HELM-410

Implement Helm Signature verification in chart verifier


    • Type: Story
    • Resolution: Done
    • Project: Helm
    • Sprint: AppSvc Sprint 225, AppSvc Sprint 226

      Owner: Architect:

      David Peraza

      Story (Required)

      As a chart verifier user, I would like to see a signature verification check when my chart is signed, so that I can have more confidence in the chart's integrity.

      Background (Required)

      The Helm documentation explains the workflows for chart signing and verification. If a chart is signed today, we ignore the signature and do not verify it. A new check will be added to all profiles, optional for now. The new check will determine whether a chart is signed. If it is not signed, the check will pass with the message: signature verification not required. However, if the chart is signed, the check should verify the signature, and the result will determine the pass or fail state. If the chart is signed but no public key is provided, signature verification will fail with the error: chart is signed but public key not provided.
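      The decision logic above, modelled as a POSIX shell function on top of the real `helm verify --keyring` command. This is an added example, not chart-verifier's own code; the chart path, keyring path, the assumption that the provenance file sits next to the archive as `<chart>.tgz.prov`, and the exact message strings are assumptions.

```shell
#!/bin/sh
# Added example (not chart-verifier code): the signature check described in
# the story, implemented over the real `helm verify --keyring` command.
# Assumed inputs: path to a packaged chart (.tgz) and an optional keyring path.

# Prints the check message and returns 0 (pass) or 1 (fail).
signature_check() {
  chart="$1"      # path to the chart archive (.tgz)
  keyring="$2"    # path to a public keyring; may be empty
  prov="${chart}.prov"   # assumed location of the provenance file

  # Not signed: no provenance file next to the archive, nothing to verify.
  if [ ! -f "$prov" ]; then
    echo "signature verification not required"
    return 0
  fi

  # Signed, but the caller supplied no usable public key: fail as specified.
  if [ -z "$keyring" ] || [ ! -f "$keyring" ]; then
    echo "chart is signed but public key not provided"
    return 1
  fi

  # Signed and a key is available: helm checks the archive hash recorded in
  # the .prov file and the signature over it against the keyring.
  if helm verify --keyring "$keyring" "$chart" >/dev/null 2>&1; then
    echo "signature verified"
    return 0
  fi
  echo "signature verification failed"
  return 1
}
```

      Tampering with either the archive or the `.prov` file makes `helm verify` return non-zero, which is the demo failure case the story asks for.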

      Glossary

      NA

      Out of scope

      Integrating with the certification flow or ODC. This means we will need to create a new profile version, so that when we update the chart verifier version we don't necessarily bring in that check.

      In Scope

      NA

      Approach(Required)

      Follow the approach described in the Epic, using the signing principles described here: https://helm.sh/docs/topics/provenance/

      Demo requirements(Required)

      A great demo will show that a signed chart passes the check, and that if I make changes to the chart or to the signature file, the signature verification check fails.

      Dependencies

      NA

      Edge Case

      NA

      Acceptance Criteria

      Can verify the signature when the chart is signed and a public key is provided
      Check will fail with the right message if no public key is provided
      Check will fail with the right message if the chart is not signed (optional)
      There are new test cases covering all the cases for signature verification
      Documentation: Yes (needs-docs|upstream-docs)

      Upstream: The new check needs to be documented like we do for the other checks. Also, the interface is updated with a new option to pass in the public key.

      Downstream: Not required

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated


            mmulholl Martin Mulholland
            dperaza@redhat.com David Peraza