Open bukasaaime opened 2 years ago
Update
We have done a proposal to have Mojaloop helm release code signed using
We are seeking approval from the DA.
Keybase.io is an elegant solution for hosting GPG keys for establishing Provenance and managing developers chain of trust. It is recommended by the Helm documentation https://helm.sh/docs/topics/provenance/ and is optional. It is open source, very secure and used by many developers around the world.
@MichaelJBRichards This is now approved by the DA for testing and implementation on the condition that appropriate documentation explaining this is included in the standard section of the community guides. The helm release note will reference this only on the first release and thereafter removed.
Implementation Plan:
Request Summary:
Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, Keybase.io and well-respected package managers, Helm can generate and verify signature files.
Implementing Helm Provenance and Integrity for Mojaloop installation packaged chart, will constitute Mojaloop cryptographic Code Signing.
Request Details:
Artifacts:
https://helm.sh/docs/topics/provenance/
Dependencies:
Accountability:
Decision(s):