From 6ee8af550fa1d916884e775f71aae9e2a9cd47b2 Mon Sep 17 00:00:00 2001
From: Chris Stephen
Date: Fri, 12 Jul 2024 17:07:15 -0300
Subject: [PATCH] Sign the chart [ONPREM-440] (#64)
---
 .circleci/config.yml | 24 ++++++++++++++++++++++--
 changelog.md | 1 +
 do | 18 +++++++++++++++++-
 3 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 00cedcd..3dc251e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -8,7 +8,8 @@ workflows:
 jobs:
 - validate
 - check_readme
- - package
+ - package:
+ context: runner-signing
 - smoke-tests:
 context: runner-deploy
 requires: [ validate ]
@@ -97,7 +98,26 @@ jobs:
 - checkout
 - attach_workspace:
 at: .
- - run: ./do package
+ - run:
+ name: "Install signing keys"
+ command: |
+ exec 2>/dev/null
+
+ echo "Importing signing keys"
+ echo -n "${SIGNING_KEY_ENCODED}" | base64 --decode >signing_key_decoded.key
+ gpg --batch --yes --passphrase "${SIGNING_KEY_PASSPHRASE}" --import signing_key_decoded.key
+ rm signing_key_decoded.key
+ curl https://keys.openpgp.org/vks/v1/by-fingerprint/"${GPG_ID}" >pub-key.asc
+ gpg --import pub-key.asc
+ rm pub-key.asc
+
+ echo "Convert to legacy gpg format per Helm requirements"
+ gpg --export >~/.gnupg/pubring.gpg
+ gpg --batch --yes --pinentry-mode=loopback --passphrase "${SIGNING_KEY_PASSPHRASE}" --export-secret-keys "${GPG_ID}" >~/.gnupg/secring.gpg
+ - run:
+ name: "Package and sign chart"
+ command: |
+ echo "${SIGNING_KEY_PASSPHRASE}" | ./do package sign --passphrase-file -
 - persist_to_workspace:
 root: .
 paths: [ ./target ]
diff --git a/changelog.md b/changelog.md
index cba8c74..b2fee45 100644
--- a/changelog.md
+++ b/changelog.md
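Review bot: The `curl https://keys.openpgp.org/vks/v1/by-fingerprint/"${GPG_ID}" >pub-key.asc` line in the new "Install signing keys" step has no `--fail`, so a non-2xx response body is written to `pub-key.asc` and handed to `gpg --import`, while the `exec 2>/dev/null` at the top of the same step discards the curl and gpg diagnostics that would explain why the import or the later `helm package --sign` failed; `curl -fsS "https://keys.openpgp.org/vks/v1/by-fingerprint/${GPG_ID}" -o pub-key.asc` makes the fetch fail loudly, and the stderr redirect is better dropped or pointed at a file kept as a job artifact. The two `--passphrase "${SIGNING_KEY_PASSPHRASE}"` arguments place the passphrase in the gpg process's argument list, which is readable by other processes on the runner; the "Package and sign chart" step already uses the safer stdin pattern, and gpg accepts the same via `--passphrase-fd 0`. Whether the step's shell runs with `-e` is not visible in this hunk; if it does not, a failed import is also silently ignored rather than stopping the job before signing.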
@@ -2,6 +2,7 @@
 # Edge
+[#64](https://github.com/CircleCI-Public/container-runner-helm-chart/pull/64) Start signing the Helm chart to ensure provenance: https://helm.sh/docs/topics/provenance/
 [#59](https://github.com/CircleCI-Public/container-runner-helm-chart/pull/59) Fix service container config example & update test
 # 101.1.1
diff --git a/do b/do
index 8dc81a5..84dc0e2 100755
--- a/do
+++ b/do
@@ -29,8 +29,24 @@ package() {
 mkdir -p target
 cd target
+ local arg="${1:-}"
+ if [ -n "${arg}" ]; then
+ shift
+ fi
+
 echo 'Package Helm chart'
- helm package ..
+ case ${arg} in
+ "sign")
+ echo 'Sign Helm chart'
+ # shellcheck disable=SC2086
+ helm package --sign --key "${KEY:-}" --keyring ${KEYRING:-~/.gnupg/secring.gpg} .. "$@"
+ echo 'Verify Helm chart signature'
+ helm verify ./container-agent-*.tgz
+ ;;
+ *)
+ helm package ..
+ ;;
+ esac
 echo 'Check contents of Helm package'
 ls .
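Review bot: `helm verify ./container-agent-*.tgz` in the new `"sign")` branch of `package()` globs over a `target` directory that `mkdir -p target` creates but never empties, so a stale `.tgz` left by an earlier package run also matches and is passed to `helm verify` as an extra argument, and the check then no longer proves that the file just produced carries a valid signature. Verifying the exact artifact is more robust: `chart=$(ls -t ./container-agent-*.tgz | head -n 1)` followed by `helm verify "${chart}"`, or alternatively `rm -f ./container-agent-*.tgz` before the `helm package` call so the glob is unambiguous. Note also that signing takes its keyring from `${KEYRING}` while `helm verify` is left on Helm's default keyring, so a run that overrides `KEYRING` signs against one ring and verifies against another; a comment on the verify line stating which keyring it relies on would make that dependency visible. `package()`'s opening line appears only in the hunk header and its closing brace is outside the hunk.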