Verify legacy Helm charts

All legacy Helm charts are packaged and signed with a key pair. During the signing process, a provenance record is created and stored alongside each packaged Helm chart. Before you install or update a Helm chart in your environment, you can use the public signature key and provenance record to verify the integrity and origin of a Helm chart.

You can verify legacy Helm charts at version 2.3.1 or later.

Before you begin

Install GNU Privacy Guard (GPG) to read the signature key and perform the validation and verification of your Helm chart. For example in macOS, you can run brew gpg to install the tool.

Verify legacy Helm charts

  1. Add and update the Helm repository for the gloo-mesh-enterprise Helm chart.

    helm repo add gloo-mesh-enterprise https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-enterprise
    helm repo update 
    
  2. Add and update the Helm repository for the gloo-mesh-crds Helm chart.

    helm repo add gloo-mesh-crds https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-crds
    helm repo update 
    
  3. Add and update the Helm repository for the gloo-mesh-agent Helm chart.

    helm repo add gloo-mesh-agent https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-agent
    helm repo update 
    
  4. Download the Helm charts to your local machine.

    helm pull gloo-mesh-enterprise/gloo-mesh-enterprise --version 2.3.4 --prov
    helm pull gloo-mesh-crds/gloo-mesh-crds --version 2.3.4 --prov 
    helm pull gloo-mesh-agent/gloo-mesh-agent --version 2.3.4 --prov
    
  5. Get the public signature key that you use to verify the Helm chart.

    curl -0L https://storage.googleapis.com/gloo-mesh-enterprise/signing.pub.asc > signing.pub.asc
    
  6. Import the signature into gpg.

    gpg --import signing.pub.asc
    
  7. Convert the key into a format that Helm supports.

    gpg --export > ~/.gnupg/pubring.gpg
    
  8. Verify the Helm chart signature. If the verification fails, the Helm chart that you downloaded might be tampered. Remove and re-add your Helm repositories, and pull the latest Helm chart versions. Then, validate the signature again.

    helm verify gloo-mesh-enterprise-2.3.4.tgz
    helm verify gloo-mesh-crds-2.3.4.tgz
    helm verify gloo-mesh-agent-2.3.4.tgz
    

    Example output a successfully verified Helm chart:

    Signed by: Solo.io (https://solo.io) <info@solo.io>
    Using Key With Fingerprint: A0D4624748D567B679A9C25B5C83FFE0F63A2128
    Chart Hash Verified: sha256:1dd71b8688f2d52386ca5b3582b94c3195e67a1f30f83dbd15cd652cff4e1fe8
    

    Example output if verification for a Helm chart fails:

    Error: openpgp: invalid signature: ECDSA verification failure