[Feature]: Sign Helm Charts #61
Labels
Comments
|
We will need a maintainer to add the following environment variables for this task: They can make the key themselves or I can send it to them to upload as I do not have access, and then I can make the PR |
|
I have no access to do it @thschue you own the repo on artifact hub |
|
it is actually the Github repo secrets. sorry I wasn't clear. Then we only need to add the annotations on the chart.yaml for the public key |
|
Hey @AlexsJones ! I'd like to work on this issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Checklist
Is this feature request related to a problem?
No
Problem Description
Helm Provenance and Integrity
Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, and well-respected package managers, Helm can generate and verify signature files.
Integrity is established by comparing a chart to a provenance record. Provenance records are stored in provenance files, which are stored alongside a packaged chart. For example, if a chart is named myapp-1.2.3.tgz, its provenance file will be myapp-1.2.3.tgz.prov.
Provenance files are generated at packaging time (helm package --sign ...), and can be checked by multiple commands, notably helm install --verify.
Right now there in ArtifactHub there it is showing as the helm chart is not signed. This could stop some people from adopting it. https://artifacthub.io/packages/helm/k8sgpt/k8sgpt-operator
It is easy to do so I propose that we do it. We can add this capability on to the helm-chart-releaser that we already use.
Solution Description
Benefits
People will trust the charts more and enterprises with proper security processes and practices will be able to tick their compliance boxes and adopt it.
Potential Drawbacks
No Drawbacks
Additional Information
No response
The text was updated successfully, but these errors were encountered: