contane / charts

Contane Helm Charts
https://artifacthub.io/packages/search?repo=contane-github
Apache License 2.0

Could not retrieve keyring: tag byte does not have MSB set #34

Closed lusu007 closed 1 month ago

lusu007 commented 1 month ago

Helm chart

All

Helm chart version

All

Actual behavior (issue description)

Sigstore Helm plugin fails in our release pipeline.

Pushed: ghcr.io/contane/charts/foreman:0.3.0
Digest: sha256:5bb958c516360d7260182085442be99028ddab9faffb568bf1af9b79f7a9cb83
Could not retrieve keyring: Error Retrieving Keyring: openpgp: invalid data: tag byte does not have MSB set
Error: plugin "sigstore" exited with error
Error: Process completed with exit code 1.

see: https://github.com/contane/charts/actions/runs/9927531924/job/27422602723

Expected behavior

sigstore should upload our public keyring to Rekor.

Steps to reproduce

Run a release pipeline.

Custom configuration

No response

Additional information

There is an issue in the Helm repository (helm/helm#2843). However, the provided solution only outputs the key in binary. I don't think that's a proper solution.

meyfa commented 1 month ago

helm-sigstore uses a deprecated PGP dependency: https://pkg.go.dev/golang.org/x/crypto/openpgp

I tracked the error message down to: https://cs.opensource.google/go/x/crypto/+/master:openpgp/packet/packet.go;drc=a6a393ffd658b286f64f141b06cbd94e516d3a64;l=208

The way I interpret that, there is no way around providing the keyring in binary. Or rather, something like base64 since we cannot have a binary secret in GitHub Actions.

lusu007 commented 1 month ago

I thought about providing it as binary encoded as Base64 too. Thank you for tracking this down.

Do you know whether there is an open issue in the helm-sigstore repository?

lusu007 commented 1 month ago

Ah, never mind. I found one. It's been open since 2021... 🫠

sigstore/helm-sigstore#25
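
The diagnosis in this thread, as an added Go example that is not code from helm-sigstore or from this repository: a binary OpenPGP reader expects the first byte to be a packet tag with its high bit set, and an ASCII-armored export starts with `-` instead. `Classify`, `Dearmor` and `sampleArmored` are hypothetical names, the sample is constructed, and the armor's CRC24 line is skipped rather than verified.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample, not a real key: 6 bytes beginning with 0x99, wrapped in
// armor. The "=AAAA" checksum line is a placeholder and is not verified below.
const sampleArmored = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\nmQADBAUG\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"

// Classify mirrors the check behind the error: a binary OpenPGP stream starts
// with a packet tag byte whose most significant bit is set; '-' (0x2D) is not.
func Classify(data []byte) string {
	switch {
	case len(data) > 0 && data[0]&0x80 != 0:
		return "binary"
	case bytes.HasPrefix(bytes.TrimSpace(data), []byte("-----BEGIN PGP ")):
		return "armored"
	}
	return "unknown"
}

// Dearmor returns the binary packets inside an ASCII-armored block.
func Dearmor(armored []byte) ([]byte, error) {
	var body strings.Builder
	started, inBody := false, false
	for _, l := range strings.Split(string(armored), "\n") {
		l = strings.TrimSpace(l) // also drops a trailing '\r'
		switch {
		case strings.HasPrefix(l, "-----BEGIN PGP "):
			started = true
		case started && strings.HasPrefix(l, "-----END PGP "):
			return base64.StdEncoding.DecodeString(body.String())
		case started && !inBody:
			inBody = l == "" // a blank line ends the armor headers
		case inBody && !strings.HasPrefix(l, "="): // skip the CRC24 line
			body.WriteString(l)
		}
	}
	return nil, fmt.Errorf("no complete PGP armor block found")
}

func main() {
	bin, err := Dearmor([]byte(sampleArmored))
	// Base64 of the binary form is what fits in a text-only secret store.
	fmt.Println(Classify(bin), base64.StdEncoding.EncodeToString(bin), err)
}
```

Running a check like `Classify` on the decoded secret before the signing step turns the opaque plugin failure into an explicit "keyring is armored" error in the pipeline.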