Cloud / HELM Interview Questions
What are Helm provenance files and how do you sign charts?
Provenance files (the .prov file written next to a packaged chart) let a Helm client verify cryptographically that a chart was signed by a key it trusts and that the packaged tarball has not been modified since it was signed.
Generating GPG key for signing:
# Generate GPG key
gpg --full-generate-key
# Select RSA and RSA, 4096 bits, no expiry
# Export public key
gpg --export --armor "Helm Maintainer" > helm-public.key
# Helm has no environment variable for the signing key: the key name, keyring and
# passphrase file are passed to `helm package` as flags (see below).
# GnuPG 2.1+ stores keys in a format Helm cannot read, so export the SECRET key
# once into a legacy keyring file that `helm package --sign` can use:
gpg --export-secret-keys "Helm Maintainer" > ~/.gnupg/secring.gpg
Signing a chart during packaging:
# Package and sign chart: --keyring must point at a keyring containing the
# signer's SECRET key (the exported secring), not the public keyring
helm package --sign --key "Helm Maintainer" --keyring ~/.gnupg/secring.gpg ./mychart
# Results:
# mychart-1.2.3.tgz
# mychart-1.2.3.tgz.prov   # Provenance file (PGP clearsigned, see below)
# Verify provenance: the keyring defaults to ~/.gnupg/pubring.gpg and must hold
# the signer's PUBLIC key (on GnuPG 2.1+ create it with: gpg --export > ~/.gnupg/pubring.gpg)
helm verify mychart-1.2.3.tgz
# Verify with a specific keyring
helm verify --keyring ~/.gnupg/pubring.gpg mychart-1.2.3.tgz
Provenance file contents (.prov file): a PGP clearsigned message whose body is the chart's Chart.yaml, a literal YAML document separator (...), and a files: section holding the SHA-256 digest of the packaged tarball itself (the tarball as a whole is hashed, not the individual files inside it):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v1
description: A Helm chart for Kubernetes
name: mychart
version: 1.2.3

...
files:
  mychart-1.2.3.tgz: sha256:abc123...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCgAGBQJfghkLAAoJEL...
-----END PGP SIGNATURE-----
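To make the format above concrete, here is an added example (not Helm's own code) that performs the integrity half of what helm verify does: it splits the clearsigned .prov file into its signed body and signature block, parses the Chart.yaml metadata and the files: digests, and checks that the SHA-256 of the tarball bytes matches the recorded digest. It deliberately leaves the PGP signature check to GnuPG/Helm, since that needs a keyring. The tarball bytes and the provenance text are constructed sample data, and the signature block is a placeholder, not a real signature.

```python
"""Integrity check of a Helm provenance (.prov) file against a chart tarball.

Added example, not Helm's own code. Verifies only the digest binding;
the PGP signature over the body is left to GnuPG / `helm verify`.
"""
import hashlib
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(prov_text):
    """Return (signed_body, signature_block) from a PGP clearsigned .prov."""
    if not prov_text.startswith(BEGIN_MSG):
        raise ValueError("not a PGP clearsigned message")
    head, _, rest = prov_text.partition(BEGIN_SIG)
    if not rest:
        raise ValueError("missing PGP signature block")
    # Armor headers such as `Hash: SHA512` end at the first blank line.
    _, _, body = head.partition("\n\n")
    sig = BEGIN_SIG + rest
    if END_SIG not in sig:
        raise ValueError("truncated PGP signature block")
    return body, sig


def parse_provenance(prov_text):
    """Extract top-level Chart.yaml fields and the files: digests."""
    body, _ = split_clearsigned(prov_text)
    meta_text, sep, files_text = body.partition("\n...\n")
    if not sep:
        raise ValueError("provenance body lacks the '...' document separator")
    meta = {}
    for line in meta_text.splitlines():
        key, colon, value = line.partition(":")
        if colon and not line.startswith(" "):
            meta[key.strip()] = value.strip()
    files = {}
    for m in re.finditer(r"^\s+(\S+):\s*sha256:([0-9a-f]{64})\s*$", files_text, re.M):
        files[m.group(1)] = m.group(2)
    if not files:
        raise ValueError("provenance lists no files: entries")
    return meta, files


def verify_chart_digest(prov_text, chart_filename, chart_bytes):
    """True only if the tarball's SHA-256 matches its files: entry.

    Also insists that the filename agrees with the signed name/version,
    so a provenance cannot be re-used for a differently named package.
    """
    meta, files = parse_provenance(prov_text)
    expected_name = f"{meta.get('name')}-{meta.get('version')}.tgz"
    if chart_filename != expected_name:
        raise ValueError(f"{chart_filename} does not match Chart.yaml ({expected_name})")
    if chart_filename not in files:
        raise ValueError(f"{chart_filename} not listed under files:")
    return hashlib.sha256(chart_bytes).hexdigest() == files[chart_filename]


# --- Constructed sample data: stand-in tarball bytes and a placeholder signature ---
SAMPLE_CHART = b"constructed bytes standing in for mychart-1.2.3.tgz"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_CHART).hexdigest()
SAMPLE_PROV = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v1
description: A Helm chart for Kubernetes
name: mychart
version: 1.2.3

...
files:
  mychart-1.2.3.tgz: sha256:{SAMPLE_DIGEST}
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    print("intact :", verify_chart_digest(SAMPLE_PROV, "mychart-1.2.3.tgz", SAMPLE_CHART))
    print("tampered:", verify_chart_digest(SAMPLE_PROV, "mychart-1.2.3.tgz", SAMPLE_CHART + b"x"))
```

A single appended byte flips the result to False, which is the point of binding the digest inside the signed body: an attacker who can replace the .tgz on a repository but cannot sign with the maintainer's key cannot produce a matching .prov, and the signature check (not shown here) is what stops them from simply rewriting the digest.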
Repository with signed charts:
# Build or refresh the index; publish the .tgz, its .prov and index.yaml together
helm repo index --url https://myrepo.github.io/charts --merge index.yaml .
# Client verification on install (helm install needs a release name)
helm install myrelease myrepo/mychart --verify
# Helm has no global "always verify" setting or environment variable: --verify
# must be passed to every install, upgrade or pull that should enforce it
CI/CD signing automation:
# GitHub Actions signing (steps of a job whose runner has helm and gpg installed)
- name: Import GPG key
  run: |
    echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
    echo "${{ secrets.GPG_PASSPHRASE }}" > passphrase.txt
    # Helm reads legacy keyring files, not GnuPG 2.1's pubring.kbx
    gpg --export-secret-keys > secring.gpg
    gpg --export > pubring.gpg
- name: Package and sign chart
  run: |
    helm package --sign --key "${{ secrets.GPG_KEY_NAME }}" \
      --keyring secring.gpg \
      --passphrase-file passphrase.txt \
      --destination dist ./charts/mychart
- name: Verify signature
  run: |
    helm verify --keyring pubring.gpg dist/mychart-*.tgz
    rm -f passphrase.txt secring.gpg
Trust management:
# Add trusted maintainers' PUBLIC keys to the keyring Helm verifies against
gpg --import trusted-maintainer.key
gpg --export > ~/.gnupg/pubring.gpg   # legacy keyring format that Helm reads
# helm repo add has no --keyring flag; the keyring is given when verifying
helm repo add myrepo https://myrepo.github.io/charts
helm pull --verify --keyring ~/.gnupg/pubring.gpg myrepo/mychart
# Verify chart dependencies are signed
helm dependency update --verify --keyring ~/.gnupg/pubring.gpg
Limitations: a provenance file covers only the chart tarball it was generated for; charts that it pulls in as dependencies are not covered by it, so each dependency needs its own provenance file and a trusted key of its own. For charts stored in OCI registries, Cosign signatures are the usual alternative.