-
Notifications
You must be signed in to change notification settings - Fork 109
feat(event-gateway): add image signature and attestation verification guide #5645
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
lena-larionova
merged 7 commits into
main
from
docs/event-gateway-verify-image-signatures
Jul 2, 2026
Merged
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
6e1f777
feat(event-gateway): add image signature and attestation verification…
lahabana cf8c55f
reivew
lahabana 1cf75b2
fix vale
lahabana 591bf49
Potential fix for pull request finding
lahabana 34b18a9
Merge branch 'main' into docs/event-gateway-verify-image-signatures
lahabana 5e57724
Merge branch 'main' into docs/event-gateway-verify-image-signatures
lahabana 84fa279
Minor edits + set minimum version
lena-larionova File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
197 changes: 197 additions & 0 deletions
197
app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,197 @@ | ||
| --- | ||
| title: Verify {{site.event_gateway}} image signatures and attestations | ||
| content_type: how_to | ||
|
|
||
| permalink: /event-gateway/verify-image-signatures-and-attestations/ | ||
|
|
||
| description: "Use Cosign to verify the signature of the {{site.event_gateway}} container image and to inspect the attestations attached to it, including the SBOM and vulnerability scans." | ||
|
|
||
| products: | ||
| - event-gateway | ||
|
|
||
| works_on: | ||
| - konnect | ||
|
|
||
| min_version: | ||
| event-gateway: '1.1.1' | ||
| tools: [] | ||
|
|
||
| breadcrumbs: | ||
| - /event-gateway/ | ||
|
|
||
| tags: | ||
| - event-gateway | ||
| - docker | ||
| - security | ||
|
|
||
|
lahabana marked this conversation as resolved.
|
||
| related_resources: | ||
| - text: "Upgrading {{site.event_gateway_short}}" | ||
| url: /event-gateway/upgrade/ | ||
| - text: "{{site.event_gateway_short}} breaking changes and known issues" | ||
| url: /event-gateway/breaking-changes/ | ||
| - text: "{{site.event_gateway_short}} known limitations" | ||
| url: /event-gateway/known-limitations/ | ||
| - text: "{{site.event_gateway_short}} version support policy" | ||
| url: /event-gateway/version-support-policy/ | ||
| - text: "{{site.event_gateway_short}} changelog" | ||
| url: /event-gateway/changelog/ | ||
|
|
||
| prereqs: | ||
| skip_product: true | ||
| inline: | ||
| - title: Cosign | ||
| position: before | ||
| icon_url: /assets/icons/cosign.svg | ||
| content: | | ||
| {{site.event_gateway}} container images and their attestations are signed using [Cosign](https://github.com/sigstore/cosign). | ||
|
|
||
| Install [Cosign](https://docs.sigstore.dev/cosign/system_config/installation/) **2.4.0 or later** by following the installation instructions for your system. {{site.event_gateway_short}} signatures use the newer Sigstore bundle format (`--new-bundle-format`), which earlier Cosign versions can't verify. Check your version with `cosign version`. | ||
|
|
||
| Unlike some other Kong products, {{site.event_gateway_short}} attestations and signatures are attached directly to the image, so you don't need to set `COSIGN_REPOSITORY`. | ||
| - title: regctl | ||
| position: before | ||
| include_content: prereqs/regctl | ||
| icon_url: /assets/icons/code.svg | ||
| - title: jq | ||
| position: before | ||
| content: | | ||
| You'll use [`jq`](https://jqlang.org/download/) to parse the JSON attestations that Cosign downloads. | ||
|
|
||
| tldr: | ||
| q: How do I verify the {{site.event_gateway}} container image and read its SBOM? | ||
| a: | | ||
| {{site.event_gateway}} images are published to `kong/kong-event-gateway` on Docker Hub and signed with [Cosign](https://github.com/sigstore/cosign) using GitHub's OIDC identity. | ||
|
|
||
| List every supply chain artifact attached to an image with `cosign tree kong/kong-event-gateway:VERSION`, verify the image signature with `cosign verify`, and verify or extract individual attestations (SBOM, vulnerability scans) with `cosign verify-attestation`. | ||
|
|
||
| automated_tests: false | ||
| --- | ||
|
|
||
| {% assign egw_release = site.data.products["event-gateway"].releases | where: "latest", true | first %} | ||
|
|
||
| {{site.event_gateway}} container images are published to [`kong/kong-event-gateway`](https://hub.docker.com/r/kong/kong-event-gateway) on Docker Hub. | ||
| Each image is signed with [Cosign](https://github.com/sigstore/cosign) using GitHub's OIDC identity, and a set of attestations (SBOM, vulnerability scans, and more) is attached to it. | ||
|
|
||
| {:.warning} | ||
| > Image signatures and attestations are only available from {{site.event_gateway_short}} **1.1.1** onwards. Earlier releases have no supply chain artifacts attached, so the commands on this page won't return anything for them. | ||
|
lahabana marked this conversation as resolved.
|
||
|
|
||
| {:.info} | ||
| > The examples below use `kong/kong-event-gateway:{{ egw_release.version }}`. Replace the version with the {{site.event_gateway_short}} release you want to verify. | ||
| > The signing identity (`...@refs/tags/v{{ egw_release.version }}`) must match the exact release tag of the image you're verifying, so keep the version consistent between the image and the `--certificate-identity` flag. | ||
|
|
||
| ## List the artifacts attached to an image | ||
|
|
||
| Use `cosign tree` to see every signature and attestation attached to an image: | ||
|
|
||
| ```sh | ||
| cosign tree kong/kong-event-gateway:{{ egw_release.version }} | ||
| ``` | ||
|
|
||
| The output lists the supply chain artifacts (signatures and attestations) that are stored alongside the image in the registry. | ||
|
|
||
| ## Verify the image signature | ||
|
|
||
| 1. Read the manifest digest for the image with `regctl` and store it in a variable: | ||
|
|
||
| ```sh | ||
| export IMAGE_DIGEST=$(regctl manifest digest kong/kong-event-gateway:{{ egw_release.version }}) | ||
| echo $IMAGE_DIGEST | ||
| ``` | ||
|
lahabana marked this conversation as resolved.
|
||
|
|
||
| This captures the image's SHA-256 digest so you can reuse it in the commands below, and prints it: | ||
|
|
||
| ```sh | ||
| sha256:... | ||
| ``` | ||
| {:.no-copy-code} | ||
|
|
||
| Pinning to a digest guarantees you verify exactly the image you're going to run, even if the tag is later moved to a different image. | ||
|
|
||
| 1. Verify the signature with `cosign verify`: | ||
|
|
||
| ```sh | ||
| cosign verify \ | ||
| --new-bundle-format=true \ | ||
| -a repo="kong-gateway/event-gateway" \ | ||
| -a workflow="CI" \ | ||
| --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ | ||
| --certificate-identity="https://github.com/kong-gateway/event-gateway/.github/workflows/ci.yaml@refs/tags/v{{ egw_release.version }}" \ | ||
| kong/kong-event-gateway@${IMAGE_DIGEST} | ||
| ``` | ||
|
|
||
| If verification succeeds, the response contains a summary of the checks that were performed: | ||
|
|
||
| ``` | ||
| Verification for index.docker.io/kong/kong-event-gateway@sha256:... -- | ||
| The following checks were performed on each of these signatures: | ||
| - The specified annotations were verified. | ||
| - The cosign claims were validated | ||
| - Existence of the claims in the transparency log was verified offline | ||
| - The code-signing certificate was verified using trusted certificate authority certificates | ||
| ``` | ||
| {:.no-copy-code} | ||
|
|
||
| ## Verify and inspect attestations | ||
|
|
||
| {{site.event_gateway}} images carry several signed attestations. The most commonly used predicate types are: | ||
|
|
||
| {% table %} | ||
| columns: | ||
| - title: Attestation | ||
| key: attestation | ||
| - title: Predicate type | ||
| key: predicate | ||
| - title: "`--type` value" | ||
| key: type | ||
| rows: | ||
| - attestation: SPDX SBOM | ||
| predicate: "`https://spdx.dev/Document`" | ||
| type: "`spdxjson`" | ||
| - attestation: CycloneDX SBOM | ||
| predicate: "`https://cyclonedx.org/bom`" | ||
| type: "`cyclonedx`" | ||
| - attestation: Vulnerability scan (SARIF) | ||
| predicate: "`https://cosign.sigstore.dev/sarif/vuln/...`" | ||
| type: "`vuln`" | ||
| - attestation: CIS Docker benchmark | ||
| predicate: "`https://cisecurity.org/docker/...`" | ||
| type: "_(use the full URL)_" | ||
| {% endtable %} | ||
|
|
||
| {:.info} | ||
| > The exact set of attestations can change between releases. Use [`cosign tree`](#list-the-artifacts-attached-to-an-image) to see the authoritative list for the image you're verifying. | ||
|
|
||
| To verify an attestation's signature and print its contents, use `cosign verify-attestation` with the matching `--type`. For example, to verify the SPDX SBOM, run: | ||
|
|
||
| ```sh | ||
| cosign verify-attestation \ | ||
| --type="spdxjson" \ | ||
| --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ | ||
| --certificate-identity="https://github.com/kong-gateway/event-gateway/.github/workflows/ci.yaml@refs/tags/v{{ egw_release.version }}" \ | ||
| kong/kong-event-gateway@${IMAGE_DIGEST} | ||
| ``` | ||
|
|
||
| For predicate types that don't have a built-in alias, pass the full predicate type URL to `--type` instead. For example: `--type="https://cisecurity.org/docker/amd64"`. | ||
|
|
||
| ## Extract the SBOM | ||
|
|
||
| To save the SPDX SBOM to a file, download the attestations and filter for the SBOM predicate type with `jq`: | ||
|
|
||
| ```sh | ||
| cosign download attestation kong/kong-event-gateway@${IMAGE_DIGEST} \ | ||
| | jq -r 'select((.dsseEnvelope.payload // .payload | @base64d | fromjson | .predicateType) == "https://spdx.dev/Document") | (.dsseEnvelope.payload // .payload) | @base64d | fromjson | .predicate' \ | ||
| > sbom.spdx.json | ||
| ``` | ||
|
|
||
| This writes the SBOM document to `sbom.spdx.json`, which you can then feed into your SBOM tooling. To extract the CycloneDX SBOM instead, replace the predicate type with `https://cyclonedx.org/bom`. | ||
|
lahabana marked this conversation as resolved.
|
||
|
|
||
| ## Validate the extracted SBOM | ||
|
|
||
| Confirm that the extracted file is valid JSON and contains the expected SPDX fields: | ||
|
|
||
| ```sh | ||
| jq -e '.spdxVersion and (.packages | length > 0)' sbom.spdx.json \ | ||
| && echo "Valid SPDX SBOM with $(jq '.packages | length' sbom.spdx.json) packages" | ||
| ``` | ||
|
|
||
| If the file is a well-formed SPDX SBOM, the command prints `true` followed by the package count. If `jq` reports a parse error or the expression evaluates to `false`, the download or filter step didn't produce a valid document. Re-check the predicate type and confirm the previous commands completed successfully. | ||
|
lahabana marked this conversation as resolved.
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.