HELM-359

Support Chart Signature Verification

Support Chart Signature Verification on ODC backend

      Problem:

      There is no way today to verify the signature of a signed chart in ODC. Also, even if the chart is signed, there is no mechanism to manage the public key and the provenance file that correspond to the Helm chart package.

      Goal:

      Provide a way to distinguish between signed charts and unsigned charts.
      For signed charts, provide a way to point to a public key store and verify the signature.

      Why is it important?

      This will enable users to verify chart signatures before installing a chart, and will encourage chart builders to sign their charts to provide owner identity, non-repudiation and additional integrity checks.

      Use cases

      As an OpenShift user, I would like to be able to filter signed charts from unsigned charts in the console.
      As an OpenShift user, I would like to be able to verify the signatures of charts before I install them from the console.
      As a Red Hat partner, I would like to make sure my chart signature can be verified during certification.
      As a Red Hat partner, I would like to be able to provide my public key alongside my signed chart so that it can be verified when installed from the console.
      As a Red Hat associate, I would like my chart to be automatically signed during certification.

      Acceptance criteria

      1. ODC can verify the signatures of charts.
      2. ODC can distinguish between Helm charts that are signed and those that are not, and can filter based on that distinction.
      3. A new check is introduced in certification to verify signatures.
      4. A new feature is added to include the public key in the report.
      5. A new annotation is added to index.yaml for those charts that are signed.
      6. HelmChartRepository and ProjectHelmChartRepository are changed to include a list of GPG public keys: spec.properties.signatureConfig.gpgPublicKeys.
      7. If a chart cannot be verified because the public key is found neither in the repository config nor in the index.yaml annotations, allow the user to provide the public key for verification.
      8. Red Hat charts can be automatically signed by the certification flow.

      Dependencies (External/Internal)

      Chart verifier will need to be exposed as a library that can be used in ODC, with a specific profile defined just for ODC.

      Design Artifacts

      The ideal approach would be to reuse chart verifier for both the certification flow and the ODC Helm backend. It would also be ideal to start thinking about giving the oc helm plugin the same function set as ODC, making signature verification easier through our Helm backend.

      The main challenge for this feature is the management of the public key. With GPG there is no predetermined way to share public keys; it can be done in a variety of ways. To verify a signature, a keyring needs to be created on the fly. For charts published in our charts.openshift.io index.yaml file, we could add a new annotation for the public key location, pointing either to a publicly available HTTP server or to our release artifacts for the chart if the public key is provided in the certification PR. This only covers our OpenShift Helm chart repository. For other repositories added to the cluster, we can add a new property to our CRDs, i.e. spec.properties.signatureConfig.gpgPublicKeys, where the developer or admin creating the repository can provide a list of GPG public keys from which a keyring is built when verifying the signature.

      The code logic should take both sources of public keys into account when building the keyring: the index.yaml annotations and the lists of keys in the HelmChartRepository and ProjectHelmChartRepository resources. Other repositories may want to copy our approach of annotating index.yaml items as done for Helm chart certification.
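      The keyring assembly described above, as an added Go example that is not code from ODC or chart-verifier. It assumes both sources hand over ASCII-armored public keys, deduplicates identical exports by content, and feeds itself a constructed (not real) key packet so it runs without gpg:

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// dearmor returns the binary packets inside an ASCII-armored OpenPGP public key block.
func dearmor(armored string) ([]byte, error) {
	start := strings.Index(armored, "-----BEGIN PGP PUBLIC KEY BLOCK-----")
	end := strings.Index(armored, "-----END PGP PUBLIC KEY BLOCK-----")
	if start < 0 || end < start {
		return nil, fmt.Errorf("no PGP public key block found")
	}
	var b64 strings.Builder // armor header lines contain ':' and the CRC24 line starts with '='; skip both
	for _, line := range strings.Split(armored[start:end], "\n")[1:] {
		if line = strings.TrimSpace(line); line != "" && !strings.Contains(line, ":") && line[0] != '=' {
			b64.WriteString(line)
		}
	}
	return base64.StdEncoding.DecodeString(b64.String())
}

// BuildKeyring assembles on the fly the binary keyring helm's provenance check reads
// (concatenated public-key packets) from both sources the design names: the chart's index.yaml
// annotation and the repository CR's spec.properties.signatureConfig.gpgPublicKeys list.
// Identical exports present in both are written once; an undecodable key fails the whole build.
func BuildKeyring(indexKeys, repoKeys []string) ([]byte, error) {
	var keyring []byte
	seen := map[[32]byte]bool{}
	for _, armored := range append(append([]string{}, indexKeys...), repoKeys...) {
		if pkt, err := dearmor(armored); err != nil {
			return nil, err
		} else if id := sha256.Sum256(pkt); !seen[id] {
			seen[id] = true
			keyring = append(keyring, pkt...)
		}
	}
	return keyring, nil
}

// SampleKey armors a minimal, syntactically valid v4 RSA public-key packet (constructed test data, not a real key).
func SampleKey(seed byte) string {
	body := []byte{4, 0, 0, 0, seed, 1, 0, 9, 1, seed, 0, 2, 3} // v4, creation time, RSA, MPI n (9 bits), MPI e (2 bits)
	pkt := append([]byte{0x99, 0, byte(len(body))}, body...)  // old-format header: tag 6, two-byte length
	return "-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n" + base64.StdEncoding.EncodeToString(pkt) + "\n-----END PGP PUBLIC KEY BLOCK-----\n"
}
```

      The resulting bytes are what a helm keyring file contains, so they can be written to a temporary file and passed to the verifier; a key that appears in both the annotation and the CR list is written once.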

            dperaza@redhat.com David Peraza