
Plans for supporting plugin verification in Helm v4?

Open kastl-ars opened this issue 1 month ago • 1 comments

Dear @dadav,

Helm v4 introduced plugin verification, which is not yet possible for helm-schema (or I messed up the commands, totally possible).

$ wget https://github.com/dadav/helm-schema/releases/download/0.18.1/helm-schema_0.18.1_Linux_x86_64.tar.gz
$ helm plugin install ./helm-schema_0.18.1_Linux_x86_64.tar.gz 
Verifying plugin signature...
WARNING: No provenance file found for plugin. Plugin is not signed and cannot be verified.
$ 

In addition, installing via URL does not work unless one uses the --verify=false option:

$ helm plugin install https://github.com/dadav/helm-schema
Error: plugin source does not support verification. Use --verify=false to skip verification
$ helm plugin install --verify=false https://github.com/dadav/helm-schema
WARNING: Skipping plugin signature verification
Downloading ...
https://github.com/dadav/helm-schema/releases/download/0.18.1/helm-schema_0.18.1_Linux_x86_64.tar.gz
https://github.com/dadav/helm-schema/releases/download/0.18.1/checksums.txt
Checksum is valid.
Preparing to install into /root/.local/share/helm/plugins/helm-schema
helm-schema installed into /root/.local/share/helm/plugins/helm-schema
helm-schema version 0.18.1
Installed plugin: schema
$

Are there any plans to release "provenance files" so this could be verified automatically? (Disclaimer: I have next to no idea what would be needed to do so, but I hope that there are GitHub actions that just do the needful... :-)

Kind Regards, Johannes

kastl-ars avatar Nov 17 '25 14:11 kastl-ars

Thanks for the idea, I'll look into it

dadav avatar Nov 18 '25 06:11 dadav
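The checksum comparison that the `--verify=false` install reports above can also be done by hand before installing from a local tarball. The following is an added example, not part of the thread or of the helm-schema project. It assumes `checksums.txt` uses the `<sha256-hex>  <filename>` layout; the function names and the sample data are constructed for illustration. A match only shows the archive is the one listed next to it on the release page; it is an integrity check and does not replace the signature-based verification the issue asks for.

```shell
# Added example (not from the helm-schema project). Assumes checksums.txt uses
# the "<sha256-hex>  <filename>" layout, one release asset per line.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_against_checksums FILE CHECKSUMS
# returns 0 = match, 1 = digest mismatch, 2 = no usable entry, 3 = unreadable input
verify_against_checksums() {
  v_file=$1; v_sums=$2
  [ -r "$v_file" ] && [ -r "$v_sums" ] || return 3
  v_name=$(basename "$v_file")
  # Exact comparison on the file-name field, so an entry for
  # "other-<name>" can never satisfy a lookup for "<name>".
  v_hits=$(awk -v n="$v_name" '$2 == n || $2 == ("*" n) { print tolower($1) }' "$v_sums")
  # Require exactly one entry, and it must be 64 hex digits.
  [ "$(printf '%s\n' "$v_hits" | grep -c .)" -eq 1 ] || return 2
  printf '%s\n' "$v_hits" | grep -Eq '^[0-9a-f]{64}$' || return 2
  [ "$(sha256_of "$v_file")" = "$v_hits" ] || return 1
  return 0
}

# Constructed sample: a stand-in archive (not the real release asset) and a
# matching checksums.txt that also lists an unrelated asset.
make_sample() {
  s_dir=$1
  s_tgz="$s_dir/helm-schema_0.18.1_Linux_x86_64.tar.gz"
  printf 'constructed stand-in for the plugin archive\n' > "$s_tgz"
  {
    printf '%064d  helm-schema_0.18.1_Darwin_arm64.tar.gz\n' 0
    printf '%s  %s\n' "$(sha256_of "$s_tgz")" "$(basename "$s_tgz")"
  } > "$s_dir/checksums.txt"
}
```
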