feat(slsa/provenance)[SEC-1079]: mesh binary artifact provenance verification
saisatishkarra committed Apr 14, 2024
1 parent e3dd762 commit a85c321
Showing 1 changed file with 110 additions and 0 deletions.
110 changes: 110 additions & 0 deletions app/_src/mesh/features/provenance-verification-binaries.md
@@ -0,0 +1,110 @@
---
title: Verify Build Provenance for Kong Mesh Binaries
badge: enterprise
---

Starting with {{site.mesh_product_name}} 2.7.0, Kong Mesh produces build provenance for binary artifacts, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.

This guide provides steps to verify build provenance for signed {{site.mesh_product_name}} binary artifacts in two different ways:

* A minimal example, used to verify an binary artifacts without leveraging any annotations
* A complete example, leveraging optional annotations for increased trust

For the minimal example, you only need a compressed binary file and provenance file.

For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:

| Shorthand | Description | Example Value |
|---|---|---|
| `<repo>` | GitHub repository | `kong-mesh` |
| `<workflow name>` | GitHub workflow name | `build-test-distribute` |
| `<workflow trigger>` | Github workflow trigger name | `push` |

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.

## Examples

### Prerequisites

For both examples, you need to:

1. Ensure `cosign` / `slsa-verifier` is installed.

2. Download the necessary binary artifacts.

3. Download the provenance file `kong-mesh.intoto.jsonl` for binary artifacts.

{:.important .no-icon}
> The GitHub owner is case-sensitive (`Kong/kong-mesh` vs `kong/kong-mesh`).
### Minimal example

#### Using Cosign

Run the `cosign verify-attestation ...` command:

```sh
```

Here's the same example using sample values instead of placeholders:

```sh
```

The command will exit with `0` when the `cosign` verification is completed:

```sh
...
echo $?
0
```

#### Using slsa-verifier

Run the `slsa-verifier verify-artifact...` command:

```sh
slsa-verifier verify-artifact \
--print-provenance \
--provenance-path '<path to provenance file>' \
--source-uri 'github.com/Kong/<repo>' \
<path to binary artifact>
```

Here's the same example using sample values instead of placeholders:

```sh
```

The command will print "Verified SLASA provenance" if successful:

```sh
...
PASSED: Verified SLSA provenance
```

### Complete example

#### Using Cosign

Run the `cosign verify-attestation ...` command:

```sh
```

Here's the same example using sample values instead of placeholders:

```sh
```

#### Using slsa-verifier

Run the `slsa-verifier verify-artifact ...` command:

```sh
```

Here's the same example using sample values instead of placeholders:

```sh
```
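Review bot: most of the fenced blocks in this hunk are empty, so the page ships without the commands it promises: both `cosign verify-attestation` blocks in the minimal example, every "same example using sample values" block, and all four blocks under "Complete example" contain nothing between the fences. The only runnable command is the single `slsa-verifier verify-artifact` block, and it never consumes the `<workflow name>` and `<workflow trigger>` values the table introduces for the complete example, nor does it pin the expected source version (slsa-verifier accepts `--source-tag` for that), so the table and the "increased trust" claim have no command backing them. Please fill in each block before merging, or drop the sections that have no content yet. Smaller points: the opening sentence mixes `{{site.mesh_product_name}}` with the literal "Kong Mesh"; "an binary artifacts" should read "a binary artifact"; the prose says "Verified SLASA provenance" while the output block says "SLSA"; "Github workflow trigger name" should be "GitHub"; and the `{:.important .no-icon}` callout runs straight into the `### Minimal example` heading with no blank line, which Kramdown may not render as a separate block.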
