fix slsa verifier signature repository for image provenance
Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
saisatishkarra committed Jun 12, 2024
1 parent e73d755 commit 391785b
Showing 2 changed files with 5 additions and 1 deletion.
2 changes: 1 addition & 1 deletion app/_src/mesh/features/provenance-verification-binaries.md
Expand Up @@ -20,7 +20,7 @@ For the complete example, you need the same details as the minimal example, as w
| `<workflow name>` | GitHub workflow name | `build-test-distribute` |
| `<workflow trigger>` | Github workflow trigger name | `push` |
| `<version>` | Artifact version to download | `2.7.4` |
| `<binary-files>` | Compressed binary files for the specified version | `kong-mesh-<version>-*-*.tar.gz` |
| `<binary-files>` | Compressed binary files for the specified version | `kong-mesh-2.7.4-*-*.tar.gz` |
| `<provenance-file>` | Binary provenance file | `kong-mesh.intoto.jsonl` |

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.
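Review bot: The `<binary-files>` row falls outside what the commit title covers. The title mentions only the signature repository for image provenance, yet this hunk edits the binaries page. Mention the example fix in the commit message or split it into its own commit. With the change, the example cell reads `kong-mesh-2.7.4-*-*.tar.gz`, which repeats the `2.7.4` literal from the `<version>` row directly above it, so both cells have to be updated together whenever the sample version changes.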
4 changes: 4 additions & 0 deletions app/_src/mesh/features/provenance-verification-images.md
Expand Up @@ -93,6 +93,7 @@ Run the `slsa-verifier verify-image ...` command:
slsa-verifier verify-image \
<image>:<tag>@sha256:<manifest_digest> \
--print-provenance \
--provenance-repository 'kong/notary' \
--source-uri 'github.com/Kong/<repo>'
```
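Review bot: `--provenance-repository 'kong/notary'` is a literal inside a command whose other arguments are placeholders (`<image>`, `<tag>`, `<manifest_digest>`, `<repo>`), and nothing in the visible lines explains it. Add a sentence before the command saying that the provenance is looked up in a repository separate from the image's own, so readers understand why the flag is needed and do not replace the value with their image name.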

Expand All @@ -102,6 +103,7 @@ Here's the same example using sample values instead of placeholders:
slsa-verifier verify-image \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
--print-provenance \
--provenance-repository 'kong/notary' \
--source-uri 'github.com/Kong/kong-mesh'
```
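Review bot: The value `'kong/notary'` carries no registry host, the same as `'kong/kuma-cp'` on the image line above it. State in the surrounding text which registry both references resolve against, since a reader who pulls the image through a mirror or a private registry needs to know whether the provenance repository has to change with it.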

Expand Down Expand Up @@ -151,6 +153,7 @@ slsa-verifier verify-image \
<image>:<tag>@sha256:<manifest_digest> \
--print-provenance \
--source-uri 'github.com/Kong/<repo>' \
--provenance-repository 'kong/notary' \
--source-tag '<version>'
```
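Review bot: The flag order here differs from the minimal example. `--provenance-repository` sits between `--source-uri` and `--source-tag`, while the two commands earlier in this file place it before `--source-uri`. Argument order does not change the result, but putting the new flag in the same position in all four commands, for instance directly after `--print-provenance`, lets the complete example read as the minimal one plus `--source-tag`.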

Expand All @@ -161,5 +164,6 @@ slsa-verifier verify-image \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
--print-provenance \
--source-uri 'github.com/Kong/kong-mesh' \
--provenance-repository 'kong/notary' \
--source-tag '2.7.4'
```
