Add support for chart signature #650

Merged
merged 1 commit into from
Jan 7, 2025

Contributor

@brennoo brennoo commented Jan 6, 2025

Description

This PR enables provenance and integrity for our helm-charts; later we can add annotations such as:

  artifacthub.io/signKey: |
    fingerprint: C4C2AA7635ADC0282C37D1CA43FFC704CB4585A7
    url: https://raw.githubusercontent.com/deliveryhero/helm-charts/master/public_key.asc    

The integrity can also be checked using helm, with helm verify and/or helm install --verify.

As we are moving to an OCI-based repo, it also leverages the helm sigstore plugin, publishing the provenance to Rekor and enabling helm sigstore verify checks.

Checklist

  • Title of the PR starts with chart name (e.g. [stable/mychartname])
  • I have read the contribution instructions, bumped chart version and regenerated the docs
  • Github actions are passing

Signed-off-by: Brenno Oliveira <[email protected]>
@brennoo brennoo requested a review from a team as a code owner January 6, 2025 17:10
@@ -51,6 +63,14 @@ jobs:
echo "$f"
helm push $f oci://${REGISTRY,,}
done
- name: Upload the Chart to Rekor
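
Review bot: the "Upload the Chart to Rekor" step is placed after the loop that runs helm push $f oci://${REGISTRY,,}, so if the Rekor upload fails the chart has already been published to the registry without a transparency log entry. Consider running the upload before the push, or making sure a failure in this step fails the release, so every pushed chart has a matching entry. Also, $f is quoted in echo "$f" but not on the helm push line; quoting it there keeps chart paths containing spaces or glob characters from being split.
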
Member

What is Rekor?

Contributor Author

It is an immutable transparency log; we publish the chart signatures there so everyone can verify.

Member

@max-rocket-internet max-rocket-internet left a comment

Like it!

@brennoo brennoo merged commit 400b348 into master Jan 7, 2025
6 of 7 checks passed
@brennoo brennoo deleted the add_chart_signature branch January 7, 2025 10:33