Closed maelvls closed 3 years ago
Hi @maelvls
According to the Helm provenance documentation, your provenance files should be provided by serving a file named after the package file, by appending .prov to them.
So, as an example, in the case of this package file:
https://charts.jetstack.io/charts/cert-manager-v1.4.0.tgz
the provenance file should be:
https://charts.jetstack.io/charts/cert-manager-v1.4.0.tgz.prov
The problem in your case is that you don't seem to be serving a valid provenance file, but a redirection to an Artifact Hub url. So when we check it, we notify you so that you can take action.
Before, we were only checking that the response to a request to that url was a 200. But then we realized that some repositories were responding a 200, but not providing a valid provenance file, and we were incorrectly marking the chart as signed. So we improved the check a bit.
Please keep in mind that we make this check to let users know that the chart is signed, and if it really isn't it can be misleading for them.
There are two ways you can solve this on your end:
200, but with a 404. This way we'll consider the chart is not signed and no warning will be raised either.
You can also opt-out of tracking errors emails from the control panel, but I wouldn't recommend that as you could miss important notifications.
Hope this helps!
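The stricter check described in the comment above, sketched from a chart publisher's side as an added example (it is not part of the thread and not Artifact Hub's code): a 404 means "not signed", and a 200 is accepted only when the body has the clearsigned layout Helm writes and lists the package's SHA-256 digest. The function name, return labels and sample data are assumptions made for the illustration, and the PGP signature itself is not verified.

```python
import hashlib
import re

SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def check_prov(status, body, package, package_bytes):
    """Classify what a repository serves at <package>.prov.

    Structural check only: the PGP signature is NOT verified here.
    """
    if status == 404:
        return "unsigned"            # clean answer: chart is not signed
    if status != 200:
        return "invalid"
    text = body.strip()
    begin, end = text.find(SIG_BEGIN), text.find(SIG_END)
    # Helm writes .prov as a PGP clearsigned message with a trailing signature.
    if not text.startswith(SIGNED) or begin == -1 or end < begin:
        return "invalid"             # e.g. an HTML page reached via a redirect
    # The signed YAML ends with "files:" entries: "<package>: sha256:<digest>".
    entry = re.search(r"^[ \t]+%s: sha256:([0-9a-f]{64})[ \t]*$" % re.escape(package),
                      text[:begin], re.MULTILINE)
    if entry is None:
        return "invalid"
    if entry.group(1) != hashlib.sha256(package_bytes).hexdigest():
        return "mismatch"            # provenance describes a different archive
    return "ok"

# Constructed sample data (not taken from any real repository).
PACKAGE = "example-chart-0.1.0.tgz"
PACKAGE_BYTES = b"constructed stand-in for a chart archive"
PROV = f"""{SIGNED}
Hash: SHA512

apiVersion: v2
name: example-chart
version: 0.1.0

...
files:
  {PACKAGE}: sha256:{hashlib.sha256(PACKAGE_BYTES).hexdigest()}
{SIG_BEGIN}

constructed-placeholder-not-a-real-signature
{SIG_END}
"""
HTML = "<!DOCTYPE html><html><body>constructed landing page</body></html>"
```

A result of "ok" here only means the file is well formed and matches the archive; `helm verify` against the publisher's public key is still what establishes that the signature is genuine.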
Hi @maelvls
I'll close this one for now, please feel free to reopen if needed.
Hi,
We have been receiving many emails that mention a provenance file:
I noticed these errors only occur for betas and alphas of cert-manager (except for the v0.2.0 of cert-manager-istio-csr).
How can we stop these emails from being sent?
Thanks!