WIP: Re-implement artifact signing #682
Reference: gitea/helm-chart#682
Description of the change

This re-implements our artifact signing. It had to be disabled in 3265a5ed53, so that we were able to release v10.3.0. This time for both artifacts (tgz file and DockerHub artifact).

Benefits

Improved chain of trust for our users.

Possible drawbacks

Not that I am aware of.

Applicable issues

Additional information

During the release of v10.3.0 I noticed that the previous artifact signing only happened during the release. The generated .prov file was never uploaded to https://dl.gitea.com/charts/, so nobody was able to use it for verification. Additionally, only the tgz file was signed, not the OCI artifact on DockerHub.

I've used the Actions feature to ensure these workflow steps work as expected. The only thing I could not test is the "AWS S3 sync". But I hope™️ that this still works with the new aws-cli package from APK.

The published test artifact can be seen at my own DockerHub profile [1]. The cosign transparency log entry can be found here: https://search.sigstore.dev/?logIndex=109502702.

Here are example resources to verify the OCI artifact via FluxCD.

TODOs

GPG signing key
- @techknowlogick @lunny, please check that the referenced GPG key is still valid. If not, renew it please.
- helm.pub.

Cosign keypair
- @techknowlogick @lunny, please generate a cosign key pair using cosign generate-key-pair. You can install cosign with these instructions.
- cosign.pub.
- COSIGN_KEY to this repository.
- COSIGN_PASSPHRASE to this repository.

Documentation

[1] As soon as this PR is merged, I am going to delete this repository to not confuse users.
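The FluxCD resources the description links to are not reproduced on this page. As an added example (not the PR author's resources or the chart's own files), the manifests below show how a chart consumer would make FluxCD verify the cosign signature on the OCI artifact before installing it; the registry path registry-1.docker.io/EXAMPLE_ORG, the chart name gitea, and the Secret name cosign-public-keys are assumptions to be replaced with the real values.

```yaml
# Added example: FluxCD resources that refuse to install the Helm chart
# unless the OCI artifact carries a cosign signature matching a known key.
# Assumptions (not taken from the PR): the chart is published at
# oci://registry-1.docker.io/EXAMPLE_ORG as "gitea", and the repository's
# cosign.pub is stored in the Secret below, next to the HelmRepository.
apiVersion: v1
kind: Secret
metadata:
  name: cosign-public-keys
  namespace: flux-system
stringData:
  # Contents of cosign.pub. Flux's docs store the key under a name
  # ending in ".pub"; several keys may be listed to allow rotation.
  cosign.pub: |
    -----BEGIN PUBLIC KEY-----
    <PLACEHOLDER: paste the contents of cosign.pub here>
    -----END PUBLIC KEY-----
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: gitea
  namespace: flux-system
spec:
  # OCI-type repository: charts are pulled as OCI artifacts from DockerHub
  type: oci
  interval: 1h
  url: oci://registry-1.docker.io/EXAMPLE_ORG
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: gitea
  namespace: gitea
spec:
  interval: 30m
  chart:
    spec:
      chart: gitea
      # Only releases from the version that re-introduced signing onwards
      version: ">=10.3.0"
      sourceRef:
        kind: HelmRepository
        name: gitea
        namespace: flux-system
      # Fail closed: the HelmChart stays not-Ready, and no release happens,
      # when the artifact has no signature verifiable with a key in the Secret.
      verify:
        provider: cosign
        secretRef:
          name: cosign-public-keys
```

The verification result is visible in the HelmChart's status conditions (flux get sources chart -n flux-system), which is where to look when a release unexpectedly stops rolling out after a key rotation.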
GPG signing key has been updated. I haven't used cosign generate-key-pair. I will try it later.

@lunny, do you need help with the keys?
ping @lunny @techknowlogick
@lunny @techknowlogick, is there anything I can help to get your TODOs done?
@techknowlogick @lunny We depend on you for this task. Would be great if you could let us know if you have it on your list 🙂️