sigstore / helm-sigstore
Plugin for Helm to integrate the sigstore ecosystem
License: Apache License 2.0
This issue was automatically created by Allstar.
Security Policy Violation
Dismiss stale reviews not configured for branch main
Block force push not configured for branch main
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
Description
The helm plugin install does not support M1 Macs without installing via go/make.
helm plugin install https://github.com/sigstore/helm-sigstore
Installing helm sigstore plugin
No prebuild binary for darwin-arm64.
Failed to install helm-sigstore
For support, go to https://github.com/sigstore/helm-sigstore.
Error: plugin install hook for "sigstore" exited with error
Jamess-MBP-2:tekton-helm-chart strongjz$
Go/Make install works fine
make
CGO_ENABLED=0 go build -trimpath -ldflags "-X github.com/sigstore/helm-sigstore/cmd.gitVersion=v0.1.3-3-gb2f9d36 -X github.com/sigstore/helm-sigstore/cmd.gitCommit=b2f9d365930e48f7e241fada51c3e703e4e81257 -X github.com/sigstore/helm-sigstore/cmd.gitTreeState="clean" -X github.com/sigstore/helm-sigstore/cmd.buildDate='2022-01-31T14:01:58Z'" -o '/Users/strongjz/Documents/code/go/src/github.com/sigstore/helm-sigstore/bin/helm-sigstore' .
go: downloading github.com/go-openapi/runtime v0.22.0
go: downloading github.com/go-openapi/swag v0.20.0
go: downloading github.com/sigstore/rekor v0.2.1-0.20210719011743-12077f5d7382
go: downloading golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
go: downloading github.com/sigstore/sigstore v0.0.0-20210713222344-1fee53516622
go: downloading golang.org/x/mod v0.5.0
go: downloading github.com/go-playground/universal-translator v0.17.0
go: downloading go.uber.org/atomic v1.8.0
go: downloading golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b
go: downloading github.com/go-playground/locales v0.13.0
go: downloading golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d
go: downloading github.com/theupdateframework/go-tuf v0.0.0-20210630170422-22a94818d17b
go: downloading github.com/google/go-containerregistry v0.5.1
Jamess-MBP-2:helm-sigstore strongjz$ helm plugin list
NAME VERSION DESCRIPTION
sigstore 0.1.3 This plugin integrates Helm into the Sigstore ecosystem.
Description
There are no tests currently. It would be good to have some integration tests to make sure everything is OK and to demo the usage.
Description
Context: I was investigating unused types in sigstore/rekor#2080, and helm had some usage but not a significant amount. One of the blockers to deprecating support would be to migrate over any Sigstore clients away from the deprecated kinds.
helm-sigstore uploads helm kinds here. Instead, we can switch to uploading hashedrekord kinds. It would be straightforward to do: instead of uploading the chart, you would upload a) a hash of the chart, b) the pgp signature, c) the pgp key. Verification would change from verifying the helm entry to verifying the hashedrekord entry.
There is a blocker on Rekor's side, as we only support public keys or certificates for hashedrekord records currently. It would be straightforward for us to add support, as we do in rekord already.
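To make the proposed change concrete, the following is an added example (not helm-sigstore's or Rekor's own code) that assembles the body of a Rekor hashedrekord v0.0.1 entry from a chart archive, a detached signature and the signer's key, and shows the verifier-side check that a locally fetched chart still matches the digest recorded in the entry. The signature and key are treated as opaque blobs; as the issue notes, Rekor currently accepts only public keys or certificates in that field, so PGP material depends on the server-side support mentioned above.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// NewHashedRekordBody builds the JSON body of a Rekor hashedrekord v0.0.1
// entry. Only the SHA-256 digest of the chart is recorded; the archive itself
// stays with the client. Signature and key are embedded as opaque base64 blobs
// (hypothetical helper written for this example, not helm-sigstore's own).
func NewHashedRekordBody(chart, signature, publicKey []byte) map[string]any {
	sum := sha256.Sum256(chart)
	return map[string]any{
		"apiVersion": "0.0.1",
		"kind":       "hashedrekord",
		"spec": map[string]any{
			"data": map[string]any{"hash": map[string]any{
				"algorithm": "sha256", "value": hex.EncodeToString(sum[:]),
			}},
			"signature": map[string]any{
				"content":   base64.StdEncoding.EncodeToString(signature),
				"publicKey": map[string]any{"content": base64.StdEncoding.EncodeToString(publicKey)},
			},
		},
	}
}

// ChartMatchesEntry is the verifier side: recompute the digest of a locally
// fetched chart and compare it with the digest recorded in the entry, so a
// chart altered after signing is rejected before any signature check runs.
func ChartMatchesEntry(entryJSON, chart []byte) (bool, error) {
	var body struct {
		Kind string `json:"kind"`
		Spec struct {
			Data struct {
				Hash struct{ Algorithm, Value string } `json:"hash"`
			} `json:"data"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(entryJSON, &body); err != nil {
		return false, err
	}
	if body.Kind != "hashedrekord" || body.Spec.Data.Hash.Algorithm != "sha256" {
		return false, fmt.Errorf("unexpected kind %q / algorithm %q", body.Kind, body.Spec.Data.Hash.Algorithm)
	}
	sum := sha256.Sum256(chart)
	return hex.EncodeToString(sum[:]) == body.Spec.Data.Hash.Value, nil
}
```

The signature itself would still have to be verified against the key material in spec.signature once the entry shape is accepted; this check only ties the entry to the chart bytes.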
Description
Per golang/go#44226, golang.org/x/crypto/openpgp is now frozen and deprecated. We should look to switch to a different implementation to ensure we stay up to date as best we can with this technology.
similar to sigstore/rekor#286
Description
Hi, I am Joyce, working on behalf of Google and the Open Source Security Foundation (OpenSSF) to help open source projects improve their supply chain security.
I would like to offer help to configure helm-sigstore's builds to generate a SLSA Level 3 Provenance. The Supply-chain Levels for Software Artifacts, or SLSA (salsa), aims to improve security in the build process; to do that it has defined 4 levels of build integrity.
I would suggest, since it seems you already use goreleaser to build and release on GitHub, using the SLSA Go Builder, which does the same as goreleaser but also generates and signs the artifacts, besides being a Level 3 build process.
Are you open to a PR with these changes?
It could also contain changes on the README with:
Update the build and release process to use goreleaser
Description
As far as I can see there is currently no obvious way to use keyless signing, which is usually supported by cosign. Is it possible to add this feature?