
Helm Charts: Sign and Verify using gnupg

GnuPG lets you encrypt and sign your data and communications, and it features a versatile key management system as well as access modules for all kinds of public key directories.

GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications.

  • GnuPG
  • Generating Private/Public Keys with gpg
  • Sign the Helm Package
  • Export public key
  • Verify Helm Package using Public Key

Install gnupg

Install gnupg on Linux (Ubuntu/Debian)

```bash
# Install gnupg on Ubuntu/Debian
sudo apt-get update
sudo apt-get install -y gnupg
# Verify the version
gpg --version
```

Install gnupg on macOS

```bash
# Install gnupg on macOS
brew install gnupg
# Verify the version
gpg --version
```

Install gnupg on Windows

```bash
# Install gnupg on Windows
choco install gnupg
# Verify the version
gpg --version
```

Generate Private/Public Key Pairs with gpg

```bash
# Generate a private/public key pair with gpg (interactive prompts are shown with ->)
gpg --full-generate-key
-> Please select what kind of key you want: select 1, (1) RSA and RSA
-> What keysize do you want? (3072)
-> Please specify how long the key should be valid.
-> Key is valid for? (0)          # 0 = key does not expire
-> Is this correct? (y/N)
-> Real name: helmsigndemo
-> Email address: naresh@gmail.com
-> Comment: Keys used to sign Helm Charts
-> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
-> Passphrase: today@1234

# List keys
gpg --list-keys

# Export the secret key in the old keyring format
gpg --export-secret-keys > ~/.gnupg/demo-privatekey.gpg
Passphrase: today@1234
```

Note:
  1. To sign charts, Helm currently prefers the older keyring format.
  2. Convert the new secret keyring format to the old format and store it in a file (the Helm documentation calls this file secring.gpg; here it is demo-privatekey.gpg).

```bash
# Verify that the file was created
ls ~/.gnupg/demo-privatekey.gpg

# Copy the private key to a charts directory
mkdir -p "$HOME/charts/private-key" "$HOME/charts/public-key"
cd "$HOME/charts"
cp ~/.gnupg/demo-privatekey.gpg "$HOME/charts/private-key/"

# Add a sample Helm chart to the charts directory
helm repo add lerndevops https://lerndevops.github.io/helm-charts/
helm search repo lerndevops
helm pull lerndevops/sampleapp --version 0.2 --untar

# Alternative: export the private key straight into private-key/ with a single command
# (instead of exporting into ~/.gnupg and copying the file over)
cd "$HOME/charts"
gpg --export-secret-keys > private-key/demo-privatekey.gpg
```

Sign the Helm Chart

```bash
# Change directory
cd $HOME/charts

# Sign and package the Helm chart
helm package --sign --key 'helmsigndemo' --keyring private-key/demo-privatekey.gpg sampleapp/
Passphrase: today@1234

# Verify that the provenance file was created
ls -lrta $HOME/charts
```

  1. We should find the file "sampleapp-0.2.tgz.prov", ending with ".prov", next to the packaged chart.

Export Public Key

  • The integrity of the chart is verified using the public key.
  • In a real-world scenario these public keys are published on keyservers (keyserver.ubuntu.com, keyserver.openpgp.com).
  • Consumers download the public key from there to verify the integrity of the chart.

```bash
# Change directory
cd $HOME/charts

# Export the public key
gpg --export 'helmsigndemo' > public-key/demo-publickey.gpg

# Verify that the file was created
ls public-key/demo-publickey.gpg
```

Verify Helm Package using Public Key

```bash
# Change directory
cd $HOME/charts

# Helm verify
helm verify --keyring public-key/demo-publickey.gpg sampleapp-0.2.tgz
```

Sample output:

```text
Signed by: helmsigndemo (Keys used to sign Helm Charts) <naresh@gmail.com>
Using Key With Fingerprint: 6D60338C4C1DD80344F054579EBAD7E4471C77B1
Chart Hash Verified: sha256:7ec1e342fe69af153213751aac6172f2f9b5ec78666fc4eb7ef0248fdb6cc47b
```
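`helm verify` performs two checks behind the output above: the sha256 digest recorded in the `.prov` file must match the `.tgz` on disk, and the `.prov` signature must come from a key in the given keyring. The script below is an added example, not part of this repository; it reproduces both checks as separate functions so a failure can be attributed to the hash or to the signature, and it pins gpg to the exported public keyring only. The `.prov` layout in the comment follows Helm's provenance format; the file paths are the ones used above.

```bash
#!/usr/bin/env bash
# Added example (not the repository's own script): cross-check a Helm .prov
# file against its chart archive. A .prov is a clear-signed PGP message that
# embeds Chart.yaml plus a "files:" block recording the archive digest, e.g.
#   files:
#     sampleapp-0.2.tgz: sha256:7ec1e342fe69...   (digest from the output above)
# helm verify checks that digest and the PGP signature; here the two checks are
# separate functions so a failure can be attributed to one or the other.
set -eu

# Print the sha256 hex digest recorded for the .tgz in the .prov file.
prov_digest() {
  sed -n 's/^[[:space:]]*[^:]*\.tgz:[[:space:]]*sha256:\([0-9a-f]\{64\}\).*/\1/p' "$1" | head -n 1
}

# Print the actual sha256 of the archive (GNU coreutils or BSD/macOS tooling).
archive_digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Succeed only when the digest in the .prov matches the archive on disk.
hash_matches() {
  chart="$1"; prov="$2"
  expected=$(prov_digest "$prov")
  [ -n "$expected" ] || { echo "no sha256 entry found in $prov" >&2; return 2; }
  actual=$(archive_digest "$chart")
  [ "$expected" = "$actual" ]
}

# Check the .prov signature against ONLY the given public keyring, so a key that
# happens to sit in ~/.gnupg cannot make an unknown signer look trusted.
signature_ok() {
  gpg --batch --no-default-keyring --keyring "$2" --verify "$1" >/dev/null 2>&1
}

# Usage: ./verify_prov.sh sampleapp-0.2.tgz sampleapp-0.2.tgz.prov public-key/demo-publickey.gpg
if [ "$#" -eq 3 ]; then
  hash_matches "$1" "$2" && echo "Chart hash verified" || { echo "HASH MISMATCH: $1 vs $2"; exit 1; }
  signature_ok "$2" "$3" && echo "Signature verified with $3" || { echo "UNKNOWN OR BAD SIGNATURE"; exit 1; }
fi
```

A hash mismatch with a good signature means the archive was changed after signing; a good hash with an unknown signature is the situation the negative test further down produces.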

Verify Charts during helm install and Upgrade - Positive Test

```bash
# Change directory
cd $HOME/charts

# Helm install with --verify
helm install sapp sampleapp-0.2.tgz --verify --keyring public-key/demo-publickey.gpg --atomic

# List Helm releases
helm list

# Helm status (the release name is required)
helm status sapp --show-resources

# Helm upgrade with --verify
helm upgrade sapp sampleapp-0.3.tgz --verify --keyring public-key/helmsigndemo1-publickey.gpg --atomic

# Uninstall the Helm release
helm uninstall sapp
```

Verify Charts during helm install and Upgrade - Negative Test

```bash
# Change directory
cd $HOME/charts

# Create a dummy (empty) keyring file in the public-key folder
touch public-key/dummy-publickey.gpg

# Helm install with --verify against the dummy keyring
helm install sapp sampleapp-0.2.tgz --verify --keyring public-key/dummy-publickey.gpg --atomic
```

Observation:
  1. The install should fail with an error like the one below, because the signing key is not present in the keyring.

Sample output:

```text
Error: INSTALLATION FAILED: openpgp: signature made by unknown entity
```