helm-sigstore
Plugin for Helm to integrate the sigstore ecosystem. Search, upload and verify signed Helm Charts in the Rekor Transparency Log.
Info
helm-sigstore is developed as part of the sigstore
project.
We also use a slack channel! Click here for the invite link.
Installation
Use the following steps to build the helm-sigstore
binary and install it as a Helm Plugin
Building
On a system with Go installed, execute the following to download the source and build the plugin
$ mkdir -p $GOPATH/src/github.com/sigstore
$ cd $GOPATH/src/github.com/sigstore
$ git clone https://github.com/sigstore/helm-sigstore.git
$ cd helm-sigstore
Build the plugin
$ make
The plugin binary will be available in the bin
directory
Plugin Installation
Before installing helm-sigstore
as a Helm plugin, ensure that Helm is installed and configured on your machine. Then install the plugin.
$ helm plugin install https://github.com/sigstore/helm-sigstore
Confirm the plugin is available in Helm
$ helm plugin list
NAME VERSION DESCRIPTION
sigstore 0.1.0 This plugin integrates Helm into the Sigstore ecosystem.
With the installation complete and successful, the plugin can be invoked through the helm sigstore
command
$ helm sigstore
Integrates sigstore with Helm
Usage:
sigstore [command]
...
Quickstart
This brief example demonstrates how to upload a signed Helm chart to Rekor and validate the entry
Upload a Signed Helm Chart
$ helm sigstore upload <path_to_packaged_chart>
Created Helm entry at index 6821, available at: https://rekor.sigstore.dev/api/v1/log/entries/b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9
NOTE: The provenance file must be located in the same directory as the packaged chart
Verify the Signed Chart from Rekor
Use the same signed Helm chart from the prior section to verify the entry in Rekor
helm sigstore verify <path_to_packaged_chart>
Chart Verified Successfully From Helm entry:
Rekor Server: https://rekor.sigstore.dev
Rekor Index: 6821
Rekor UUID: b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9
See the Usage documentation for detailed explanations and additional options.
Security
Should you discover any security issues, please refer to sigstores security process