mirror of
https://github.com/helm/helm.git
synced 2026-02-09 22:04:23 -05:00
* Plugin packaging, signing and verification
  Signed-off-by: Scott Rigby <scott@r6by.com>
* wrap keyring read error with more explicit message
  Co-authored-by: Jesse Simpson <jesse.simpson36@gmail.com>
  Signed-off-by: Scott Rigby <scott@r6by.com>
* skip unnecessary check
  Co-authored-by: Evans Mungai <mbuevans@gmail.com>
  Signed-off-by: Scott Rigby <scott@r6by.com>
* Change behavior for installing plugin with missing .prov file (now warns and continues instead of failing)
  Signed-off-by: Scott Rigby <scott@r6by.com>
* Add comprehensive plugin verification tests
  - Test missing .prov files (warns but continues)
  - Test invalid .prov file formats (fails verification)
  - Test hash mismatches in .prov files (fails verification)
  - Test .prov file access errors (fails appropriately)
  - Test directory plugins don't support verification
  - Test installation without verification enabled (succeeds)
  - Test with valid .prov files (fails on empty keyring as expected)

---------

Signed-off-by: Scott Rigby <scott@r6by.com>
Co-authored-by: Jesse Simpson <jesse.simpson36@gmail.com>
Co-authored-by: Evans Mungai <mbuevans@gmail.com>
38 lines
1.7 KiB
Go
/*
Copyright The Helm Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

/*
Package provenance provides tools for establishing the authenticity of packages.

In Helm, provenance is established via several factors. The primary factor is the
cryptographic signature of a package. Package authors may sign packages, which in turn
provide the necessary metadata to ensure the integrity of the package file, the
metadata, and the referenced Docker images.

A provenance file is clear-signed. This provides cryptographic verification that
a particular block of information (metadata, archive file, images) has not
been tampered with or altered. To learn more, read the GnuPG documentation on
clear signatures:
https://www.gnupg.org/gph/en/manual/x135.html

The cryptography used by Helm should be compatible with OpenPGP. For example,
you should be able to verify a signature by importing the desired public key
and using `gpg --verify`, `keybase pgp verify`, or similar:

	$ gpg --verify some.sig
	gpg: Signature made Mon Jul 25 17:23:44 2016 MDT using RSA key ID 1FC18762
	gpg: Good signature from "Helm Testing (This key should only be used for testing. DO NOT TRUST.) <helm-testing@helm.sh>" [ultimate]
*/
package provenance // import "helm.sh/helm/v4/pkg/provenance"
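The package comment above describes a clear-signed provenance file and the commit message lists the outcomes a plugin installer must distinguish (missing .prov warns and continues, malformed .prov fails, digest mismatch fails). The following is an added Python example, not Helm's code and not part of this file: it splits an RFC 4880 clear-signed message into its signed body and armored signature (undoing dash-escaping), reads the sha256 digests from a `files:` section, and compares them against the archive bytes. The `files:` / `sha256:` manifest layout and the sample archive are constructed for the example; the signature block in the sample is a placeholder, and checking that the real signature validates against a trusted keyring is left to an OpenPGP implementation such as `gpg --verify`, which this example deliberately does not perform.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample archive; in real use this is the packaged .tgz on disk.
ARCHIVE_NAME = "example-plugin-0.1.0.tgz"
ARCHIVE_BYTES = b"constructed-plugin-archive-contents-v1"

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ProvenanceError(ValueError):
    """Raised when a provenance file is malformed or does not match the archive."""


@dataclass
class ClearSigned:
    body: str       # signed text with dash-escaping removed
    signature: str  # ASCII-armored signature block, verbatim (to hand to gpg)


def parse_clearsigned(text: str) -> ClearSigned:
    """Split a clear-signed message into its signed body and armored signature.

    Layout per RFC 4880 section 7: the BEGIN SIGNED MESSAGE line, armor headers
    such as 'Hash: SHA256' up to the first blank line, the dash-escaped body,
    then the armored signature block.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG)
        sig_end = lines.index(END_SIG)
    except ValueError as exc:
        raise ProvenanceError("not a clear-signed message") from exc
    if not start < sig_start < sig_end:
        raise ProvenanceError("clear-signed armor markers out of order")
    i = start + 1
    while i < sig_start and lines[i].strip():  # skip armor headers
        i += 1
    body_lines = lines[i + 1:sig_start]
    # The signer prefixes "- " to any body line beginning with "-"; strip it back off.
    unescaped = [ln[2:] if ln.startswith("- ") else ln for ln in body_lines]
    return ClearSigned("\n".join(unescaped), "\n".join(lines[sig_start:sig_end + 1]))


_DIGEST_RE = re.compile(r"^\s*(?P<name>\S+):\s*sha256:(?P<hex>[0-9a-fA-F]{64})\s*$")


def extract_digests(body: str) -> Dict[str, str]:
    """Read the 'files:' section of the signed body into {archive name: hex digest}."""
    digests, in_files = {}, False
    for line in body.splitlines():
        if line.strip() == "files:":
            in_files = True
        elif in_files:
            m = _DIGEST_RE.match(line)
            if m:
                digests[m.group("name")] = m.group("hex").lower()
    if not digests:
        raise ProvenanceError("no sha256 digests found under 'files:'")
    return digests


def check_provenance(prov_text: Optional[str], archive_name: str, archive: bytes) -> str:
    """Return "skipped" (no .prov, warn only) or "hash-ok"; raise ProvenanceError otherwise.

    "hash-ok" means the archive matches the signed manifest. It does not mean the
    signature is valid or trusted; that decision belongs to the OpenPGP verifier.
    """
    if prov_text is None:
        print(f"WARNING: no provenance file for {archive_name}; continuing unverified")
        return "skipped"
    digests = extract_digests(parse_clearsigned(prov_text).body)
    expected = digests.get(archive_name)
    if expected is None:
        raise ProvenanceError(f"{archive_name} is not listed in the provenance manifest")
    actual = hashlib.sha256(archive).hexdigest()
    if actual != expected:
        raise ProvenanceError(f"digest mismatch: manifest {expected[:12]}.., archive {actual[:12]}..")
    return "hash-ok"


def provenance_outcome(prov_text: Optional[str], archive_name: str, archive: bytes) -> str:
    """Label the outcome the way an installer would log it: skipped / hash-ok / fail."""
    try:
        return check_provenance(prov_text, archive_name, archive)
    except ProvenanceError as exc:
        return f"fail: {exc}"


def build_sample_prov(archive_name: str, archive: bytes) -> str:
    """Construct a provenance-style clear-signed text (placeholder signature, not real)."""
    digest = hashlib.sha256(archive).hexdigest()
    return "\n".join([
        BEGIN_SIGNED, "Hash: SHA256", "",
        "name: example-plugin", "version: 0.1.0", "keywords:",
        "- - provenance",  # original line "- provenance", dash-escaped by the signer
        "...", "files:", f"  {archive_name}: sha256:{digest}",
        BEGIN_SIG, "PLACEHOLDER-NOT-A-REAL-SIGNATURE", END_SIG,
    ])


if __name__ == "__main__":
    prov = build_sample_prov(ARCHIVE_NAME, ARCHIVE_BYTES)
    print(provenance_outcome(None, ARCHIVE_NAME, ARCHIVE_BYTES))
    print(provenance_outcome(prov, ARCHIVE_NAME, ARCHIVE_BYTES))
    print(provenance_outcome(prov, ARCHIVE_NAME, ARCHIVE_BYTES + b"tampered"))
    print(provenance_outcome("not a prov file", ARCHIVE_NAME, ARCHIVE_BYTES))
```

The order of the checks matters for the installer: structure first (so a truncated or non-armored file is rejected before anything is trusted from it), then the digest of the exact bytes that will be unpacked, and only then the signature against a keyring. Any tampering with the signed body after signing, including the digest line, is what the OpenPGP verification step exists to catch; the hash comparison alone only ties the archive to whatever manifest was presented.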