Code Distribution Integrity Assurance using Helm Provenance and Integrity

mojaloop / design-authority-project

This is the Issue and Decision Log for tracking mojaloop and related Designs

1 stars 2 forks source link

Code Distribution Integrity Assurance using Helm Provenance and Integrity #89

Open bukasaaime opened 2 years ago

bukasaaime commented 2 years ago

Request Summary:

Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, Keybase.io and well-respected package managers, Helm can generate and verify signature files.

Implementing Helm Provenance and Integrity for Mojaloop installation packaged chart, will constitute Mojaloop cryptographic Code Signing.

Request Details:

Deadline: Soon after DA meeting / discussions.
Impact (Teams): Code Quality Security, DevSecOps and DevOps
Impact (Components): Mojaloop codebase and documentation

Artifacts:

[ ] Artifact to consider @bukasaaime , @mdebarros

https://helm.sh/docs/topics/provenance/

Dependencies:

[ ] If Applicable

Accountability:

Owner: @godfreykutumela
Raised By: @bukasaaime

Decision(s):

- **Approved By:** ### Details - [ ] Actual decision made as a result of discussion ## **Follow-up**: - [ ] Actions to implement the decisions

bukasaaime commented 2 years ago

Update

We have done a proposal to have Mojaloop helm release code signed using

Keybase.io GPG keys,
Kubernetes commands
Helm package manager,
Helm chart(s),
Github,
Circle CI,
npm packages
Docker images, flags and hash values.
The Mojaloop customization trough external configs (including the default config),
mojaloop.io site for publication of Mojaloop helm release versions and hash values.
signature verification by a Mojaloop user
installation by Mojaloop user.

We are seeking approval from the DA.

code-signing-tree (7)

bukasaaime commented 2 years ago

Keybase.io is an elegant solution for hosting GPG keys for establishing Provenance and managing developers chain of trust. It is recommended by the Helm documentation https://helm.sh/docs/topics/provenance/ and is optional. It is open source, very secure and used by many developers around the world.

godfreykutumela commented 1 year ago

@MichaelJBRichards This is now approved by the DA for testing and implementation on the condition that appropriate documentation explaining this is included in the standard section of the community guides. The helm release note will reference this only on the first release and thereafter removed.

Implementation Plan:

Release initial documentation by 30 August 2022
Start testing the solution from 29 August 2022 - @bukasaaime will be the lead for the security team and I guess @mdebarros for the DevOps team
Once testing is completed, then we can aim to implement this with the next helm release - @mdebarros and @elnyry-sam-k to advise on the helm release schedule