helm-sigstore is developed as part of the
Use the following steps to build the
helm-sigstore binary and install it as a Helm Plugin
On a system with Go installed, execute the following to download the source and build the plugin
$ mkdir -p $GOPATH/src/github.com/sigstore $ cd $GOPATH/src/github.com/sigstore $ git clone https://github.com/sigstore/helm-sigstore.git $ cd helm-sigstore
Build the plugin
The plugin binary will be available in the
helm-sigstore as a Helm plugin, ensure that Helm is installed and configured on your machine. Then install the plugin.
$ helm plugin install https://github.com/sigstore/helm-sigstore
Confirm the plugin is available in Helm
$ helm plugin list NAME VERSION DESCRIPTION sigstore 0.1.0 This plugin integrates Helm into the Sigstore ecosystem.
With the installation complete and successful, the plugin can be invoked through the
helm sigstore command
$ helm sigstore Integrates sigstore with Helm Usage: sigstore [command] ...
This brief example demonstrates how to upload a signed Helm chart to Rekor and validate the entry
Upload a Signed Helm Chart
$ helm sigstore upload <path_to_packaged_chart> Created Helm entry at index 6821, available at: https://rekor.sigstore.dev/api/v1/log/entries/b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9
NOTE: The provenance file must be located in the same directory as the packaged chart
Verify the Signed Chart from Rekor
Use the same signed Helm chart from the prior section to verify the entry in Rekor
helm sigstore verify <path_to_packaged_chart> Chart Verified Successfully From Helm entry: Rekor Server: https://rekor.sigstore.dev Rekor Index: 6821 Rekor UUID: b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9
See the Usage documentation for detailed explanations and additional options.
Should you discover any security issues, please refer to sigstores security process