- Organizations
- Insomnia Subscriptions
- Insomnia Subscription Management
- Scratch Pad Tutorial
- Unit Testing
- Stress Testing
- AI Runner
- Insomnia Pre-request Script Overview
- Insomnia After-Response Script Overview
- Secret Environment Variables
- External Vault Integration (Enterprise feature)
- Insomnia API Mocking Overview
- Enterprise Login Report

Verify Signatures for Signed Inso CLI Images

Inso CLI Docker container images are now signed using cosign with signatures published to a Docker Hub repository.

This guide provides steps to verify signatures for signed Inso CLI Docker container images in two different ways:

A minimal example, used to verify an image without leveraging any annotations
A complete example, leveraging optional annotations for increased trust

For the minimal example, you only need Docker image details, a GitHub repo name, and a GitHub workflow filename.

For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:

Shorthand	Description	Example Value
`<repo>`	GitHub repository	`insomnia`
`<workflow filename>`	GitHub workflow filename	`release-publish.yml`
`<workflow name>`	GitHub workflow name	`Release Publish`

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to sign images, which is why many of these details are GitHub-related.

Examples

Prerequisites

For both examples, you need to:

Ensure cosign is installed.
Collect the necessary image details.
Set the COSIGN_REPOSITORY environment variable:
```
export COSIGN_REPOSITORY=kong/notary
```

Parse the image manifest digest

IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0)

GitHub owner is case-sensitive (Kong/insomnia vs kong/insomnia).

Minimal example

Run the cosign verify ... command:

cosign verify \
   kong/<image>:<tag>@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>'

Here’s the same example using sample values instead of placeholders:

cosign verify \
   kong/inso:9.3.0@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml'

Complete example

cosign verify \
   <image>:<tag>@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>' \
   -a repo='Kong/<repo>' \
   -a workflow='<workflow name>'

Here’s the same example using sample values instead of placeholders:

cosign verify \
   kong/inso:9.3.0@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml' \
   -a repo='Kong/insomnia' \
   -a workflow='Release Publish'

Edit this page

Report an issue