
Verify the CRDS.tar.gz SPDX signature prior to opening PR

Open viccuad opened this issue 1 year ago • 0 comments

Seldom, we have changes to the CRD definitions. These are shipped as part of kubewarden-controller releases, under a file called CRDS.tar.gz.

Contrary to other artifacts that the helm charts consume (such as container image tags, for example policy-server:v1.5.0 or kubewarden-controller:v1.5.0), the CRD definitions are taken as files. We should verify them cryptographically prior to consumption.

Note: Even if we currently don't verify the signature, the consumption of the CRD definitions happens via a PR, which is reviewed by a human.

Acceptance Criteria

Check that the CRDS.tar.gz matches the one listed in kubewarden-controller-sbom.spdx (SPDXID: SPDXRef-File-kubewarden-controller-CRDS.tar.gz), and that the spdx file signature is valid.

viccuad Apr 13 '23 17:04
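The first half of the acceptance criteria (the tarball must match the SBOM's file entry) as an added example; this is not kubewarden's own tooling. It assumes the SBOM is in SPDX tag-value format with a `FileChecksum: SHA256:` line under the given SPDXID, and that the signature on the .spdx file has already been verified by a separate step (the issue does not say which tool signs it), since the checksums are only trustworthy after that.

```python
"""Check that CRDS.tar.gz matches the SPDX SBOM entry that describes it.

Added example, not kubewarden project code. Assumes SPDX tag-value format.
"""
import hashlib
import hmac
import re

# SPDXID quoted in the issue for the CRDs tarball entry.
SPDX_ID = "SPDXRef-File-kubewarden-controller-CRDS.tar.gz"


def parse_spdx_file_checksums(spdx_text: str) -> dict[str, dict[str, str]]:
    """Return {SPDXID: {ALGO: hexdigest}} for every element carrying checksums."""
    entries: dict[str, dict[str, str]] = {}
    current = None
    for line in spdx_text.splitlines():
        line = line.strip()
        if line.startswith("SPDXID:"):
            current = line.split(":", 1)[1].strip()
            entries.setdefault(current, {})
        elif line.startswith("FileChecksum:") and current:
            m = re.match(r"FileChecksum:\s*(\w+):\s*([0-9a-fA-F]+)$", line)
            if m:
                entries[current][m.group(1).upper()] = m.group(2).lower()
    return entries


def crds_match_sbom(crds_bytes: bytes, spdx_text: str, spdx_id: str = SPDX_ID) -> bool:
    """True only if the SBOM lists a SHA256 for spdx_id and it equals the tarball's."""
    digests = parse_spdx_file_checksums(spdx_text).get(spdx_id)
    if not digests or "SHA256" not in digests:
        return False  # missing entry or no SHA256: fail closed
    actual = hashlib.sha256(crds_bytes).hexdigest()
    return hmac.compare_digest(actual, digests["SHA256"])


# Constructed sample input: stand-in tarball bytes and a minimal SBOM fragment.
CRDS_OK = b"constructed stand-in for CRDS.tar.gz contents"
SAMPLE_SBOM = f"""SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
FileName: ./CRDS.tar.gz
SPDXID: {SPDX_ID}
FileChecksum: SHA256: {hashlib.sha256(CRDS_OK).hexdigest()}
FileChecksum: SHA1: {hashlib.sha1(CRDS_OK).hexdigest()}
"""

if __name__ == "__main__":
    print("genuine tarball matches:", crds_match_sbom(CRDS_OK, SAMPLE_SBOM))
    print("tampered tarball matches:", crds_match_sbom(CRDS_OK + b"x", SAMPLE_SBOM))
```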