Sign the chart [ONPREM-440] (#64)

CircleCI-Public · Jul 12, 2024 · 6ee8af5 · 6ee8af5
1 parent 3ecd05f
commit 6ee8af5
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 3 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,7 +8,8 @@ workflows:
     jobs:
       - validate
       - check_readme
-      - package
+      - package:
+          context: runner-signing
       - smoke-tests:
           context: runner-deploy
           requires: [ validate ]
@@ -97,7 +98,26 @@ jobs:
       - checkout
       - attach_workspace:
           at: .
-      - run: ./do package
+      - run:
+          name: "Install signing keys"
+          command: |
+            exec 2>/dev/null
+
+            echo "Importing signing keys"
+            echo -n "${SIGNING_KEY_ENCODED}" | base64 --decode >signing_key_decoded.key
+            gpg --batch --yes --passphrase "${SIGNING_KEY_PASSPHRASE}" --import signing_key_decoded.key
+            rm signing_key_decoded.key
+            curl https://keys.openpgp.org/vks/v1/by-fingerprint/"${GPG_ID}" >pub-key.asc
+            gpg --import pub-key.asc
+            rm pub-key.asc
+
+            echo "Convert to legacy gpg format per Helm requirements"
+            gpg --export >~/.gnupg/pubring.gpg
+            gpg --batch --yes --pinentry-mode=loopback --passphrase "${SIGNING_KEY_PASSPHRASE}" --export-secret-keys "${GPG_ID}" >~/.gnupg/secring.gpg
+      - run:
+          name: "Package and sign chart"
+          command: |
+            echo "${SIGNING_KEY_PASSPHRASE}" | ./do package sign --passphrase-file -
       - persist_to_workspace:
           root: .
           paths: [ ./target ]

diff --git a/changelog.md b/changelog.md
@@ -2,6 +2,7 @@
 
 # Edge
 
+[#64](https://github.com/CircleCI-Public/container-runner-helm-chart/pull/64) Start signing the Helm chart to ensure provenance: https://helm.sh/docs/topics/provenance/
 [#59](https://github.com/CircleCI-Public/container-runner-helm-chart/pull/59) Fix service container config example & update test
 
 # 101.1.1

diff --git a/do b/do
@@ -29,8 +29,24 @@ package() {
     mkdir -p target
     cd target
 
+    local arg="${1:-}"
+    if [ -n "${arg}" ]; then
+        shift
+    fi
+
     echo 'Package Helm chart'
-    helm package ..
+    case ${arg} in
+    "sign")
+        echo 'Sign Helm chart'
+        # shellcheck disable=SC2086
+        helm package --sign --key "${KEY:-<eng-on-prem@circleci.com>}" --keyring ${KEYRING:-~/.gnupg/secring.gpg} .. "$@"
+        echo 'Verify Helm chart signature'
+        helm verify ./container-agent-*.tgz
+        ;;
+    *)
+        helm package ..
+        ;;
+    esac
 
     echo 'Check contents of Helm package'
     ls .
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,7 @@ @@
     # Edge
+    [#64](https://github.com/CircleCI-Public/container-runner-helm-chart/pull/64) Start signing the Helm chart to ensure provenance: https://helm.sh/docs/topics/provenance/
     [#59](https://github.com/CircleCI-Public/container-runner-helm-chart/pull/59) Fix service container config example & update test
     # 101.1.1
@@ Expand Down @@