OpenShift GitOps / GITOPS-8098

Explore Helm signing practices and design Argo CD mechanism

    • Issue type: Spike
    • Resolution: Done
    • Priority: Normal
    • Component: ArgoCD
    • Sprint: GitOps Tangerine Sprint 26, GitOps Tangerine Sprint 27

      Consult existing practice to make sure Argo CD does a sane thing.

      Design the configuration and the implementation performing the verification.

      Explore (not a complete list):

      Quick Summary of Key Findings for Helm and OCI Source Integrity

      Helm Provenance

      • Helm charts use `.prov` files for signing (Chart.yaml + SHA256 checksum + PGP signature)
      • Uses PGP/GnuPG - can reuse existing GPG key management (same as Git)
      • Verification checks:
        1. the signature is valid
        2. the key can be trusted
        3. the checksum matches

      Repository Handling

      • Traditional repos: `.prov` file at `{chart-url}.prov` (HTTP GET)
      • OCI repos: `.prov` file stored as a separate layer in the OCI manifest
        • MediaType: `application/vnd.cncf.helm.chart.provenance.v1.prov`
        • Automatically uploaded during `helm push` if the `.prov` file exists
        • Should be automatically fetched during `helm pull`
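      As an added illustration (not code from the ticket or from Argo CD) of the `.prov` layout and of check 3 above: the helper below splits a clear-signed provenance file into its Chart.yaml part, its `files:` digest list and the armored signature, then compares the recorded SHA-256 with the digest of the chart archive actually fetched from `{chart-url}.prov`'s sibling. The sample `.prov` and chart bytes are constructed; checks 1 and 2 (signature validity and key trust) need a PGP implementation and are not covered here.

```python
import hashlib
import hmac
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def chart_digest(chart_bytes: bytes) -> str:
    """Hex SHA-256 of the chart archive, as recorded in a .prov file."""
    return hashlib.sha256(chart_bytes).hexdigest()


def parse_prov(prov_text: str) -> dict:
    """Split a clear-signed .prov into Chart.yaml text, the {archive: sha256} map
    and the armored signature. Helm joins Chart.yaml and the checksum list with
    a YAML document-end marker ("...") inside the signed message."""
    if BEGIN_MSG not in prov_text or BEGIN_SIG not in prov_text:
        raise ValueError("not a clear-signed provenance file")
    body, signature = prov_text.split(BEGIN_SIG, 1)
    body = body.split(BEGIN_MSG, 1)[1]
    body = body.split("\n\n", 1)[1]          # drop the "Hash: ..." armor header
    chart_yaml, _, sums = body.partition("\n...\n")
    files = dict(re.findall(r"^\s+(\S+):\s+sha256:([0-9a-f]{64})\s*$", sums, re.M))
    return {"chart_yaml": chart_yaml.strip(), "files": files,
            "signature": BEGIN_SIG + signature}


def verify_checksum(prov: dict, chart_filename: str, chart_bytes: bytes) -> bool:
    """Check 3: the digest signed in the .prov for this archive name must equal
    the digest of the bytes that were downloaded. A .prov that signs a different
    archive name is treated as a mismatch rather than ignored."""
    expected = prov["files"].get(chart_filename)
    if expected is None:
        return False
    return hmac.compare_digest(expected, chart_digest(chart_bytes))


# Constructed sample input: a stand-in for mychart-0.1.0.tgz and its .prov.
CHART_NAME = "mychart-0.1.0.tgz"
CHART_BYTES = b"constructed stand-in for the chart tarball bytes"
PROV = f"""{BEGIN_MSG}
Hash: SHA512

apiVersion: v2
name: mychart
version: 0.1.0

...
files:
  {CHART_NAME}: sha256:{chart_digest(CHART_BYTES)}
{BEGIN_SIG}
(armored signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
```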

      Key Challenge

      • Helm requires a uid substring (name/email) for the `--key` parameter, NOT a fingerprint
      • Argo CD stores keys by key ID (fingerprint)
      • Solution needed: map key ID → uid substring, or extract the uid from the keyring

      Integration

      • Verify in `util/helm/client.go:ExtractChart()` before extraction
      • Block sync if verification fails (same pattern as Git)

      OCI Cosign

      • OCI artifacts can be signed using cosign (sigstore)
      • Argo CD already uses cosign CLI for signing releases (keyless signing)
      • Signatures stored as separate OCI artifacts: `sha256-<digest>.sig`
      • Verification checks:
        1. Signature exists - signature artifact found in the registry
        2. Signature valid - cryptographic signature is valid (not corrupted)
        3. Key/certificate trusted - signature made by the configured public key or certificate identity
        4. Artifact integrity - signature matches the artifact digest (tampering detection)
        5. Transparency log (optional) - for keyless, verify the signature in Rekor

      Verification Methods

      • Public key: PEM-encoded public keys
      • Keyless: certificate identity + OIDC issuer (no keys needed)

      Key Management

      • New ConfigMap needed: `argocd-cosign-keys-cm` (different from GPG)
      • Cosign uses PEM-encoded keys (different format from GPG)
      • Cannot reuse GPG key management

      Integration

      • Verify in `util/oci/client.go` before using artifact
      • Need cosign Go library: `github.com/sigstore/cosign/v2`
      • Block sync if verification fails

      Design Decisions

      1. Helm: Reuse GPG key management (same as Git)
      2. OCI: New cosign key management needed (PEM keys)
      3. Policy Structure: Follow Git pattern (glob patterns, first match wins)
      4. Verification Modes:

        • Helm: `none` | `provenance`
        • OCI: `none` | `signature`

      People: Atif Ali (rh-ee-atali), Oliver Gondza (ogondza@redhat.com)