Kong produces build provenance for Inso CLI binary artifacts, which can be verified using cosign / slsa-verifier.
This guide provides steps to verify build provenance for signed Inso CLI binary artifacts in two different ways:
- Minimal example: you only need the compressed binary file(s) and the provenance file.
- Complete example: you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:
Shorthand | Description | Example Value |
---|---|---|
`<repo>` | GitHub repository | insomnia |
`<version>` | Artifact version to download | 9.3.0-beta.4 |
`<binary-files>` | Single or space-separated Inso binary files | inso-*-9.3.0-beta.4.{pkg,tar.xz,zip} |
`<provenance-file>` | Binary provenance file | inso-provenance.intoto.jsonl |
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.
For both examples, you need to:
- Ensure slsa-verifier is installed.
- Download the Inso binaries with file pattern inso-*.{pkg,tar.xz,zip}.
- Download the Inso binary provenance attestation with pattern inso-provenance.intoto.jsonl.
- Note that the GitHub owner is case-sensitive (Kong/insomnia vs kong/insomnia).
Minimal example: run the slsa-verifier verify-artifact command:

```shell
slsa-verifier verify-artifact \
  --print-provenance \
  --provenance-path '<provenance-file>' \
  --source-uri 'github.com/Kong/<repo>' \
  <binary-files>
```
Here’s the same example using sample values instead of placeholders:

```shell
slsa-verifier verify-artifact \
  --print-provenance \
  --provenance-path 'inso-provenance.intoto.jsonl' \
  --source-uri 'github.com/Kong/insomnia' \
  inso-*-9.3.0-beta.4.{zip,tar.xz,pkg}
```
The command prints “Verified SLSA provenance” if successful:

```
...
PASSED: Verified SLSA provenance
```
Complete example: run the slsa-verifier verify-artifact command, adding the optional annotations you want to verify (here, the version workflow input):

```shell
slsa-verifier verify-artifact \
  --print-provenance \
  --provenance-path '<provenance-file>' \
  --source-uri 'github.com/Kong/<repo>' \
  --build-workflow-input 'version=<version>' \
  <binary-files>
```
Here’s the same example using sample values instead of placeholders:

```shell
slsa-verifier verify-artifact \
  --print-provenance \
  --provenance-path 'inso-provenance.intoto.jsonl' \
  --source-uri 'github.com/Kong/insomnia' \
  --build-workflow-input 'version=9.3.0-beta.4' \
  inso-*-9.3.0-beta.4.{zip,tar.xz,pkg}
```
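To make the two verification runs above less of a black box, here is an added example (not Kong's or slsa-verifier's code) that decodes the DSSE envelope inside a `.intoto.jsonl` file and shows what the `PASSED` line is binding: the provenance lists each artifact as a subject with a sha256 digest, and a downloaded file only counts as verified if its digest matches one of those subjects. It also shows why the `--source-uri` owner is case-sensitive. The sample envelope is constructed here with a placeholder signature and the SLSA v0.2 predicate layout (`predicate.invocation.configSource.uri`) is an assumption about the generator; the script does not verify the signature or the builder identity, which is exactly the part you still rely on slsa-verifier for.

```python
"""Subject/digest bookkeeping for an in-toto DSSE provenance file.

Added example, not part of the Kong docs or the slsa-verifier project.
slsa-verifier performs the signature, builder-identity and source checks;
this script only demonstrates the subject binding those checks protect.
"""
import base64
import hashlib
import json
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts (names follow the inso-*-<version>.<ext> pattern).
SAMPLE_FILES = {
    "inso-linux-9.3.0-beta.4.tar.xz": b"constructed linux tarball bytes",
    "inso-macos-9.3.0-beta.4.pkg": b"constructed macos pkg bytes",
}

# Assumed source URI shape for a GitHub-built release; the tag name is invented.
SAMPLE_SOURCE = "git+https://github.com/Kong/insomnia@refs/tags/constructed-tag"


def build_sample_envelope(files=SAMPLE_FILES, source=SAMPLE_SOURCE) -> str:
    """Build one DSSE envelope line shaped like a SLSA v0.2 provenance statement.

    Constructed for the example: the signature is a placeholder and is never
    checked here, which is why slsa-verifier remains the real verification step.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [
            {"name": name, "digest": {"sha256": sha256_hex(data)}}
            for name, data in files.items()
        ],
        "predicate": {"invocation": {"configSource": {"uri": source}}},
    }
    payload = json.dumps(statement).encode()
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
    }
    return json.dumps(envelope)


def load_statement(jsonl_text: str) -> dict:
    """Decode the first DSSE envelope of a .intoto.jsonl file into its statement."""
    envelope = json.loads(jsonl_text.splitlines()[0])
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_subjects(statement: dict, artifacts: dict) -> dict:
    """Compare local artifacts (name -> bytes) against the provenance subjects.

    Returns name -> 'match' | 'mismatch' | 'not-in-provenance'. Subjects that the
    provenance lists but that were not supplied locally are reported as 'missing',
    so a partial download is visible rather than silently accepted.
    """
    expected = {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}
    result = {}
    for name, data in artifacts.items():
        if name not in expected:
            result[name] = "not-in-provenance"
        elif sha256_hex(data) == expected[name]:
            result[name] = "match"
        else:
            result[name] = "mismatch"
    for name in expected:
        result.setdefault(name, "missing")
    return result


def source_matches(statement: dict, source_uri: str) -> bool:
    """Case-sensitive comparison of the claimed source repo with --source-uri.

    Assumes the v0.2 field location predicate.invocation.configSource.uri.
    """
    uri = statement["predicate"]["invocation"]["configSource"]["uri"]
    return uri.startswith(f"git+https://{source_uri}@")


def check_local_files(provenance_path: Path, binaries: list) -> dict:
    """Run check_subjects against real files on disk, keyed by file name."""
    statement = load_statement(provenance_path.read_text())
    artifacts = {Path(p).name: Path(p).read_bytes() for p in binaries}
    return check_subjects(statement, artifacts)


if __name__ == "__main__":
    st = load_statement(build_sample_envelope())
    print("intact download:", check_subjects(st, SAMPLE_FILES))
    swapped = dict(SAMPLE_FILES)
    swapped["inso-linux-9.3.0-beta.4.tar.xz"] = b"swapped binary"
    print("swapped binary:", check_subjects(st, swapped))
    print("Kong/insomnia:", source_matches(st, "github.com/Kong/insomnia"))
    print("kong/insomnia:", source_matches(st, "github.com/kong/insomnia"))
```

On a real download you would call `check_local_files(Path("inso-provenance.intoto.jsonl"), ["inso-linux-9.3.0-beta.4.tar.xz", ...])` after slsa-verifier has already returned `PASSED`; any `mismatch`, `missing` or `not-in-provenance` entry means a file on disk is not the one the attested build produced.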