Verify build provenance for signed Kong Mesh images

Uses: Kong Mesh

Prerequisites

Cosign / slsa-verifier is installed
regctl is installed
Collect the necessary image details.
The GitHub owner is case-sensitive (Kong/kong-mesh vs kong/kong-mesh).

Image provenance example with kong/kuma-cp

Kong Mesh image provenance can be verified using cosign or slsa-verifier:

Set the COSIGN_REPOSITORY environment variable:
```
export COSIGN_REPOSITORY=kong/notary
```

Parse the image manifest using regctl:

export IMAGE_DIGEST=$(regctl manifest digest kong/kuma-cp:2.10.1)

Run the cosign verify-attestation ... command:

cosign verify-attestation \
   kong/kuma-cp:2.10.1@$IMAGE_DIGEST \
   --type='slsaprovenance' \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
   --certificate-github-workflow-repository='Kong/kong-mesh' \
   --certificate-github-workflow-name='build-test-distribute' \
   --certificate-github-workflow-trigger='push'

Parse the image manifest using regctl

export IMAGE_DIGEST=$(regctl manifest digest kong/kuma-cp:2.10.1)

Run the slsa-verifier verify-image ... command:

slsa-verifier verify-image \
   kong/kuma-cp:2.10.1@$IMAGE_DIGEST \
   --print-provenance \
   --provenance-repository 'kong/notary' \
   --source-uri 'github.com/Kong/kong-mesh' \
   --source-tag '2.10.1'

Verify build provenance for signed Kong Mesh images

Prerequisites

Image provenance example with kong/kuma-cp

Help us make these docs great!

Still need help