Verify Helm charts
All Gloo Platform Helm charts are packaged and signed with a key pair. During the signing process, a provenance record is created and stored alongside each packaged Helm chart. Before you install or update a Helm chart in your environment, you can use the public signature key and provenance record to verify the integrity and origin of a Helm chart.
You can verify Gloo Platform Helm charts at version 2.3.1 or later.
Before you begin
Install GNU Privacy Guard (GPG) to read the signature key and to validate and verify your Helm chart. For example, on macOS you can run brew install gpg to install the tool.
Verify Gloo Platform Helm charts
Add and update the Helm repository for Gloo Platform.
helm repo add gloo-platform https://storage.googleapis.com/gloo-platform/helm-charts
helm repo update
Download the Helm charts to your local machine.
helm pull gloo-platform/gloo-platform --version 2.3.4 --prov
helm pull gloo-platform/gloo-platform-crds --version 2.3.4 --prov
Get the public signature key that you use to verify the Helm chart.
curl -0L https://storage.googleapis.com/gloo-platform/helm-charts/signing.pub.asc > signing.pub.asc
Import the signature into gpg.
gpg --import signing.pub.asc
Convert the key into a format that Helm supports.
gpg --export > ~/.gnupg/pubring.gpg
Verify the Helm chart signature. If the verification fails, the Helm chart that you downloaded might have been tampered with. Remove and re-add your Helm repositories, and pull the latest Helm chart versions. Then, validate the signature again.
helm verify gloo-platform-2.3.4.tgz
helm verify gloo-platform-crds-2.3.4.tgz
Example output for a successfully verified Helm chart:
Signed by: Solo.io (https://solo.io) <firstname.lastname@example.org>
Using Key With Fingerprint: A0D4624748D567B679A9C25B5C83FFE0F63A2128
Chart Hash Verified: sha256:1dd71b8688f2d52386ca5b3582b94c3195e67a1f30f83dbd15cd652cff4e1fe8
Example output if verification for a Helm chart fails:
Error: openpgp: invalid signature: ECDSA verification failure
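The steps above confirm that the provenance file was signed by some key in your keyring, but the public key was fetched over the same channel as the chart. As an added example (not part of the Gloo Platform docs), this script wraps helm verify and additionally pins the key fingerprint shown in the example output, so a substituted key is rejected even when the signature itself checks out. It assumes helm and gpg are installed and the .prov file sits next to the chart archive.

```shell
#!/bin/sh
# Added example, not from the Gloo Platform docs: wrap `helm verify` and also
# pin the signing key fingerprint, so a wrong key in the keyring is rejected
# even when the signature itself checks out. Assumes helm and gpg are
# installed and the .prov file sits next to the chart archive.

# Fingerprint from the example output on this page; replace it if Solo.io
# publishes a different signing key.
EXPECTED_FPR="A0D4624748D567B679A9C25B5C83FFE0F63A2128"

# Constructed sample, copied from the page's example of a successful verify.
SAMPLE_OUTPUT='Signed by: Solo.io (https://solo.io) <firstname.lastname@example.org>
Using Key With Fingerprint: A0D4624748D567B679A9C25B5C83FFE0F63A2128
Chart Hash Verified: sha256:1dd71b8688f2d52386ca5b3582b94c3195e67a1f30f83dbd15cd652cff4e1fe8'

# check_fingerprint OUTPUT EXPECTED
# Returns 0 only if OUTPUT carries a "Using Key With Fingerprint:" line whose
# value equals EXPECTED (case-insensitive); 1 if the line is absent or differs.
check_fingerprint() {
  _want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  _got=$(printf '%s\n' "$1" \
    | sed -n 's/^Using Key With Fingerprint:[[:space:]]*//p' \
    | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
  [ -n "$_got" ] && [ "$_got" = "$_want" ]
}

# verify_chart CHART_TGZ [KEYRING]
# Runs helm verify against KEYRING (default: the pubring.gpg written above),
# then pins the fingerprint. Returns non-zero on either failure.
verify_chart() {
  _chart="$1"
  _keyring="${2:-$HOME/.gnupg/pubring.gpg}"
  if ! _out=$(helm verify --keyring "$_keyring" "$_chart" 2>&1); then
    printf 'signature check failed for %s:\n%s\n' "$_chart" "$_out" >&2
    return 1
  fi
  if ! check_fingerprint "$_out" "$EXPECTED_FPR"; then
    printf 'unexpected signing key for %s:\n%s\n' "$_chart" "$_out" >&2
    return 1
  fi
  printf 'verified %s, signed by %s\n' "$_chart" "$EXPECTED_FPR"
}

# Self-check on the sample output. Real use: verify_chart gloo-platform-2.3.4.tgz
if check_fingerprint "$SAMPLE_OUTPUT" "$EXPECTED_FPR"; then
  echo "self-check ok"
fi
```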