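├── LICENSE.txt
├── README.md
├── gpg.sh
└── plugin.yaml

/LICENSE.txt:
--------------------------------------------------------------------------------
Helm GPG Plugin
Copyright (C) 2016, Matt Butcher

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Helm GPG (GnuPG) Plugin

Helm has the ability to cryptographically sign and verify charts. This plugin
provides integration with GnuPG, making it easier to use than the default
`helm` signing and verifying commands. It is also more secure, since it supports
passphrase-encrypted keys.

It offers two operations:

- sign: Sign a chart with a key
- verify: Verify a signed chart with your keyring

Also check out the [Helm Keybase](https://github.com/technosophos/helm-keybase) plugin.

## Installation

You must have GnuPG's command line client (`gpg`) installed and configured.

```console
$ helm plugin install https://github.com/technosophos/helm-gpg
```


--------------------------------------------------------------------------------

/gpg.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Helm plugin: sign and verify chart archives with GnuPG ('gpg').
#
# Usage:
#   helm gpg sign [-u KEYID] CHART.tgz     -> writes CHART.tgz.prov
#   helm gpg verify CHART.tgz              -> checks CHART.tgz.prov
#
# Requires gpg, openssl, tar, awk and grep on PATH. Exit status is 0 on
# success, 1 on usage/setup errors, 3 when the signed digest does not match
# the archive, and gpg's own status when a signature fails to verify.

set -eu

#######################################
# Print the top-level help text.
#######################################
usage() {
  cat << 'EOF'
GnuPG integration with Helm

This provides integration with 'gpg', the command line tool for working with
GnuPG.

Available Commands:
  sign    Sign a chart archive (tgz file) with a GPG key
  verify  Verify a chart archive (tgz + tgz.prov) with your GPG keyring

EOF
}

#######################################
# Print the help text for 'sign'.
#######################################
sign_usage() {
  cat << 'EOF'
Sign a chart using GnuPG credentials.

This is an alternative to 'helm sign'. It uses your gpg credentials
to sign a chart.

Example:
  $ helm gpg sign foo-0.1.0.tgz

EOF
}

#######################################
# Print the help text for 'verify'.
#######################################
verify_usage() {
  cat << 'EOF'
Verify a chart

This is an alternative to 'helm verify'. It uses your gpg credentials
to verify a chart.

Example:
  $ helm gpg verify foo-0.1.0.tgz

In typical usage, use 'helm fetch --prov' to fetch a chart:

  $ helm fetch --prov upstream/wordpress
  $ helm gpg verify wordpress-1.2.3.tgz
  $ helm install ./wordpress-1.2.3.tgz

EOF
}

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Decide whether an argument is a request for help.
# Arguments: $1 - argument to inspect (may be unset)
# Returns:   0 for -h, --help or help; 1 otherwise
#######################################
is_help() {
  case "${1:-}" in
    -h | --help | help)
      return 0
      ;;
    *)
      return 1
      ;;
  esac
}

#######################################
# Print the hex SHA-256 digest of a file.
# Arguments: $1 - path of the file to hash
# Outputs:   the digest on stdout
#######################################
chart_sha256() {
  # $NF rather than $2: 'openssl dgst' prints "SHA256(<name>)= <hex>", and a
  # file name containing spaces would shift the digest to a later field.
  openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

#######################################
# Print the top-level Chart.yaml stored in a chart archive.
# Arguments: $1 - chart archive (tgz)
# Outputs:   Chart.yaml contents on stdout
# Returns:   exits via die when the archive holds no top-level Chart.yaml
#######################################
chart_yaml() {
  local archive=$1
  local member
  # Select the member by listing and matching in the shell instead of passing
  # a wildcard member name to tar: GNU tar and bsdtar disagree on whether
  # member names are globbed. Requiring exactly one leading path component
  # (optionally "./") skips any subchart Chart.yaml under charts/.
  member=$(tar -tzf "$archive" | grep -E '^(\./)?[^/]+/Chart\.yaml$' | head -n 1)
  [[ -n "$member" ]] || die "no top-level Chart.yaml found in $archive"
  tar -zxf "$archive" -O "$member"
}

#######################################
# Sign a chart archive, writing a clearsigned provenance file next to it.
# Arguments: $1 - chart archive (tgz), or a help flag
#            $2 - optional gpg key id / user id to sign with (-u)
# Outputs:   progress on stdout; CHART.prov written by gpg
#######################################
sign() {
  if is_help "${1:-}"; then
    sign_usage
    return
  fi
  local chart=$1
  local keyname=${2:-}
  local base=${chart##*/}
  local sum yaml payload
  printf 'Signing %s\n' "$chart"
  sum=$(chart_sha256 "$chart")
  yaml=$(chart_yaml "$chart")
  # Provenance body: Chart.yaml, a YAML document separator, then the digest
  # keyed by the archive's base name (not the path it was given as), so the
  # entry is found regardless of the directory the archive is verified from.
  payload=$(printf '%s\n\n...\nfiles:\n  %s: sha256:%s\n' "$yaml" "$base" "$sum")
  # Build gpg's arguments as an array so a key id containing spaces survives.
  local gpgargs=(--clearsign --output "${chart}.prov")
  if [[ -n "$keyname" ]]; then
    gpgargs+=(--local-user "$keyname")
  fi
  printf '%s\n' "$payload" | gpg "${gpgargs[@]}"
}

#######################################
# Verify a chart archive against its clearsigned provenance file.
# Arguments: $1 - chart archive (tgz), or a help flag
# Outputs:   gpg's verification report and the digest result
# Returns:   0 when signature and digest both check out; 3 on digest
#            mismatch; exits non-zero (set -e) when gpg rejects the signature
#######################################
verify() {
  if is_help "${1:-}"; then
    verify_usage
    return
  fi
  local chart=$1
  local prov=${chart}.prov
  local base=${chart##*/}
  local sum signed
  [[ -f "$prov" ]] || die "provenance file $prov not found"
  # Signature check first; a bad signature aborts here under set -e. Note that
  # gpg exits 0 for a good signature from any key in the keyring, including
  # keys you have not marked as trusted (it only prints a warning), so which
  # keys are in the verifying keyring is part of the trust decision.
  gpg --verify "$prov"

  # Compare the digest against the signed text only. 'gpg --decrypt' on a
  # clearsigned file re-checks the signature and emits just the payload, so
  # a matching line appended to the .prov outside the signature cannot pass.
  sum=$(chart_sha256 "$chart")
  signed=$(gpg --decrypt --output - "$prov" 2>/dev/null) \
    || die "could not extract the signed provenance from $prov"
  # Accept the base-name key written by this script and, for files produced
  # by earlier versions, the chart path as given.
  if ! grep -qF -e "${base}: sha256:${sum}" -e "${chart}: sha256:${sum}" <<< "$signed"; then
    printf 'ERROR SHA verify error: sha256:%s does not match %s\n' "$sum" "$prov" >&2
    return 3
  fi
  printf 'plugin: Chart SHA verified. sha256:%s\n' "$sum"
}

#######################################
# Parse the verb and its options, then dispatch to sign/verify.
# Arguments: "$@" - the plugin's command line
#######################################
main() {
  if (( $# < 1 )); then
    usage
    exit 1
  fi

  if ! command -v gpg > /dev/null; then
    echo "Command line 'gpg' client must be installed" >&2
    exit 1
  fi

  case "${1:-help}" in
    sign)
      if (( $# < 2 )); then
        sign_usage
        echo "Error: Chart package required."
        exit 1
      fi
      shift
      # Name of the key to use. Overridden by -u / --local-user.
      local keyname=""
      # Options, expected after the verb.
      while (( $# > 0 )); do
        case "$1" in
          -u | --local-user)
            (( $# >= 2 )) || die "option $1 requires a key id"
            keyname=$2
            echo "Setting keyname to $keyname"
            shift 2
            ;;
          *)
            break
            ;;
        esac
      done
      if (( $# < 1 )); then
        sign_usage
        die "Chart package required."
      fi
      sign "$1" "$keyname"
      ;;
    verify)
      if (( $# < 2 )); then
        verify_usage
        echo "Error: Chart package required."
        exit 1
      fi
      verify "$2"
      ;;
    help | --help | -h)
      usage
      ;;
    *)
      usage
      exit 1
      ;;
  esac
}

main "$@"

exit 0
--------------------------------------------------------------------------------

/plugin.yaml:
--------------------------------------------------------------------------------
name: "gpg"
version: "0.1.0"
usage: "Integrate GnuPG tools with Helm"
description: |-
  This plugin provides GnuPG services to Helm.
command: "$HELM_PLUGIN_DIR/gpg.sh"
--------------------------------------------------------------------------------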