source-controller

Helm Chart Signature Verification

Open oliverbaehler opened this issue 3 years ago • 3 comments

We would be interested in verifying the signature on a Helm chart with a given keyring, so we can verify that only trusted charts will be installed on our cluster (the Helm client does it like that: https://helm.sh/docs/helm/helm_verify/). Do you think that feature would make sense?

I guess implementation-wise it would look similar to the git signature verification (reference a ConfigMap with GPG keys and enable verify).

oliverbaehler avatar Jan 13 '22 13:01 oliverbaehler

Yes, this is a welcome feature to be added that simply has not gotten priority until now. What should be done as an initial step is that we also download the provenance file while getting the packaged chart, and use this if e.g. a Secret is defined with the keyring in it.

One thing we need to keep in mind is that if this requires changes to the object API, we should take note that Helm is slowly starting to make OCI packages available, and this may have an impact on how we name things to make them generic for both "keyring files" and e.g. cosign.

hiddeco avatar Jan 13 '22 13:01 hiddeco
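The two comments above describe what `helm verify` does and what source-controller would have to replicate: fetch the `.prov` file next to the packaged chart and check it against a keyring. The example below is added here as an illustration and is not code from source-controller, Helm, or either commenter. It implements the two checks Helm's provenance format implies: the `.prov` is an OpenPGP clearsigned message whose signed body is the chart's `Chart.yaml`, a `...` separator, and a `files:` section with the archive's `sha256:`; the signature over that body must validate against the trusted keyring, and the signed digest must match the archive that was actually downloaded. The signature step is delegated to a callable so it can be exercised offline; the supplied `gpg_signature_check` shells out to `gpg --no-default-keyring --keyring <file> --verify` and assumes `gpg` is installed and the keyring is a public keyring file of the kind `helm verify --keyring` takes. The sample chart bytes and provenance text are constructed, and the sample's signature block is a placeholder that a real `gpg` would reject.

```python
"""Verify a packaged Helm chart against its .prov provenance file.

The .prov is an OpenPGP clearsigned message over Chart.yaml + "..." + a "files:"
section with the .tgz sha256. Both the signature (trusted keyring) and the
digest (the archive actually fetched) must check out.
"""
import hashlib
import re
import subprocess
from typing import Callable

SIGNED_MESSAGE = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIGNATURE = "-----BEGIN PGP SIGNATURE-----"


def clearsigned_body(prov_text: str) -> str:
    """Signed text between the armor headers and the signature, dash-unescaped
    (RFC 4880 s7.1 sends "- database" as "- - database", so Chart.yaml lists need it)."""
    lines = prov_text.splitlines()
    if SIGNED_MESSAGE not in lines or BEGIN_SIGNATURE not in lines:
        raise ValueError("not a clearsigned PGP message")
    start, end = lines.index(SIGNED_MESSAGE), lines.index(BEGIN_SIGNATURE)
    i = start + 1
    while i < end and lines[i].strip():      # skip "Hash: SHA512" style headers
        i += 1
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in lines[i + 1:end])


def parse_files_section(body: str) -> dict[str, str]:
    """Parse Helm's "files:" block after the "..." separator. Helm emits exactly
    "  <chart>.tgz: sha256:<hex>"; a line-based parser suffices and rejects the rest."""
    _chart_yaml, sep, tail = body.partition("\n...\n")
    if not sep or not tail.startswith("files:\n"):
        raise ValueError("provenance lacks the '...' separator or files section")
    files: dict[str, str] = {}
    for line in tail.splitlines()[1:]:
        m = re.fullmatch(r"\s+(\S+):\s+(sha256:[0-9a-f]{64})\s*", line)
        if not m:
            raise ValueError(f"unexpected line in files section: {line!r}")
        files[m.group(1)] = m.group(2)
    return files


def sha256_of(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def gpg_signature_check(keyring: str) -> Callable[[str], bool]:
    """Check that trusts only keys in `keyring`. Assumes gpg is on PATH and the
    keyring is a public keyring file such as the one `helm verify --keyring` takes."""
    def check(prov_text: str) -> bool:
        r = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring",
                            keyring, "--verify"], input=prov_text,
                           capture_output=True, text=True)
        return r.returncode == 0
    return check


def verify_chart(chart_name: str, chart_bytes: bytes, prov_text: str,
                 signature_check: Callable[[str], bool]) -> tuple[bool, str]:
    """Run both checks; chart_name is the archive base name, as Helm keys it."""
    # Signature first: nothing parsed from an untrusted .prov may steer the digest check.
    if not signature_check(prov_text):
        return False, "signature not verified by trusted keyring"
    try:
        files = parse_files_section(clearsigned_body(prov_text))
    except ValueError as e:
        return False, str(e)
    expected = files.get(chart_name)
    if expected is None:
        return False, f"{chart_name} not listed in provenance"
    actual = sha256_of(chart_bytes)
    if actual != expected:
        return False, f"digest mismatch: {actual} != {expected}"
    return True, f"verified {chart_name} {actual}"


# Constructed sample: the bytes stand in for a real .tgz and the signature block
# is a placeholder gpg would reject, so callers exercising it inject a stub check.
SAMPLE_CHART = b"constructed stand-in for demo-0.1.0.tgz"
SAMPLE_PROV = f"""{SIGNED_MESSAGE}
Hash: SHA512

apiVersion: v2
name: demo
version: 0.1.0
keywords:
- - database

...
files:
  demo-0.1.0.tgz: {sha256_of(SAMPLE_CHART)}
{BEGIN_SIGNATURE}

placeholder
-----END PGP SIGNATURE-----
"""
```

In real use the call is `verify_chart(path.name, path.read_bytes(), prov_path.read_text(), gpg_signature_check("pubring.gpg"))`. The ordering inside `verify_chart` is deliberate: the digest is only read out of the provenance after the signature has been accepted, so an attacker who can swap both the archive and the `.prov` on the repository gains nothing without a key in the keyring, and an attacker who can only swap the archive is caught by the digest comparison.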