
helm-sigstore's Introduction


sigstore/sigstore contains common Sigstore code: that is, code shared by infrastructure (e.g., Fulcio and Rekor) and Go language clients (e.g., Cosign and Gitsign).

This library currently provides:

  • A signing interface (support for ecdsa, ed25519, rsa, DSSE (in-toto))
  • OpenID Connect Fulcio client code

The following KMS systems are available:

  • AWS Key Management Service
  • Azure Key Vault
  • HashiCorp Vault
  • Google Cloud Platform Key Management Service

For example code, look at the relevant test code for each main code file.

Fuzzing

The fuzzing tests are within https://github.com/sigstore/sigstore/tree/main/test/fuzz

Security

Should you discover any security issues, please refer to Sigstore's security process.

For container signing, you want Cosign.

helm-sigstore's People

Contributors

cpanato, dependabot[bot], developer-guy, gabibguti, garethahealy, haydentherapper, hectorj2f, joycebrum, lukehinds, sabre1041


helm-sigstore's Issues

Switch to hashedrekord Rekor type

Description

Context: I was investigating unused types in sigstore/rekor#2080, and helm had some usage but not a significant amount. One of the blockers to deprecating support would be to migrate over any Sigstore clients away from the deprecated kinds.

helm-sigstore uploads helm kinds here. Instead, we can switch to uploading hashedrekord kinds. It would be straightforward to do: instead of uploading the chart, you would upload a) a hash of the chart, b) the PGP signature, c) the PGP key. Verification would change from verifying the helm entry to verifying the hashedrekord entry.

There is a blocker on Rekor's side, as we only support public keys or certificates for hashedrekord records currently. It would be straightforward for us to add support, as we do in rekord already.

Support keyless signing

Description

As far as I can see there is currently no obvious way to use keyless signing, which is usually supported by cosign. Is it possible to add this feature?

Generate SLSA 3 Provenance

Description

Hi, I am Joyce, working on behalf of Google and the Open Source Security Foundation (OpenSSF) to help open source projects to improve their supply chain security.

I would like to offer help to configure helm-sigstore's builds to generate a SLSA Level 3 Provenance. The Supply chain Levels for Software Artifacts, or SLSA (salsa), aims to improve security in the build process; to do that it has defined 4 levels of build integrity.

I would suggest, since it seems you already use goreleaser to build and release on GitHub, to use the SLSA Go Builder, which does the same as goreleaser but also generates and signs the artifacts, besides being a Level 3 build process.

Are you open to a PR with these changes?

It could also contain changes on the README with:

  • A SLSA Level 3 badge
  • A brief paragraph so end users know how to verify the artifact integrity using the provenance.

Security Policy violation Branch Protection

This issue was automatically created by Allstar.

Security Policy Violation
Dismiss stale reviews not configured for branch main
Block force push not configured for branch main

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

add integration tests

Description

There are no tests currently. It would be good if there were some integration tests to make sure everything is OK and to demo the usage.

helm plugin install does not support apple M1 with a prebuild binary

Description

The helm plugin install does not support M1 Macs without installing via go/make.

helm plugin install https://github.com/sigstore/helm-sigstore
Installing helm sigstore plugin
No prebuild binary for darwin-arm64.
Failed to install helm-sigstore
        For support, go to https://github.com/sigstore/helm-sigstore.
Error: plugin install hook for "sigstore" exited with error
Jamess-MBP-2:tekton-helm-chart strongjz$ 

Go/Make install works fine

make
CGO_ENABLED=0 go build -trimpath -ldflags "-X github.com/sigstore/helm-sigstore/cmd.gitVersion=v0.1.3-3-gb2f9d36 -X github.com/sigstore/helm-sigstore/cmd.gitCommit=b2f9d365930e48f7e241fada51c3e703e4e81257 -X github.com/sigstore/helm-sigstore/cmd.gitTreeState="clean" -X github.com/sigstore/helm-sigstore/cmd.buildDate='2022-01-31T14:01:58Z'" -o '/Users/strongjz/Documents/code/go/src/github.com/sigstore/helm-sigstore/bin/helm-sigstore' .
go: downloading github.com/go-openapi/runtime v0.22.0
go: downloading github.com/go-openapi/swag v0.20.0
go: downloading github.com/sigstore/rekor v0.2.1-0.20210719011743-12077f5d7382
go: downloading golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
go: downloading github.com/sigstore/sigstore v0.0.0-20210713222344-1fee53516622
go: downloading golang.org/x/mod v0.5.0
go: downloading github.com/go-playground/universal-translator v0.17.0
go: downloading go.uber.org/atomic v1.8.0
go: downloading golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b
go: downloading github.com/go-playground/locales v0.13.0
go: downloading golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d
go: downloading github.com/theupdateframework/go-tuf v0.0.0-20210630170422-22a94818d17b
go: downloading github.com/google/go-containerregistry v0.5.1
Jamess-MBP-2:helm-sigstore strongjz$ helm plugin list
NAME            VERSION DESCRIPTION                                             
sigstore        0.1.3   This plugin integrates Helm into the Sigstore ecosystem.
