feat(slsa/provenance)[SEC-1079]: mesh binary artifact provenance verification
1 parent e3dd762, commit a85c321. Showing 1 changed file with 110 additions and 0 deletions.
app/_src/mesh/features/provenance-verification-binaries.md
@@ -0,0 +1,110 @@ | ||
--- | ||
title: Verify Build Provenance for Kong Mesh Binaries | ||
badge: enterprise | ||
--- | ||
|
||
Starting with {{site.mesh_product_name}} 2.7.0, Kong Mesh produces build provenance for binary artifacts, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository. | ||
|
||
|
||
This guide provides steps to verify build provenance for signed {{site.mesh_product_name}} binary artifacts in two different ways: | ||
|
||
* A minimal example, used to verify an binary artifacts without leveraging any annotations | ||
* A complete example, leveraging optional annotations for increased trust | ||
|
||
For the minimal example, you only need a compressed binary file and provenance file. | ||
|
||
For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify: | ||
|
||
| Shorthand | Description | Example Value | | ||
|---|---|---| | ||
| `<repo>` | GitHub repository | `kong-mesh` | | ||
| `<workflow name>` | GitHub workflow name | `build-test-distribute` | | ||
| `<workflow trigger>` | Github workflow trigger name | `push` | | ||
|
||
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related. | ||
|
||
## Examples | ||
|
||
### Prerequisites | ||
|
||
For both examples, you need to: | ||
|
||
1. Ensure `cosign` / `slsa-verifier` is installed. | ||
|
||
2. Download the necessary binary artifacts. | ||
|
||
3. Download the provenance file `kong-mesh.intoto.jsonl` for binary artifacts. | ||
|
||
{:.important .no-icon} | ||
> The GitHub owner is case-sensitive (`Kong/kong-mesh` vs `kong/kong-mesh`). | ||
### Minimal example | ||
|
||
#### Using Cosign | ||
|
||
Run the `cosign verify-attestation ...` command: | ||
|
||
```sh | ||
``` | ||
|
||
Here's the same example using sample values instead of placeholders: | ||
|
||
```sh | ||
``` | ||
|
||
The command will exit with `0` when the `cosign` verification is completed: | ||
|
||
```sh | ||
... | ||
echo $? | ||
0 | ||
``` | ||
|
||
#### Using slsa-verifier | ||
|
||
Run the `slsa-verifier verify-artifact...` command: | ||
|
||
```sh | ||
slsa-verifier verify-artifact \ | ||
--print-provenance \ | ||
--provenance-path '<path to provenance file>' \ | ||
--source-uri 'github.com/Kong/<repo>' \ | ||
<path to binary artifact> | ||
``` | ||
|
||
Here's the same example using sample values instead of placeholders: | ||
|
||
```sh | ||
``` | ||
|
||
The command will print "Verified SLASA provenance" if successful: | ||
|
||
```sh | ||
... | ||
PASSED: Verified SLSA provenance | ||
``` | ||
|
||
### Complete example | ||
|
||
#### Using Cosign | ||
|
||
Run the `cosign verify-attestation ...` command: | ||
|
||
```sh | ||
``` | ||
|
||
Here's the same example using sample values instead of placeholders: | ||
|
||
```sh | ||
``` | ||
|
||
#### Using slsa-verifier | ||
|
||
Run the `slsa-verifier verify-artifact ...` command: | ||
|
||
```sh | ||
``` | ||
|
||
Here's the same example using sample values instead of placeholders: | ||
|
||
```sh | ||
``` |
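Review bot: seven of the fenced `sh` blocks in this hunk are empty (the cosign blocks in both the minimal and the complete example, all three "same example using sample values" blocks, and the slsa-verifier block of the complete example), so the only runnable command the page ships is the minimal `slsa-verifier verify-artifact` call; each empty fence should carry the command its lead sentence promises before this merges. Related to that, the complete example never shows how the `<workflow name>` and `<workflow trigger>` annotations from the table are handed to either tool; for cosign these correspond to `--certificate-github-workflow-name` and `--certificate-github-workflow-trigger`, and a keyless `cosign verify-attestation` also needs `--certificate-identity` and `--certificate-oidc-issuer` (or their regexp variants) so that the attestation is bound to Kong's GitHub Actions identity, which is the property the paragraph about GitHub's OIDC identity relies on. In the one populated block, `--source-uri 'github.com/Kong/<repo>'` pins the repository but not the release, so the complete example is the natural place to add `--source-tag` for the version being verified. Smaller fixes: "Verified SLASA provenance" should read "Verified SLSA provenance" to match the output `PASSED: Verified SLSA provenance` shown under it; "used to verify an binary artifacts" should be "used to verify binary artifacts"; "Github workflow trigger name" should use the "GitHub" spelling used elsewhere in the file; and the `{:.important .no-icon}` callout needs a blank line before `### Minimal example` so the note and the heading render as separate blocks.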