Open oliverbaehler opened 2 years ago
Yes, this is a welcome feature to be added that simply has not gotten priority until now. What should be done as an initial step is that we also download the provenance file while getting the packaged chart, and use this if, e.g., a secret is defined with the key ring in it.
One thing we need to keep in mind is that if this requires changes to the object API, we should take note that Helm is slowly starting to make OCI packages available, and this may have an impact on how we name things to make them generic for both "keyring files" and, e.g., cosign.
Cosign based signature verification would be interesting for me. Something similar to https://github.com/sigstore/policy-controller just for Helm charts.
cosign support for helm charts is already implemented. See https://fluxcd.io/flux/cheatsheets/oci-artifacts/#verify-helm-charts
We would be interested in verifying the signature on a helm chart with a given key ring, so we can verify that only trusted charts will be installed on our cluster (the Helm client does it like that: https://helm.sh/docs/helm/helm_verify/). Do you think that feature would make sense?
I guess implementation-wise it would look similar to the git signature verification (reference a configmap with gpg keys and enable verify).
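For reference, the two checks a keyring-based verifier has to perform are the ones `helm verify` performs: validate the clearsigned `.prov` file against a trusted keyring, and then confirm that the sha256 digest recorded in the `.prov` `files:` block matches the tarball that was actually downloaded. The sketch below is an added example written for this thread, not code from Flux or Helm. The sample chart bytes and `.prov` text are constructed; the PGP signature block in the sample is a placeholder (so the signature check correctly reports failure for it), and the signature step assumes a `gpg` binary on PATH.

```python
"""Two checks a keyring-based chart verifier must perform, in the order
`helm verify` performs them:

  1. the provenance (.prov) file is a clearsigned PGP message whose
     signature validates against a key in the trusted keyring;
  2. the sha256 digest recorded in the .prov `files:` block matches the
     chart tarball that was actually downloaded.

Check 2 is what binds the signature to the bytes being installed: a valid
signature on a .prov that vouches for a different tarball must still fail.
The sample chart and .prov below are constructed for this example; the PGP
signature block is a placeholder, so `signature_is_valid` reports False for
it (the correct outcome), and the gpg CLI is assumed to be installed.
"""
import hashlib
import subprocess

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def clearsigned_body(prov_text: str) -> str:
    """Return the signed payload of a clearsigned message, with the armor
    headers (e.g. `Hash: SHA512`) and the signature block stripped."""
    start = prov_text.find(BEGIN_SIGNED)
    end = prov_text.find(BEGIN_SIG)
    if start < 0 or end < 0 or end < start:
        raise ValueError("not a clearsigned PGP message")
    armored = prov_text[start + len(BEGIN_SIGNED):end]
    # armor headers are terminated by the first blank line
    _, _, body = armored.partition("\n\n")
    # undo RFC 4880 dash-escaping of payload lines that begin with '-'
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body.split("\n"))


def provenance_digests(prov_text: str) -> dict:
    """Parse the `files:` block of a Helm .prov payload into {filename: digest}."""
    digests = {}
    in_files = False
    for line in clearsigned_body(prov_text).splitlines():
        if line.strip() == "files:":
            in_files = True
            continue
        if in_files:
            if not line.startswith(" "):
                break  # end of the indented files map
            name, _, digest = line.strip().partition(":")
            digests[name.strip()] = digest.strip()
    if not digests:
        raise ValueError("provenance file has no files: block")
    return digests


def digest_matches(chart_bytes: bytes, chart_name: str, digests: dict) -> bool:
    """Check 2: the downloaded tarball hashes to the digest the .prov records
    for that filename. A .prov that does not name the tarball fails too."""
    expected = digests.get(chart_name)
    if expected is None:
        return False
    return expected == "sha256:" + hashlib.sha256(chart_bytes).hexdigest()


def signature_is_valid(prov_path: str, keyring_path: str) -> bool:
    """Check 1: verify the clearsigned .prov against a dedicated keyring.
    Uses the gpg CLI (assumed installed); --no-default-keyring ensures only
    keys the operator placed in `keyring_path` are trusted."""
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", prov_path],
        capture_output=True,
    )
    return result.returncode == 0


def verify_chart(chart_bytes, chart_name, prov_text, prov_path, keyring_path) -> bool:
    """Both checks must pass; the signature is checked first so an untrusted
    .prov is never parsed for digests."""
    if not signature_is_valid(prov_path, keyring_path):
        return False
    return digest_matches(chart_bytes, chart_name, provenance_digests(prov_text))


# Constructed sample: stand-in bytes for mychart-0.1.0.tgz and a .prov with the
# layout `helm package --sign` emits (chart metadata, '...' separator, files map).
SAMPLE_CHART = b"constructed stand-in for mychart-0.1.0.tgz\n"
SAMPLE_PROV = f"""{BEGIN_SIGNED}
Hash: SHA512

apiVersion: v2
name: mychart
version: 0.1.0

...
files:
  mychart-0.1.0.tgz: sha256:{hashlib.sha256(SAMPLE_CHART).hexdigest()}
{BEGIN_SIG}

placeholderSignatureNotVerifiable=
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    digests = provenance_digests(SAMPLE_PROV)
    print("digest ok:", digest_matches(SAMPLE_CHART, "mychart-0.1.0.tgz", digests))
    print("tampered :", digest_matches(SAMPLE_CHART + b"x", "mychart-0.1.0.tgz", digests))
```

The digest step is the part that is easy to forget when only the signature is wired up: the signature covers the `.prov` text, not the tarball, so the `files:` entry is the only thing that ties the trusted signer to the bytes the controller is about to install.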