Helm Charts to support the Sigstore project.
Charts are available in the following formats:
❤️ Planning to contribute? Please follow our contributing guidelines so that your contribution flows smoothly into this project.
The following command can be used to add the chart repository:
helm repo add sigstore https://sigstore.github.io/helm-charts
helm repo update
Once the chart has been added, install one of the available charts:
helm upgrade -i <release_name> sigstore/<chart_name>
Charts are also available in OCI format. The list of available charts can be found here.
Install one of the available charts:
helm upgrade -i <release_name> oci://ghcr.io/sigstore/helm-charts/<chart_name> --version=<version>
Charts are signed using the provenance methods provided by the Helm project and are also uploaded to the Rekor transparency server using the Helm sigstore plugin.
Verification of the signed charts can be accomplished by importing the GPG Public Key that was used to sign the associated chart.
cat security/pubkey.gpg | gpg --import --batch
Once the public key has been imported, charts can be verified using the helm verify and/or helm sigstore verify commands.
NOTE: The public key that was used to sign a particular chart may not be identical to the public key on the main branch. Each chart release has an associated git tag. The public key that was used to sign the particular chart will be included in this tag.
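
Following the note above, the key can be read from the release's git tag instead of the working tree. This is an added example, not part of the project's own documentation: it assumes it is run inside a clone of this repository with the sigstore chart repository already added, and the function name verify_chart and its tag argument (the git tag of the chart release) are hypothetical.

```shell
#!/bin/sh
# Added example: verify a chart with the public key stored in its release tag.
# Assumptions: run from a clone of this repository; "helm repo add sigstore ..."
# has been done; the third argument is the git tag of the chart release.

verify_chart() {
  chart="$1"; version="$2"; tag="$3"
  work="$(mktemp -d)" || return 1

  # Use a throwaway GnuPG home so only the key from the tag is trusted.
  mkdir -m 700 "$work/gnupg" || return 1

  # Read the key as committed at the release tag, not from the main branch.
  git show "${tag}:security/pubkey.gpg" > "$work/pubkey.gpg" || return 1
  gpg --homedir "$work/gnupg" --batch --import "$work/pubkey.gpg" || return 1

  # Helm reads the legacy binary keyring format, so export one for it.
  gpg --homedir "$work/gnupg" --batch --export > "$work/pubring.gpg" || return 1

  # Download the chart archive together with its .prov provenance file.
  helm pull "sigstore/${chart}" --version "$version" --prov -d "$work" || return 1

  # Check the archive digest and the signature recorded in the .prov file.
  helm verify "$work/${chart}-${version}.tgz" --keyring "$work/pubring.gpg" || return 1
}

# Usage: sh verify-chart.sh <chart_name> <version> <tag>
if [ "$#" -eq 3 ]; then
  verify_chart "$@"
fi
```

A non-zero exit status means the key could not be read from the tag, the download failed, or the signature or digest did not match.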