Verify build provenance for Kong Mesh binaries

Uses: Kong Mesh

Kong Mesh produces build provenance for binary artifacts, which can be verified using slsa-verifier with attestations published to a Docker Hub repository.

This guide provides steps to verify build provenance for signed Kong Mesh binary artifacts with an example leveraging optional annotations for increased trust.

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.

Prerequisites

  • slsa-verifier is installed.

  • Download the security assets for the required version of the Kong Mesh binaries.

  • Extract the downloaded security-assets.tar.gz to obtain the provenance file kong-mesh.intoto.jsonl:

     tar -xvzf security-assets.tar.gz
    
  • Download the compressed binaries for the required version of Kong Mesh.

  • Note that the GitHub owner in the source URI is case-sensitive (Kong/kong-mesh, not kong/kong-mesh); a lowercase owner makes verification fail.

Verify build provenance

  1. Change to the directory where security-assets.tar.gz and the compressed binaries were downloaded.

  2. Run the slsa-verifier verify-artifact ... command:

    slsa-verifier verify-artifact \
       --print-provenance \
       --provenance-path 'kong-mesh.intoto.jsonl' \
       --source-uri 'github.com/Kong/kong-mesh' \
       --source-tag '2.10.1' \
       kong-mesh-2.10.1-*-*.tar.gz
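
The following script is an added example, not part of the Kong documentation or of slsa-verifier, that shows what the command above checks before it ever reaches the signature: it decodes the DSSE envelope lines of kong-mesh.intoto.jsonl, compares each subject's sha256 against the local archive, and checks the recorded source repository and tag (case-sensitively, which is why the owner must be Kong and not kong). It does not verify the Sigstore signature, so it complements slsa-verifier for local triage rather than replacing it. The provenance layout (SLSA v0.2 predicate with invocation.configSource.uri of the form git+https://github.com/Kong/kong-mesh@refs/tags/2.10.1), the builder id and the archive bytes are constructed assumptions; the real file may differ.

```python
"""Offline pre-check of a kong-mesh.intoto.jsonl provenance file (added example).

Decodes the DSSE envelope(s), compares subject digests against local archives
and checks the recorded source URI and tag. Signatures are NOT verified here;
slsa-verifier still has to be run for that.
"""
import base64
import hashlib
import json
import os
import tempfile

SOURCE_URI = "github.com/Kong/kong-mesh"  # case-sensitive, as the guide notes
TAG = "2.10.1"


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_statements(jsonl_text):
    """Decode each DSSE envelope line of an .intoto.jsonl file into its in-toto statement."""
    statements = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def source_matches(statement, source_uri, tag):
    """Approximate --source-uri/--source-tag on a SLSA v0.2 predicate (assumed layout:
    configSource.uri == git+https://<repo>@refs/tags/<tag>); slsa-verifier is the authority."""
    uri = statement["predicate"]["invocation"]["configSource"]["uri"]
    if uri.startswith("git+https://"):
        uri = uri[len("git+https://"):]
    repo, _, ref = uri.partition("@")
    return repo == source_uri and ref == "refs/tags/" + tag


def precheck(provenance_path, artifact_paths, source_uri=SOURCE_URI, tag=TAG):
    """Return {archive name: {"digest_ok": bool, "source_ok": bool}}."""
    with open(provenance_path, encoding="utf-8") as f:
        statements = load_statements(f.read())
    expected = {s["name"]: s["digest"]["sha256"]
                for st in statements for s in st.get("subject", [])}
    source_ok = all(source_matches(st, source_uri, tag) for st in statements)
    return {os.path.basename(p): {"digest_ok": expected.get(os.path.basename(p)) == sha256_file(p),
                                  "source_ok": source_ok} for p in artifact_paths}


def build_fixture(directory, tag=TAG, tamper=False):
    """Write two constructed archives plus an unsigned provenance file covering them."""
    subjects, paths = [], []
    for platform in ("linux-amd64", "darwin-arm64"):
        name = "kong-mesh-%s-%s.tar.gz" % (tag, platform)
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(b"constructed archive bytes for " + name.encode())
        subjects.append({"name": name, "digest": {"sha256": sha256_file(path)}})
        paths.append(path)
    if tamper:  # alter the first archive after its digest was recorded
        with open(paths[0], "ab") as f:
            f.write(b"tampered")
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1", "subject": subjects,
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {"builder": {"id": "https://builder.example.invalid/placeholder"},  # placeholder
                      "invocation": {"configSource": {
                          "uri": "git+https://github.com/Kong/kong-mesh@refs/tags/" + tag}}}}
    envelope = {"payloadType": "application/vnd.in-toto+json",
                "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signatures": [{"keyid": "", "sig": "constructed, not a real signature"}]}
    prov = os.path.join(directory, "kong-mesh.intoto.jsonl")
    with open(prov, "w", encoding="utf-8") as f:
        f.write(json.dumps(envelope) + "\n")
    return prov, paths


def demo():
    """Run the pre-check over a clean fixture and three failure scenarios."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        prov, paths = build_fixture(d)
        out["clean"] = precheck(prov, paths)
        out["wrong_tag"] = precheck(prov, paths, tag="2.10.0")
        out["lowercase_owner"] = precheck(prov, paths, source_uri="github.com/kong/kong-mesh")
    with tempfile.TemporaryDirectory() as d:
        prov, paths = build_fixture(d, tamper=True)
        out["tampered"] = precheck(prov, paths)
    return out


if __name__ == "__main__":
    for scenario, results in demo().items():
        print(scenario, results)
```

Against the real download, call precheck("kong-mesh.intoto.jsonl", glob.glob("kong-mesh-2.10.1-*-*.tar.gz")) from the download directory; a digest mismatch means the archive is not the one the provenance attests, and a source mismatch usually means the wrong tag or a lowercase owner. Either way, slsa-verifier would also reject the artifact, so this only helps explain why.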
    