helm-sigstore

Plugin for Helm to integrate the sigstore ecosystem. Search, upload and verify signed Helm Charts in the Rekor Transparency Log.

Info

helm-sigstore is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.

Installation

Use the following steps to build the helm-sigstore binary and install it as a Helm plugin.

Building

On a system with Go installed, execute the following to download the source and build the plugin:

$ mkdir -p $GOPATH/src/github.com/sigstore
$ cd $GOPATH/src/github.com/sigstore
$ git clone https://github.com/sigstore/helm-sigstore.git
$ cd helm-sigstore

Build the plugin:

$ make

The plugin binary will be available in the bin directory.

Plugin Installation

Before installing helm-sigstore as a Helm plugin, ensure that Helm is installed and configured on your machine. Then install the plugin.

$ helm plugin install https://github.com/sigstore/helm-sigstore

Confirm the plugin is available in Helm:

$ helm plugin list

NAME            VERSION         DESCRIPTION
sigstore        0.1.0           This plugin integrates Helm into the Sigstore ecosystem.

With the installation complete and successful, the plugin can be invoked through the helm sigstore command:

$ helm sigstore

Integrates sigstore with Helm

Usage:
  sigstore [command]
...

Quickstart

This brief example demonstrates how to upload a signed Helm chart to Rekor and validate the entry.

Upload a Signed Helm Chart

$ helm sigstore upload <path_to_packaged_chart>

Created Helm entry at index 6821, available at: https://rekor.sigstore.dev/api/v1/log/entries/b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9

NOTE: The provenance file must be located in the same directory as the packaged chart.

To generate a provenance file, please consult the official documentation of Helm Provenance and Integrity.
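
A pre-flight check for the note above, as an added example that is not part of helm-sigstore: it confirms that `<chart>.tgz.prov` sits beside the packaged chart and that the `sha256:` digest recorded in its `files:` section matches the archive. It assumes `sha256sum`, `awk` and `mktemp` are available, uses constructed sample data, and does not check the PGP signature itself (`helm verify` does that).

```shell
#!/bin/sh
# Added example, not part of helm-sigstore. Assumes sha256sum, awk and mktemp.

# prov_digest FILE.prov NAME.tgz: print the sha256 hex recorded under "files:".
prov_digest() {
  awk -v name="$2" '
    /^-----BEGIN PGP SIGNATURE-----/ { exit }  # signed body ends here
    /^files:/ { in_files = 1; next }
    in_files && $1 == (name ":") { sub(/^sha256:/, "", $2); print $2; exit }
  ' "$1"
}

# check_chart_prov CHART.tgz
# Returns 0 on match, 1 chart missing, 2 .prov missing, 3 no digest entry, 4 mismatch.
check_chart_prov() {
  chart=$1
  prov="$chart.prov"   # Helm writes the provenance file beside the chart
  [ -f "$chart" ] || { echo "chart not found: $chart" >&2; return 1; }
  [ -f "$prov" ] || { echo "missing provenance file: $prov" >&2; return 2; }
  want=$(prov_digest "$prov" "$(basename "$chart")")
  [ -n "$want" ] || { echo "no sha256 entry for chart in $prov" >&2; return 3; }
  have=$(sha256sum "$chart" | awk '{ print $1 }')
  [ "$want" = "$have" ] || { echo "digest mismatch: chart does not match provenance" >&2; return 4; }
  echo "ok: $have"
}

# Constructed sample: a fake chart archive and a .prov body with a dummy signature.
demo() {
  dir=$(mktemp -d)
  printf 'constructed chart bytes' > "$dir/demo-0.1.0.tgz"
  sum=$(sha256sum "$dir/demo-0.1.0.tgz" | awk '{ print $1 }')
  printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA512' '' \
    'name: demo' 'version: 0.1.0' '' '...' 'files:' \
    "  demo-0.1.0.tgz: sha256:$sum" \
    '-----BEGIN PGP SIGNATURE-----' 'constructed' '-----END PGP SIGNATURE-----' \
    > "$dir/demo-0.1.0.tgz.prov"
  check_chart_prov "$dir/demo-0.1.0.tgz"
  rm -rf "$dir"
}
demo
```

A non-zero return from `check_chart_prov` means the upload should not proceed until the chart is re-packaged and re-signed.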

Verify the Signed Chart from Rekor

Use the same signed Helm chart from the prior section to verify the entry in Rekor:

$ helm sigstore verify <path_to_packaged_chart>

Chart Verified Successfully From Helm entry:

Rekor Server: https://rekor.sigstore.dev
Rekor Index: 6821
Rekor UUID: b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9

See the Usage documentation for detailed explanations and additional options.

SLSA Provenance

This project generates SLSA provenance for its releases! This enables you to verify the integrity of the downloaded artifacts and ensure that the binary's code really comes from this source code.

To verify the provenance of the release binaries, please follow the instructions here.

Security

Should you discover any security issues, please refer to sigstore's security process.
