Verifying Build Provenance for Signed Inso CLI Images

Kong produces build provenance for Inso CLI Docker container images. It can be verified with cosign or slsa-verifier against attestations published to a Docker Hub repository.

This guide provides steps to verify build provenance for signed Inso CLI Docker container images in two different ways:

  • A minimal example, used to verify an image without leveraging any annotations
  • A complete example, leveraging optional annotations for increased trust

For the minimal example, you only need a Docker manifest digest and a GitHub repo name.

The Docker manifest digest is what build provenance verification is performed against. It can differ from the platform-specific image digest of a particular distribution, so make sure you resolve the manifest digest rather than the digest of a single platform's image.

For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:

Shorthand           Description                   Example value
<repo>              GitHub repository             insomnia
<workflow name>     GitHub workflow name          Release Publish
<workflow trigger>  GitHub workflow trigger name  workflow_dispatch
<version>           version                       9.3.0

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for container images, which is why many of these details are GitHub-related.

Examples

Prerequisites

For both examples, you need to:

  1. Ensure cosign / slsa-verifier is installed.

  2. Ensure regctl is installed.

  3. Collect the necessary image details.

  4. Obtain the <manifest_digest> for the image with regctl and store it in IMAGE_DIGEST:

    IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0)
    
  5. Set the COSIGN_REPOSITORY environment variable:

    export COSIGN_REPOSITORY=kong/notary
    

The GitHub owner in these values is case-sensitive (Kong/insomnia, not kong/insomnia); a mismatch makes verification fail even when the attestation is valid.

Minimal example

Using Cosign

Run the cosign verify-attestation ... command:

cosign verify-attestation \
   <image>:<tag>@${IMAGE_DIGEST} \
   --type='slsaprovenance' \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'

Here’s the same example using sample values instead of placeholders:

cosign verify-attestation \
   kong/inso:9.3.0@${IMAGE_DIGEST} \
   --type='slsaprovenance' \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'

The command exits with status 0 when the cosign verification succeeds; any other exit status means the attestation did not verify and the image should not be trusted:

...
echo $?
0

Using slsa-verifier

Run the slsa-verifier verify-image ... command:

slsa-verifier verify-image \
   <image>:<tag>@${IMAGE_DIGEST} \
   --print-provenance \
   --provenance-repository kong/notary \
   --source-uri 'github.com/Kong/<repo>'

Here’s the same example using sample values instead of placeholders:

slsa-verifier verify-image \
   kong/inso:9.3.0@${IMAGE_DIGEST} \
   --print-provenance \
   --provenance-repository kong/notary \
   --source-uri 'github.com/Kong/insomnia'

The command prints “PASSED: Verified SLSA provenance” if successful:

...
PASSED: Verified SLSA provenance

Complete example

Using Cosign

Run the cosign verify-attestation ... command:

cosign verify-attestation \
   <image>:<tag>@${IMAGE_DIGEST} \
   --type='slsaprovenance' \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
   --certificate-github-workflow-repository='Kong/<repo>' \
   --certificate-github-workflow-name='<workflow name>' \
   --certificate-github-workflow-trigger='<workflow trigger>'

Here’s the same example using sample values instead of placeholders:

cosign verify-attestation \
   kong/inso:9.3.0@${IMAGE_DIGEST} \
   --type='slsaprovenance' \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
   --certificate-github-workflow-repository='Kong/insomnia' \
   --certificate-github-workflow-name='Release Publish' \
   --certificate-github-workflow-trigger='workflow_dispatch'

Using slsa-verifier

Run the slsa-verifier verify-image ... command:

slsa-verifier verify-image \
   <image>:<tag>@${IMAGE_DIGEST} \
   --print-provenance \
   --provenance-repository kong/notary \
   --build-workflow-input 'version=9.3.0' \
   --source-uri 'github.com/Kong/<repo>'

Here’s the same example using sample values instead of placeholders:

slsa-verifier verify-image \
   kong/inso:9.3.0@${IMAGE_DIGEST} \
   --print-provenance \
   --provenance-repository kong/notary \
   --build-workflow-input 'version=9.3.0' \
   --source-uri 'github.com/Kong/insomnia'
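The two complete-example commands above are usually run together, with the digest resolved first. The wrapper below is an added example, not Kong's own tooling: it resolves the manifest digest with regctl, refuses to continue unless the result is a well-formed sha256 digest (so a failed lookup can never fall through to a tag-only reference), and then runs both the cosign and the slsa-verifier checks with this page's sample annotation values as defaults. It assumes cosign, slsa-verifier and regctl are on PATH.

```shell
#!/usr/bin/env bash
# Added example (not part of the Kong/Insomnia documentation or tooling).
# Usage: ./verify_inso_image.sh <image>:<tag> <version> [repo] [workflow name] [trigger]
#   e.g. ./verify_inso_image.sh kong/inso:9.3.0 9.3.0
set -eu

# Identity of the SLSA container generator workflow, as given on this page.
GENERATOR_RE='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
OIDC_ISSUER='https://token.actions.githubusercontent.com'
PROVENANCE_REPO='kong/notary'

# Accept only "sha256:" followed by exactly 64 lowercase hex characters.
# Anything else (empty output, an error message, a tag) is rejected so the
# verification step is never run against an unpinned reference.
valid_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# The manifest (index) digest, not a platform-specific image digest.
resolve_digest() {
  regctl manifest digest "$1"
}

verify_image() {
  ref="$1"; version="$2"
  repo="${3:-Kong/insomnia}"            # GitHub owner is case-sensitive
  workflow="${4:-Release Publish}"
  trigger="${5:-workflow_dispatch}"
  digest="$(resolve_digest "$ref" || true)"
  if ! valid_digest "$digest"; then
    echo "refusing to verify $ref: no valid manifest digest ('$digest')" >&2
    return 1
  fi
  export COSIGN_REPOSITORY="$PROVENANCE_REPO"
  cosign verify-attestation "${ref}@${digest}" \
    --type='slsaprovenance' \
    --certificate-oidc-issuer="$OIDC_ISSUER" \
    --certificate-identity-regexp="$GENERATOR_RE" \
    --certificate-github-workflow-repository="$repo" \
    --certificate-github-workflow-name="$workflow" \
    --certificate-github-workflow-trigger="$trigger" >/dev/null
  slsa-verifier verify-image "${ref}@${digest}" \
    --provenance-repository "$PROVENANCE_REPO" \
    --build-workflow-input "version=${version}" \
    --source-uri "github.com/${repo}"
  echo "OK: ${ref}@${digest} verified by cosign and slsa-verifier"
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ "$#" -eq 0 ] || verify_image "$@"
```

Because `set -e` is active, a failure in either verifier aborts the script with a non-zero status, which is what a CI job should key on rather than on the printed text.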
© Kong Inc. 2021