vmware-tanzu / helm-charts

Contains Helm charts for Kubernetes related open source tools
https://vmware-tanzu.github.io/helm-charts/
Apache License 2.0
248 stars, 360 forks

[Security] Sign Helm Charts and provide provenance #517

Open PrivatePuffin opened 11 months ago

PrivatePuffin commented 11 months ago

Describe the problem/challenge you have

With supply-chain attacks on the rise, it's imperative that everyone starts correctly signing their artifacts. Sadly enough, vmware-tanzu is still not signing their helm-charts, which is, quite frankly, not acceptable for professional use cases.

Describe the solution you'd like

All helm charts should be signed and provide provenance.

Anything else you would like to add:

For more info see: https://helm.sh/docs/topics/provenance/

Example CI: https://github.com/truecharts/helm-staging/blob/main/.github/workflows/release.yaml

Environment:

Irrelevant
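As an added example (not code from this issue, the truecharts workflow, or the vmware-tanzu repository): the consumer-side digest check that the Helm provenance model rests on, using a constructed `.prov` file in the clear-signed layout from the linked helm.sh provenance page and constructed archive bytes. The PGP signature itself is a placeholder here; verifying that signature against a trusted keyring is what `helm verify` or gpg adds on top of this check.

```python
import hashlib
import hmac
import re

# Constructed sample input: fake chart archive bytes and a provenance (.prov) file
# in the clear-signed layout documented at helm.sh/docs/topics/provenance.
# The PGP signature block is a placeholder; this example checks only the digest.
SAMPLE_TGZ = b"constructed-chart-archive-bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_TGZ).hexdigest()
SAMPLE_PROV = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: example-chart
version: 0.1.0

...
files:
  example-chart-0.1.0.tgz: sha256:{SAMPLE_DIGEST}
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-SIGNATURE
-----END PGP SIGNATURE-----
"""

def parse_provenance(prov_text: str) -> dict:
    """Return {archive filename: sha256 hex} from the 'files:' section of a .prov file."""
    if ("-----BEGIN PGP SIGNED MESSAGE-----" not in prov_text
            or "-----BEGIN PGP SIGNATURE-----" not in prov_text):
        raise ValueError("not a clear-signed provenance file")
    body = prov_text.split("-----BEGIN PGP SIGNATURE-----", 1)[0]  # signed message only
    parts = body.split("\nfiles:", 1)
    if len(parts) != 2:
        raise ValueError("provenance file has no 'files:' section")
    digests = {}
    for m in re.finditer(r"^\s+(\S+):\s*sha256:([0-9a-f]{64})\s*$", parts[1], re.M):
        digests[m.group(1)] = m.group(2)
    if not digests:
        raise ValueError("no sha256 entries found under 'files:'")
    return digests

def verify_chart_digest(prov_text: str, archive_name: str, archive_bytes: bytes) -> bool:
    """True if the archive's sha256 matches the digest recorded in the provenance file.
    This proves the .prov and .tgz belong together; only a PGP signature check
    (gpg, or 'helm verify' against a trusted keyring) proves who produced them."""
    expected = parse_provenance(prov_text).get(archive_name)
    if expected is None:
        return False
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(expected, actual)
```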

jenting commented 10 months ago

@Ornias1993 Good suggestion, would you mind filing a PR to address this issue? Appreciated.

PrivatePuffin commented 10 months ago

> @Ornias1993 Good suggestion, would you mind filing a PR to address this issue? Appreciated.

Even if I wanted to, I cannot, as I cannot make signing keys for you. But even so, I've enough work running TrueCharts at the moment to not have free time to fix other helm-chart repositories for other people.