Plugin for Helm to integrate the sigstore ecosystem. Search, upload and verify signed Helm Charts in the Rekor Transparency Log.
helm-sigstore is developed as part of the sigstore
project.
We also use a slack channel! Click here for the invite link.
Use the following steps to build the helm-sigstore
binary and install it as a Helm Plugin
On a system with Go installed, execute the following to download the source and build the plugin
$ mkdir -p $GOPATH/src/github.com/sigstore
$ cd $GOPATH/src/github.com/sigstore
$ git clone https://github.com/sigstore/helm-sigstore.git
$ cd helm-sigstore
Build the plugin
$ make
The plugin binary will be available in the bin
directory
Before installing helm-sigstore
as a Helm plugin, ensure that Helm is installed and configured on your machine. Then install the plugin.
$ helm plugin install https://github.com/sigstore/helm-sigstore
Confirm the plugin is available in Helm
$ helm plugin list
NAME VERSION DESCRIPTION
sigstore 0.1.0 This plugin integrates Helm into the Sigstore ecosystem.
With the installation complete and successful, the plugin can be invoked through the helm sigstore
command
$ helm sigstore
Integrates sigstore with Helm
Usage:
sigstore [command]
...
This brief example demonstrates how to upload a signed Helm chart to Rekor and validate the entry
$ helm sigstore upload <path_to_packaged_chart>
Created Helm entry at index 6821, available at: https://rekor.sigstore.dev/api/v1/log/entries/b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9
NOTE: The provenance file must be located in the same directory as the packaged chart.
To generate a provenance file, please consult the official documentation of Helm Provenance and Integrity.
Use the same signed Helm chart from the prior section to verify the entry in Rekor
helm sigstore verify <path_to_packaged_chart>
Chart Verified Successfully From Helm entry:
Rekor Server: https://rekor.sigstore.dev
Rekor Index: 6821
Rekor UUID: b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9
See the Usage documentation for detailed explanations and additional options.
This project generates SLSA provenance for its releases! This enables you to verify the integrity of the downloaded artifacts and ensure that the binary's code really comes from this source code.
To verify the provenance of the release binaries, please follow the instructions here.
Should you discover any security issues, please refer to sigstores security process