[Gatekeeper Library] Verifying packages on Artifact Hub #1155

dkubicahitachi · 2023-05-02T10:47:41Z

Verifying packages
Why are helm packages not signed?

As the helm documentation says:
"Reasons a chart may not verify
These are common reasons for failure.

The .prov file is missing or corrupt. This indicates that something is misconfigured or that the original maintainer did not create a provenance file.
The key used to sign the file is not in your keyring. This indicate that the entity who signed the chart is not someone you've already signaled that you trust.
The verification of the .prov file failed. This indicates that something is wrong with either the chart or the provenance data.
The file hashes in the provenance file do not match the hash of the archive file. This indicates that the archive has been tampered with.

If a verification fails, there is reason to distrust the package."

helm upgrade csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --verify --debug
Error: failed to fetch provenance "https://Azure.github.io/secrets-store-csi-driver-provider-azure/charts/csi-secrets-store-provider-azure-1.0.1.tgz.prov"

Can you add signed packages to the repository?

Environment:

The text was updated successfully, but these errors were encountered:

dkubicahitachi added the enhancement New feature or request label May 2, 2023

nilekhc self-assigned this Aug 1, 2023

bridgetkromhout changed the title ~~Verifying packages~~ Verifying packages on Artifact Hub Jul 2, 2024

nilekhc changed the title ~~Verifying packages on Artifact Hub~~ [Gatekeeper Library] Verifying packages on Artifact Hub Jul 2, 2024

bridgetkromhout assigned JaydipGabani and unassigned nilekhc Aug 13, 2024

Provide feedback