Verify Signatures for Signed Kong Images
Starting with Kong Gateway Enterprise 3.5.0.2, Docker container images are now signed using cosign
with signatures published to a Docker Hub repository.
This guide provides steps to verify signatures for signed Kong Gateway Enterprise Docker container images in two different ways:
- A minimal example, used to verify an image without leveraging any annotations
- A complete example, leveraging optional annotations for increased trust
For the minimal example, you only need Docker details, a GitHub repo name, and a GitHub workflow filename.
For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:
Shorthand | Description | Example Value |
---|---|---|
<repo> | Github repository | kong-ee |
<workflow filename> | Github workflow filename | release.yml |
<workflow name> | Github workflow name | Package & Release |
Because Kong uses Github Actions to build and release, Kong also uses Github’s OIDC identity to sign images, which is why many of these details are Github-related.
Examples
Prerequisites
For both examples, you need to:
Ensure
cosign
is installed.Collect the necessary image details.
Set the
COSIGN_REPOSITORY
environment variable:export COSIGN_REPOSITORY=kong/notary
Github owner is case-sensitive (
Kong/kong-ee
vskong/kong-ee
).
Minimal example
Run the cosign verify ...
command:
cosign verify \
<image>:<tag>@sha256:<digest> \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>'
Here’s the same example using sample values instead of placeholders:
cosign verify \
'kong/kong-gateway:3.6.0.0-ubuntu@sha256:2f4d417efee8b4c26649d8171dd0d26e0ca16213ba37b7a6b807c98a4fd413e8' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/kong-ee/.github/workflows/release.yml'
The command will exit with 0
when the cosign
verification is complete:
...
echo $?
0
Complete example
cosign verify \
<image>:<tag>@sha256:<digest> \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>' \
-a repo='Kong/<repo>' \
-a workflow='<workflow name>'
Here’s the same example using sample values instead of placeholders:
cosign verify \
'kong/kong-gateway:3.6.0.0-ubuntu@sha256:2f4d417efee8b4c26649d8171dd0d26e0ca16213ba37b7a6b807c98a4fd413e8' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/kong-ee/.github/workflows/release.yml' \
-a repo='Kong/kong-ee' \
-a workflow='Package & Release'