- Organizations
- Insomnia Subscriptions
- Insomnia Subscription Management
- Scratch Pad Tutorial
- Unit Testing
- Stress Testing
- Insomnia Pre-request Script Overview
- Insomnia After-Response Script Overview
- Insomnia API Mocking Overview

Verify Signatures for Signed Inso CLI Images

Inso CLI Docker container images are now signed using cosign with signatures published to a Docker Hub repository.

This guide provides steps to verify signatures for signed Inso CLI Docker container images in two different ways:

A minimal example, used to verify an image without leveraging any annotations
A complete example, leveraging optional annotations for increased trust

For the minimal example, you only need Docker image details, a GitHub repo name, and a GitHub workflow filename.

For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:

Shorthand	Description	Example Value
`<repo>`	Github repository	`insomnia`
`<workflow filename>`	Github workflow filename	`release-publish.yml`
`<workflow name>`	Github workflow name	`Release Publish`

Because Kong uses Github Actions to build and release, Kong also uses Github’s OIDC identity to sign images, which is why many of these details are Github-related.

Examples

Prerequisites

For both examples, you need to:

Ensure cosign is installed.
Collect the necessary image details.
Set the COSIGN_REPOSITORY environment variable:
```
export COSIGN_REPOSITORY=kong/notary
```

Parse the image manifest digest

IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0)

Github owner is case-sensitive (Kong/insomnia vs kong/insomnia).

Minimal example

Run the cosign verify ... command:

cosign verify \
   kong/<image>:<tag>@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>'

Here’s the same example using sample values instead of placeholders:

cosign verify \
   kong/inso:9.3.0@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml'

Complete example

cosign verify \
   <image>:<tag>@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>' \
   -a repo='Kong/<repo>' \
   -a workflow='<workflow name>'

Here’s the same example using sample values instead of placeholders:

cosign verify \
   kong/inso:9.3.0@${IMAGE_DIGEST} \
   --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
   --certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml' \
   -a repo='Kong/insomnia' \
   -a workflow='Release Publish'

Edit this page

Report an issue