github.com/koderover/helm@v2.17.0+incompatible/pkg/provenance/doc.go

/*
Copyright The Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

/*Package provenance provides tools for establishing the authenticity of a chart.

In Helm, provenance is established via several factors. The primary factor is the
cryptographic signature of a chart. Chart authors may sign charts, which in turn
provide the necessary metadata to ensure the integrity of the chart file, the
Chart.yaml, and the referenced Docker images.

A provenance file is clear-signed. This provides cryptographic verification that
a particular block of information (Chart.yaml, archive file, images) has not
been tampered with or altered. To learn more, read the GnuPG documentation on
clear signatures:
https://www.gnupg.org/gph/en/manual/x135.html

The cryptography used by Helm should be compatible with OpenPGP. For example,
you should be able to verify a signature by importing the desired public key
and using `gpg --verify`, `keybase pgp verify`, or similar:

	$ gpg --verify some.sig
	gpg: Signature made Mon Jul 25 17:23:44 2016 MDT using RSA key ID 1FC18762
	gpg: Good signature from "Helm Testing (This key should only be used for testing. DO NOT TRUST.) <helm-testing@helm.sh>" [ultimate]
*/
package provenance // import "k8s.io/helm/pkg/provenance"
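As an added example that is not part of this file and not Helm's own code, the Go program below shows the two things a verifier has to handle once it holds a clear-signed provenance file: the RFC 4880 clearsign framing (the `Hash:` armor header, the dash-escaped signed body, the armored signature block) and the integrity check of the chart archive against the sha256 digest recorded in the signed body. Everything here is constructed: the type and function names (`ClearSigned`, `collect`, `ParseClearSigned`, `ParseFileDigests`, `VerifyArchiveDigest`, `sampleProvenance`), the archive name `demo-0.1.0.tgz`, the archive bytes and the placeholder signature. The layout of the signed body (Chart.yaml contents, a `...` document separator, then a `files:` map of archive name to `sha256:` digest) is an assumption modelled on the provenance format Helm's documentation describes, not something this file states. The OpenPGP signature over the body is deliberately not verified in this block, because that needs an OpenPGP library outside the Go standard library; the digest check only means anything after that signature has been verified against a trusted public key, for instance with `gpg --verify` as shown above.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ClearSigned holds the three parts of an RFC 4880 clear-signed message.
type ClearSigned struct {
	HashAlgo  string // value of the "Hash:" armor header, e.g. "SHA256"
	Body      string // signed text with dash-escaping undone
	Signature string // armored signature lines; not verified in this example
}

// collect returns lines[i:] up to the first line equal to stop and the index after it;
// a negative index (a missing earlier marker) is passed through unchanged.
func collect(lines []string, i int, stop string) ([]string, int) {
	for j := i; i >= 0 && j < len(lines); j++ {
		if lines[j] == stop {
			return lines[i:j], j + 1
		}
	}
	return nil, -1
}

// ParseClearSigned splits a clear-signed document into header, body and signature.
func ParseClearSigned(text string) (*ClearSigned, error) {
	lines := strings.Split(strings.ReplaceAll(text, "\r\n", "\n"), "\n")
	_, i := collect(lines, 0, "-----BEGIN PGP SIGNED MESSAGE-----")
	headers, i := collect(lines, i, "") // armor headers end at the first blank line
	body, i := collect(lines, i, "-----BEGIN PGP SIGNATURE-----")
	sig, i := collect(lines, i, "-----END PGP SIGNATURE-----")
	if i < 0 {
		return nil, errors.New("clear-signed framing incomplete")
	}
	cs := &ClearSigned{Signature: strings.Join(sig, "\n")}
	for _, h := range headers {
		if strings.HasPrefix(h, "Hash: ") {
			cs.HashAlgo = strings.TrimPrefix(h, "Hash: ")
		}
	}
	for k, l := range body { // undo dash-escaping: signed lines that began with "-" became "- ..."
		body[k] = strings.TrimPrefix(l, "- ")
	}
	cs.Body = strings.Join(body, "\n")
	return cs, nil
}

// ParseFileDigests reads the "files:" map of the signed body (assumed layout, see lead-in).
func ParseFileDigests(body string) (map[string]string, error) {
	const marker = "\nfiles:\n"
	idx := strings.Index(body, marker)
	if idx < 0 {
		return nil, errors.New("signed body has no files: map")
	}
	digests := map[string]string{}
	for _, line := range strings.Split(body[idx+len(marker):], "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		parts := strings.SplitN(strings.TrimSpace(line), ": sha256:", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("unsupported or malformed files entry %q", line)
		}
		hexSum := strings.ToLower(parts[1])
		if raw, err := hex.DecodeString(hexSum); err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("invalid sha256 digest for %q", parts[0])
		}
		digests[parts[0]] = hexSum
	}
	return digests, nil
}

// VerifyArchiveDigest checks archive bytes against the digest the signed body records for name.
func VerifyArchiveDigest(digests map[string]string, name string, archive []byte) error {
	want, ok := digests[name]
	if !ok {
		return fmt.Errorf("provenance lists no digest for %q", name)
	}
	sum := sha256.Sum256(archive)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("digest mismatch for %q: signed body says %s, archive is %s", name, want, got)
	}
	return nil
}

// sampleProvenance builds a constructed .prov text for the given archive bytes;
// the signature block is a placeholder, not a real OpenPGP signature.
func sampleProvenance(archive []byte) string {
	sum := sha256.Sum256(archive)
	return "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" +
		"apiVersion: v1\nname: demo\nversion: 0.1.0\nkeywords:\n" +
		"- - signing\n" + // clearsign dash-escapes the YAML list item "- signing"
		"...\nfiles:\n  demo-0.1.0.tgz: sha256:" + hex.EncodeToString(sum[:]) + "\n" +
		"-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER-NOT-A-REAL-SIGNATURE\n-----END PGP SIGNATURE-----\n"
}
```

The dash-escaping step matters in practice: Chart.yaml fields such as `keywords` are YAML lists whose items begin with `- `, so they appear as `- - item` inside the clear-signed body and must be unescaped before the body is parsed. The `Hash:` header names the digest the signer used for the signature over the body; the `sha256:` entries under `files:` are separate digests of the archive, and a verifier should fail closed on a missing entry, a malformed digest, or a mismatch, exactly as the functions above do.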