Docker container images are now signed using cosign with signatures published to a Docker Hub repository.
This guide provides steps to verify signatures for signed Kong Mesh Docker container images with an example used to verify an image leveraging optional annotations for increased trust.
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to sign images, which is why many of these details are GitHub-related.
Cosign is installed
regctl is installed
Collect the necessary image details
The GitHub owner is case-sensitive (Kong/kong-mesh vs kong/kong-mesh)
kong/kuma-cp
The Kong Mesh image signature can be verified using cosign:
Set the COSIGN_REPOSITORY environment variable:
export COSIGN_REPOSITORY=kong/notary
Parse the image manifest using regctl
IMAGE_DIGEST=$(regctl manifest digest kong/kuma-cp:2.10.1)
Run the cosign verify command:
cosign verify \
kong/kuma-cp:2.10.1@$IMAGE_DIGEST \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/kong-mesh/.github/workflows/kuma-_build_publish.yaml' \
-a repo='Kong/kong-mesh' \
-a workflow='build-test-distribute'