Sign helm releases #427
fix #31
First stab, need to iterate most likely.
@techknowlogick @lunny Could one of you add the GPG secrets here so the signing can be tested?
Done. Only push could read those secrets.
Thanks. I wonder if we can allow it for PRs for a short time and then remove it again? This way we can test whether the logic works instead of failing during the next release?
I think if you would add them with "allow in PRs", merge main (which triggers a new run), then we would see if it works in drone. If so, you could then remove the "allow in PRs" again? This would be a minimal exposure and if you do it, nobody could step in between.
Sorry, we cannot allow it for PR reading because there is a security problem. And since you have write permission, I think you can do that in a branch in this repository.
I am not fully sure you understood my proposal :) I didn't ask to allow it in general for this repo but instead that you do it for a few mins while you update and rerun the action yourself and then revoke it again. This way, there is no exposure risk to anyone and I am not involved at all.
Ah true, I could change the trigger for executing that part of the CI and do so in a branch build and not within a PR. Good pointer, thanks!
@lunny I keep getting the same non-successful results when importing
Could you check whether the key is actually OK and importable? Maybe in an alpine docker container on your local machine?
It should be OK because I just finished the signing of act_runner https://gitea.com/gitea/act_runner/src/branch/main/.gitea/workflows/release-tag.yml . And since we are switching from drone -> Actions, maybe we can delay this PR?
Ah sure, let's wait then or directly use the Gitea Action logic.
@lunny Could you add the GPG key as Gitea Actions secrets?
I had to use the helm gpg plugin (and fork it first) as the official `helm package --sign` has issues with gpg and its new keyring format: https://github.com/helm/helm/issues/2843

The current state worked fine and I hope we get a signed release during the next "real" release.
TBH, I am not sure if we should rely on a Helm plugin for a feature that is built into Helm. I saw the existing issue with gpg2 and the file format. But there seems to be a workaround for it by converting the key store into the legacy format: https://helm.sh/docs/topics/provenance/#the-workflow. There is a hint about it.
But if it works, it works. I'd like to test it locally before I give my approval.
As an alternative to that, we could switch to OCI registry and use cosign in the future.
I am with you there. I tested the workaround and it didn't work and resulted in another error I couldn't resolve. You can check the CI run history to spot the tries.
Happy to use the official way if you can get it working but I had to make a cut after more than one hour 🥴️
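The legacy-keyring workaround discussed in the comments above, written out as an added example that is not code from this PR or the helm-chart repository: a Gitea Actions job that exports the imported key into the pre-keybox secring/pubring files so the built-in `helm package --sign` can read them, then checks the result with `helm verify` before anything is published. The secret names (`GPG_PRIVATE_KEY`, `GPG_PASSPHRASE`) and the `dist` directory are placeholders chosen here; the thread reports this route still failed in CI with an unresolved error, so the job shows what was attempted rather than a confirmed fix.

```yaml
# Added example: signing a chart with the built-in `helm package --sign`
# via the legacy keyring format. Secret names and paths are placeholders.
name: release-chart
on:
  push:
    tags:
      - "v*"
jobs:
  sign-chart:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Import the signing key (secret name is a placeholder)
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import

      - name: Export legacy keyrings for Helm
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          # Helm's OpenPGP library reads the pre-2.1 secring/pubring files,
          # not gpg2's keybox (.kbx) store, hence the export step.
          gpg --batch --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
              --export-secret-keys > "$HOME/secring.gpg"
          gpg --batch --export > "$HOME/pubring.gpg"

      - name: Package and sign the chart
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          # `--passphrase-file -` reads the passphrase from stdin, so it never
          # appears on the command line or in the job log. `--key` is omitted:
          # the exported secring holds only the CI key, so Helm picks it.
          mkdir -p dist
          printf '%s\n' "$GPG_PASSPHRASE" | helm package --sign \
            --keyring "$HOME/secring.gpg" \
            --passphrase-file - \
            --destination dist ./

      - name: Verify the signature before publishing
        run: |
          # Fails the job if a .prov file is missing, does not match its .tgz,
          # or was not signed by a key present in the public keyring.
          for chart in dist/*.tgz; do
            helm verify "$chart" --keyring "$HOME/pubring.gpg"
          done
```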
This is new to me but sounds interesting!
@justusbunsi Would you be ok to go with it for the time being? I am not so motivated to put much more time into this small issue given the issues and complexity on the helm side atm.
The current approach seems to work and we can always revisit once things have gotten better for the "official" command?
Sure. Let's move on with this solution. Sorry for not responding earlier.