
Verify Signatures for Signed Kong Images

Starting with Kong Gateway Enterprise 3.5.0.2, Docker container images are now signed using cosign with signatures published to a Docker Hub repository.

This guide provides steps to verify signatures for signed Kong Gateway Enterprise Docker container images in two different ways:

  • A minimal example, used to verify an image without leveraging any annotations
  • A complete example, leveraging optional annotations for increased trust

For the minimal example, you only need Docker details, a GitHub repo name, and a GitHub workflow filename.

For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:

  Shorthand             Description                Example Value
  <repo>                GitHub repository          kong-ee
  <workflow filename>   GitHub workflow filename   release.yml
  <workflow name>       GitHub workflow name       Package & Release

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to sign images, which is why many of these details are GitHub-related.

Examples

Prerequisites

For both examples, you need to:

  1. Ensure cosign is installed.

  2. Collect the necessary image details.

  3. Set the COSIGN_REPOSITORY environment variable:

        export COSIGN_REPOSITORY=kong/notary

The GitHub owner in the certificate identity is case-sensitive (Kong/kong-ee vs. kong/kong-ee).

Minimal example

Run the cosign verify ... command:

    cosign verify \
      <image>:<tag>@sha256:<digest> \
      --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
      --certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>'

Here’s the same example using sample values instead of placeholders:

    cosign verify \
      'kong/kong-gateway:3.6.0.0-ubuntu@sha256:2f4d417efee8b4c26649d8171dd0d26e0ca16213ba37b7a6b807c98a4fd413e8' \
      --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
      --certificate-identity-regexp='https://github.com/Kong/kong-ee/.github/workflows/release.yml'

The command exits with status 0 when the cosign verification succeeds (any non-zero status means the signature was not accepted):

    ...
    echo $?
    0

Complete example

    cosign verify \
      <image>:<tag>@sha256:<digest> \
      --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
      --certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>' \
      -a repo='Kong/<repo>' \
      -a workflow='<workflow name>'

Here’s the same example using sample values instead of placeholders:

    cosign verify \
      'kong/kong-gateway:3.6.0.0-ubuntu@sha256:2f4d417efee8b4c26649d8171dd0d26e0ca16213ba37b7a6b807c98a4fd413e8' \
      --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
      --certificate-identity-regexp='https://github.com/Kong/kong-ee/.github/workflows/release.yml' \
      -a repo='Kong/kong-ee' \
      -a workflow='Package & Release'
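As an added example (not Kong's own code), here is a small Python CI gate that runs the minimal and complete commands above and then re-checks cosign's JSON output itself: the pinned digest, the GitHub Actions issuer, the workflow identity as an explicit prefix, and any `-a` annotations. It assumes cosign is on PATH, COSIGN_REPOSITORY is exported as in the prerequisites, and the output keys (`critical.image.docker-manifest-digest`, `optional.Issuer`, `optional.Subject`) as cosign prints them for keyless signatures.

```python
"""CI gate around the cosign verify command above (added example, not Kong's code).
Assumes cosign is on PATH, COSIGN_REPOSITORY is exported as in the prerequisites, and
cosign prints a JSON array with critical.image.docker-manifest-digest and optional.Issuer/Subject."""
import json
import subprocess

ISSUER = "https://token.actions.githubusercontent.com"

def identity_prefix(repo, workflow_file):
    """Workflow URL the certificate identity must start with (owner is case-sensitive)."""
    return f"https://github.com/Kong/{repo}/.github/workflows/{workflow_file}"

def check_verify_output(raw, digest, repo, workflow_file, annotations=None):
    """True only if every signature cosign reported is bound to the pinned digest, was
    issued via GitHub Actions OIDC, names our workflow and carries the annotations."""
    prefix = identity_prefix(repo, workflow_file)
    try:
        sigs = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(sigs, list) or not sigs or not all(isinstance(s, dict) for s in sigs):
        return False
    for sig in sigs:
        critical, optional = sig.get("critical", {}), sig.get("optional", {})
        if critical.get("image", {}).get("docker-manifest-digest") != digest:
            return False
        if optional.get("Issuer") != ISSUER:
            return False
        # --certificate-identity-regexp is an unanchored match and the identity itself
        # ends in an @<git ref> suffix, so re-check it here as an explicit prefix match.
        if not str(optional.get("Subject", "")).startswith(prefix):
            return False
        if any(optional.get(k) != v for k, v in (annotations or {}).items()):
            return False
    return True

def verify_image(image_ref, digest, repo, workflow_file, annotations=None):
    """Run the page's cosign verify command; fail closed on exit status or output."""
    cmd = ["cosign", "verify", f"{image_ref}@{digest}",
           f"--certificate-oidc-issuer={ISSUER}",
           f"--certificate-identity-regexp={identity_prefix(repo, workflow_file)}"]
    for k, v in (annotations or {}).items():
        cmd += ["-a", f"{k}={v}"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:  # non-zero exit: cosign rejected the signature
        return False
    return check_verify_output(proc.stdout, digest, repo, workflow_file, annotations)
```

Calling `verify_image("kong/kong-gateway:3.6.0.0-ubuntu", "sha256:2f4d417efee8b4c26649d8171dd0d26e0ca16213ba37b7a6b807c98a4fd413e8", "kong-ee", "release.yml", {"repo": "Kong/kong-ee", "workflow": "Package & Release"})` reproduces the complete example; a wrong digest, a differently cased owner, or a mismatched annotation all return False.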