Closed (lusu007 closed 1 month ago)
helm-sigstore uses a deprecated PGP dependency: https://pkg.go.dev/golang.org/x/crypto/openpgp
I tracked the error message down to: https://cs.opensource.google/go/x/crypto/+/master:openpgp/packet/packet.go;drc=a6a393ffd658b286f64f141b06cbd94e516d3a64;l=208
The way I interpret that, there is no way around providing the keyring in binary. Or rather, something like base64 since we cannot have a binary secret in GitHub Actions.
I thought about providing it as Binary encoded as Base64 too. Thank you for tracking this down.
Do you know whether there is an open issue in the helm-sigstore repository?
Ah, never mind. I found one. It's open since 2021...
sigstore/helm-sigstore#25
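A pipeline-side check for the situation discussed above, added here as an example; it is not code from the contane/charts repository or from helm-sigstore. The deprecated packet reader linked in the comment parses raw OpenPGP packets, and RFC 4880 requires the first byte of every packet header to have its most significant bit set, while an ASCII-armored keyring starts with "-----BEGIN" (0x2d), so armor is rejected before any key material is read. The script below decodes a base64-encoded secret into a binary keyring file and fails early with a readable message if the result is not a binary packet stream. The secret name, file paths and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the contane/charts thread or from helm-sigstore.
# Assumed setup: the binary public keyring is stored base64-encoded in a
# GitHub Actions secret; the secret name SIGSTORE_KEYRING_B64 is invented here.

# Decode the base64 secret text in $1 into the binary keyring file $2.
decode_keyring() {
  printf '%s' "$1" | base64 -d > "$2"
}

# Succeed (0) only if $1 begins with an OpenPGP packet header byte.
# RFC 4880 requires bit 7 of that byte to be set, which is the first thing
# a raw packet reader checks; an ASCII-armored file starts with '-' (0x2d),
# so it fails here instead of deep inside the plugin.
is_binary_keyring() {
  first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
  [ -n "$first" ] && [ "$first" -ge 128 ]
}

# Pipeline-style step: decode the secret ($1) into $2, then refuse to continue
# unless the result is a binary keyring. Prints a diagnosis, not an opaque error.
prepare_keyring() {
  decode_keyring "$1" "$2" || { echo "keyring: base64 decode failed" >&2; return 1; }
  if ! is_binary_keyring "$2"; then
    echo "keyring: $2 is not a binary OpenPGP packet stream (ASCII armor?);" \
         "export it with 'gpg --export <keyid>' and base64-encode that" >&2
    return 1
  fi
  echo "keyring: $2 looks like a binary OpenPGP keyring"
}

# Self-check on constructed inputs (not real keys): a three-byte stand-in for a
# binary public-key packet header (0x99 0x01 0x0d), and the first line of an
# armored block. Returns 0 when the binary input round-trips and the armored
# input is rejected.
self_check() {
  dir=$(mktemp -d) || return 1
  printf '\231\001\015' > "$dir/binary.gpg"
  printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n' > "$dir/armored.asc"

  prepare_keyring "$(base64 < "$dir/binary.gpg")" "$dir/from_secret.gpg" || return 1
  cmp -s "$dir/binary.gpg" "$dir/from_secret.gpg" || return 1
  if prepare_keyring "$(base64 < "$dir/armored.asc")" "$dir/armored_out.gpg" 2>/dev/null; then
    return 1   # the armored input must be rejected
  fi
  rm -rf "$dir"
}

self_check && echo "self-check passed"
```

In a workflow the call would be `prepare_keyring "$SIGSTORE_KEYRING_B64" keyring.gpg` (assumed secret name) before the plugin runs; the base64 layer only exists because the secret store cannot hold raw bytes, and `gpg --export` without `--armor` produces the binary form the reader expects.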
Helm chart: All
Helm chart version: All
Actual behavior (issue description)
Sigstore Helm plugin fails in our release pipeline.
See: https://github.com/contane/charts/actions/runs/9927531924/job/27422602723
Expected behavior
Sigstore should upload our public keyring to Rekor.
Steps to reproduce
Run a release pipeline.
Custom configuration: No response
Additional information
There is an issue in the Helm repository (helm/helm#2843). However, the provided solution only outputs the key in binary. I don't think that's a proper solution.