Error checking provenance file: invalid provenance file

[maelvls]

Hi,

We have been receiving many emails that mention a provenance file:

Subject: Something went wrong tracking repository cert-manager

We encountered some errors while tracking repository cert-manager. Some or all of these errors may be just warnings, and it's possible that your > packages have been still indexed properly. However, it'd be great if you can take a look at them just in case there is something missing or > failing in your repository that may affect how your content is displayed on Artifact Hub.

Errors log

error checking provenance file: invalid provenance file (package: cert-manager version: v0.10.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.11.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.12.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.12.0-beta.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.13.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.14.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.14.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.15-alpha.3)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.15.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.15.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.15.0-alpha.2)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.15.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.15.0-beta.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.16.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.16.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.7.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.7.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.8.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.8.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.9.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v0.9.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.0.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.0.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.0.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.0.0-beta.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.1.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.1.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.2.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.2.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.2.0-alpha.2)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.3.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.3.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.3.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.4.0-alpha.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.4.0-alpha.1)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.4.0-beta.0)
error checking provenance file: invalid provenance file (package: cert-manager version: v1.4.0-beta.1)
error checking provenance file: invalid provenance file (package: cert-manager-istio-csr version: v0.2.0)

I noticed these errors only occur for betas and alphas of cert-manager (except for the v0.2.0 of cert-manager-istio-csr).

How can we stop these emails from being sent?

Thanks!

[tegioz]

Hi @maelvls

According to the Helm provenance documentation, your provenance files should be provided by serving a file named after the package file, by appending .prov to them.

So, as an example, in the case of this package file:

https://charts.jetstack.io/charts/cert-manager-v1.4.0.tgz

the provenance file should be:

https://charts.jetstack.io/charts/cert-manager-v1.4.0.tgz.prov

The problem in your case is that you don't seem to be serving a valid provenance file, but a redirection to an Artifact Hub url. So when we check it, we notify you so that you can take action.

Before, we were only checking that the response to a request to that url was a 200. But then we realized that some repositories were responding a 200, but not providing a valid provenance file, and we were incorrectly marking the chart as signed. So we improved the check a bit.

Please keep in mind that we make this check to let users know that the chart is signed, and if it really isn't it can be misleading for them.

There are two ways you can solve this on your end:

• Sign your charts and provide a valid provisioning file. This way the warning will go away and your charts will be displayed as signed on Artifact Hub.
• Do not respond to the request to that file with a 200, but with a 404. This way we'll consider the chart is not signed and no warning will be raised either.

You can also opt-out of tracking errors emails from the control panel, but I wouldn't recommend that as you could miss important notifications.

Hope this helps!

[tegioz]

Hi @maelvls

I'll close this one for now, please feel free to reopen if needed.