helm-charts

feat: PGP Signed Helm Chart

Open • mattfarina opened this issue 3 years ago • 1 comment

Helm has a feature to sign and verify charts so that the provenance and integrity can be checked. Given that Kubewarden is around security, this could be useful to use.

There is a plugin to make this easier with GPG.

On Artifact Hub there is a badge to show the provenance file. Here's an example. The badge shows up in search, too.

mattfarina, Jun 11 '21 11:06

Just in case, we have been signing the Helm charts with Sigstore, and they are published signed in ghcr.io.

See https://docs.kubewarden.io/tutorials/verifying-kubewarden.

viccuad, Dec 02 '22 09:12