GPG signature validation doesn't work on multi-source values

[shmargum]

Checklist:

• [x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• [x] I've included steps to reproduce the bug.
• [x] I've pasted the output of argocd version.

Describe the bug

An application with helm chart from source A and values from source B says target revision in source B is not signed when it is indeed signed.

To Reproduce

sources:
  - repoURL: 'git@github.com:my-org/my-repo-1.git'
    path: charts/test
    targetRevision: master
    helm:
      valueFiles:
        - values/test.yaml
        - $values1/charts/test/values/test.yaml
  - repoURL: 'git@github.com:my-org/my-repo-2.git'
    targetRevision: master
    ref: values1

Expected behavior

Expecting ArgoCD to recognize the commit is signed.

Screenshots

Version

v2.7.7+4650bb2.dirty

Logs

Paste any relevant application logs here.

[jannfis]

Thanks. I have a PoC working to support multiple sources among some other new features that I submit shortly along with a proposal.

[jannfis]

Proposal: https://github.com/argoproj/argo-cd/pull/14964

[zadjadr]

I also see an issue with this if we use an external helm chart with values taken from an internal repository.

For example:

• Source 1: superset helm chart @ http://apache.github.io/superset/
• Source 2: my own repository @ https://github.com/abc/myvalues

Source 2 will always be signed with my GPG key, e.g ABCEXAMPLE while Source 1 is not signed since its a helm repository. Argocd will not sync because the target at Source 1 is not signed.

Is there any workaround for this?