
Make it possible to verify released charts integrity #982

Open
czeslavo opened this issue Jan 11, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@czeslavo (Contributor)

Description

Currently, when we release a chart we do not publish a provenance file alongside it, which is required to ensure the chart's integrity (e.g. when calling helm install --verify kong/kong). To read more about the topic, check out the Helm docs on it: https://helm.sh/docs/topics/provenance/.

Without the provenance file distributed alongside the chart tgz, it fails like so:

```
helm pull --verify kong/kong
Error: failed to fetch provenance "https://github.com/Kong/charts/releases/download/kong-2.33.2/kong-2.33.2.tgz.prov"
```

Proposed solution

An example of how to configure the helm/chart-releaser-action GitHub action to sign the chart:
inaccel/helm@71b1408

That would require generating a GPG key, storing it and its passphrase in the repository secrets, and using it as it's done in the example.

Acceptance criteria

  • When a user executes helm pull --verify kong/kong command, it succeeds.
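To make concrete what the missing .prov file carries and what `helm pull --verify` checks against it, here is an added example (not code from this issue, the Kong charts repo, or Helm itself) that builds a constructed, in-memory chart archive, writes a provenance file in Helm's clearsigned layout (Chart.yaml, a YAML `...` end marker, then a `files:` map of sha256 digests), and performs the digest half of the verification. The PGP signature block is a labelled placeholder; checking a real signature against the publisher's keyring is the other half that gpg/helm does and is deliberately not reimplemented here.

```python
import hashlib
import io
import re
import tarfile

def build_sample_chart_tgz(name="kong", version="2.33.2"):
    """Constructed sample chart archive, built in memory (not a real Kong release)."""
    chart_yaml = f"apiVersion: v2\nname: {name}\nversion: {version}\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}/Chart.yaml")
        info.size = len(chart_yaml)
        tar.addfile(info, io.BytesIO(chart_yaml))
    return buf.getvalue()

def make_provenance(chart_yaml_text, tgz_name, tgz_bytes, signature="<signature placeholder>"):
    """Mimic the layout of a Helm .prov file: a PGP clearsigned message whose body is
    Chart.yaml, a YAML end marker, and a `files:` map of sha256 digests.
    The signature block is a placeholder, not a real GPG signature."""
    digest = hashlib.sha256(tgz_bytes).hexdigest()
    body = f"{chart_yaml_text}\n...\nfiles:\n  {tgz_name}: sha256:{digest}\n"
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
            f"{body}-----BEGIN PGP SIGNATURE-----\n{signature}\n-----END PGP SIGNATURE-----\n")

# One entry of the `files:` map: "  <archive name>: sha256:<64 hex chars>"
FILE_LINE = re.compile(r"^\s+(\S+):\s*sha256:([0-9a-f]{64})\s*$")

def check_integrity(prov_text, tgz_name, tgz_bytes):
    """The digest half of `helm verify`: does the downloaded archive match the sha256
    recorded in the provenance? Signature verification against the publisher's
    keyring (the other half, which establishes who signed) is left to gpg/helm."""
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in prov_text:
        return False  # not a clearsigned file; helm would reject it
    body = prov_text.split("-----BEGIN PGP SIGNATURE-----", 1)[0]
    body = body.split("\n\n", 1)[1]  # drop the armor header ("Hash: SHA512")
    if "\nfiles:\n" not in body:
        return False
    expected = {}
    for line in body.split("\nfiles:\n", 1)[1].splitlines():
        m = FILE_LINE.match(line)
        if m:
            expected[m.group(1)] = m.group(2)
    actual = hashlib.sha256(tgz_bytes).hexdigest()
    return expected.get(tgz_name) == actual
```

A tampered or substituted .tgz fails the digest comparison, and an absent or malformed .prov fails outright, which is the situation the error above reports.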
@czeslavo czeslavo added the enhancement New feature or request label Jan 11, 2024