{snap,tar.gz,zip,rpm,dmg,deb,AppImage,exe}
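As an added pre-check that is not part of Kong's docs or tooling: this Python script decodes the DSSE envelope carried in the .intoto.jsonl provenance file and compares each listed subject's sha256 digest with the local binaries, so you can see which downloaded files the provenance actually covers before (not instead of) running slsa-verifier, which is what checks the signature and the source repository. The envelope, file contents, digests and the placeholder signature are constructed sample values.

```python
import base64, hashlib, json, os, tempfile

def load_statement(provenance_path):
    """Decode the in-toto Statement in the first DSSE envelope of a .intoto.jsonl file.
    Only the payload is decoded; the DSSE signature is NOT verified here (slsa-verifier does that)."""
    with open(provenance_path, "r", encoding="utf-8") as fh:
        envelope = json.loads(fh.readline())
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def check_subjects(statement, binary_paths):
    """Map each local file name to 'match', 'mismatch' or 'not-in-provenance'."""
    expected = {s["name"]: s["digest"]["sha256"].lower() for s in statement["subject"]}
    results = {}
    for path in binary_paths:
        name = os.path.basename(path)
        if name not in expected:
            results[name] = "not-in-provenance"
        else:
            results[name] = "match" if sha256_file(path) == expected[name] else "mismatch"
    return results

def demo():
    """Constructed sample: one intact artifact, one tampered one, one absent from the provenance."""
    workdir = tempfile.mkdtemp()
    files = {"Insomnia.Core-9.3.0.deb": b"good-build", "Insomnia.Core-9.3.0.rpm": b"tampered",
             "Insomnia.Core-9.3.0.zip": b"not-listed"}
    for name, content in files.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(content)
    subjects = [  # the .rpm digest is for the original build, so the local copy will mismatch
        {"name": "Insomnia.Core-9.3.0.deb", "digest": {"sha256": hashlib.sha256(b"good-build").hexdigest()}},
        {"name": "Insomnia.Core-9.3.0.rpm", "digest": {"sha256": hashlib.sha256(b"original").hexdigest()}},
    ]
    statement = {"_type": "https://in-toto.io/Statement/v1", "subject": subjects,
                 "predicateType": "https://slsa.dev/provenance/v1", "predicate": {}}
    envelope = {"payloadType": "application/vnd.in-toto+json",
                "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}]}
    prov = os.path.join(workdir, "inso-provenance.intoto.jsonl")
    with open(prov, "w", encoding="utf-8") as fh:
        fh.write(json.dumps(envelope) + "\n")
    return check_subjects(load_statement(prov), [os.path.join(workdir, n) for n in files])
```

A file reported as "not-in-provenance" was never covered by the attestation, and a "mismatch" means the local bytes differ from what the builder attested; both should fail slsa-verifier as well.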