Currently, when we release a chart, we do not publish a provenance file alongside it, which is required to ensure the chart integrity (e.g. when calling helm install --verify kong/kong). To read more about the topic, check out the Helm docs on it: https://helm.sh/docs/topics/provenance/.
Without the provenance file distributed alongside the chart tgz, it fails like so:
helm pull --verify kong/kong
Error: failed to fetch provenance “https://github.com/Kong/charts/releases/download/kong-2.33.2/kong-2.33.2.tgz.prov”
Proposed solution
An example of how to configure the helm/chart-releaser-action GitHub action to sign the chart: inaccel/helm@71b1408
That would require generating a GPG key, storing it and its passphrase in the repository secrets, and using it as it's done in the example.
Acceptance criteria
When a user executes the helm pull --verify kong/kong command, it succeeds.
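To show what the provenance file discussed in the issue above ties a chart archive to, here is an added example (not part of the original issue, and not Kong's or Helm's code) that parses the `files:` section of a `.prov` file and compares the recorded SHA-256 with the archive's bytes. It assumes the clearsigned layout described in the Helm provenance docs; the chart name, archive bytes and provenance text are constructed, and the function names are hypothetical. It checks the digest only: the PGP signature over the file must still be verified (as `helm pull --verify` does), since an unsigned digest can be rewritten by whoever alters the archive.

```python
import hashlib
import hmac

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_body(prov_text):
    """Return the clearsigned body: after the armor headers, before the signature."""
    lines = prov_text.splitlines()
    start = lines.index(BEGIN_MSG)
    blank = lines.index("", start)  # armor headers end at the first blank line
    end = lines.index(BEGIN_SIG)
    # Undo OpenPGP dash-escaping ("- " prefix on body lines that start with "-").
    return [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]

def file_digests(prov_text):
    """Parse the indented 'files:' map that follows the chart metadata."""
    body = signed_body(prov_text)
    digests = {}
    for line in body[body.index("files:") + 1:]:
        if not line.startswith(" "):  # end of the indented map
            break
        name, _, value = line.strip().partition(": ")
        digests[name] = value
    return digests

def digest_matches(prov_text, archive_name, archive_bytes):
    """True only if the provenance text lists archive_name with this SHA-256.

    This does NOT verify the PGP signature; that step is still required.
    """
    try:
        expected = file_digests(prov_text).get(archive_name, "")
    except ValueError:  # armor markers or 'files:' section missing
        return False
    actual = "sha256:" + hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample: stand-in archive bytes and a provenance text built to match.
SAMPLE_ARCHIVE = b"constructed stand-in for example-0.1.0.tgz"
SAMPLE_PROV = "\n".join([
    BEGIN_MSG, "Hash: SHA512", "",
    "apiVersion: v2", "name: example", "version: 0.1.0", "", "...",
    "files:",
    "  example-0.1.0.tgz: sha256:" + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(),
    BEGIN_SIG, "", "(constructed placeholder, not a real signature)",
    "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    print(digest_matches(SAMPLE_PROV, "example-0.1.0.tgz", SAMPLE_ARCHIVE))
```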