A simple tool written in Golang to package and sign Helm charts without needing GPG installed.
This tool is intended to be installed as a Helm Plugin.
Head over to the Releases Page and download the the tar (.tar.gz
) file for the required environment from one of the available versions.
Unpack the tar archive.
Install the plugin
$ helm plugin install <unpacked-archive>
Installed plugin: gopg
For Example:
$ helm plugin install ~/Downloads/helm-gopg_0.3.0_darwin_amd64
Installed plugin: gopg
For macOS, allow permissions for this binary to run in Privacy and Security
.
Now you can access commands using helm gopg <command> <flags>
.
$ helm gopg version
helm-gopg
---------
Version: 0.2.0
Git Commit: bad69093617c84bc20840603ad8b831fbe310fd8
Build Date: 2023-01-20T11:48:52Z
Go version: go1.19.5
OS/Arch: darwin/amd64
To sign packages run the following
$ helm gopg sign --package <package> --signer.pgp.passphrase <passphrase> --signer.pgp.private-key <private-key>
helm-gopg is a tool written in Golang to sign Helm charts without needing to install GPG.
This tool uses the well-maintained https://github.com/ProtonMail/gopenpgp library for signing
Usage:
helm-gopg [flags]
helm-gopg [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
sign Sign a package
verify Verify the signature and checksum of a package
Flags:
-c, --config string config file (Default; config.yml in the current directory) (default "./config.yml")
-h, --help help for helm-gopg
--package string Location of the packaged Helm chart (.tgz)
--signer.pgp.passphrase string Passphrase for the private key.
--signer.pgp.private-key string Path to the private key file.
--signer.pgp.public-key string Path to the public key file.
--signer.type string The type of signer to use. Supported values are 'pgp'. Default is 'pgp'
--stdout Write the signed package only to stdout
Use "helm-gopg [command] --help" for more information about a command.
The following is the minimum set of options to run the signer.
$ helm-gopg sign --package <package> --signer.pgp.passphrase <passphrase> --signer.pgp.private-key <private-key>
The Helm package and the provenance file can be verified using
$ helm-gopg verify --package <package> --signer.pgp.public-key <public-key>
The contents of this repository is provided as-is under the terms of the Apache 2.0 License.