Add support for GPG signing

cr/cmd/package.go

@@ -15,8 +15,11 @@
 package cmd
 
 import (
+	"path/filepath"
+
 	"github.com/helm/chart-releaser/pkg/config"
 	"github.com/helm/chart-releaser/pkg/packager"
+	"github.com/mitchellh/go-homedir"
 	"github.com/spf13/cobra"
 )
 
@@ -52,6 +55,15 @@ func getRequiredPackageArgs() []string {
 }
 
 func init() {
+	dir, err := homedir.Dir()
+	if err != nil {
+		panic(err)
+	}
+
 	rootCmd.AddCommand(packageCmd)
 	packageCmd.Flags().StringP("package-path", "p", ".cr-release-packages", "Path to directory with chart packages")
+	packageCmd.Flags().Bool("sign", false, "Use a PGP private key to sign this package")
+	packageCmd.Flags().String("key", "", "Name of the key to use when signing")
+	packageCmd.Flags().String("keyring", filepath.Join(dir, ".gnupg", "pubring.gpg"), "Location of a public keyring")
+	packageCmd.Flags().String("passphrase-file", "", "Location of a file which contains the passphrase for the signing key. Use '-' in order to read from stdin")
 }

go.mod

@@ -3,32 +3,34 @@ module github.com/helm/chart-releaser
 go 1.14
 
 require (
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.1 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.3 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect
 	github.com/Songmu/retry v0.1.0
-	github.com/google/go-cmp v0.5.0 // indirect
+	github.com/google/go-cmp v0.5.2 // indirect
 	github.com/google/go-github/v30 v30.0.0
 	github.com/goreleaser/goreleaser v0.129.0
+	github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/magefile/mage v1.10.0
 	github.com/mattn/go-colorable v0.1.7 // indirect
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/onsi/ginkgo v1.13.0 // indirect
 	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.6.0 // indirect
+	github.com/rogpeppe/go-internal v1.6.0 // indirect
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.7.0
+	github.com/spf13/viper v1.7.1
 	github.com/stretchr/testify v1.6.1
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/tools v0.0.0-20200724022722-7017fd6b1305
+	golang.org/x/tools v0.0.0-20200812195022-5ae4c3c160a0
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	helm.sh/helm/v3 v3.1.2
-	honnef.co/go/tools v0.0.1-2020.1.4 // indirect
-	rsc.io/letsencrypt v0.0.3 // indirect
+	helm.sh/helm/v3 v3.4.0-rc.1
+	honnef.co/go/tools v0.0.1-2020.1.5 // indirect
+	rsc.io/letsencrypt v0.0.3 // indirect; indirect)
 )
 
 exclude (

pkg/config/config.go

@@ -43,6 +43,10 @@ type Options struct {
 	ChartsRepo          string `mapstructure:"charts-repo"`
 	IndexPath           string `mapstructure:"index-path"`
 	PackagePath         string `mapstructure:"package-path"`
+	Sign                bool   `mapstructure:"sign"`
+	Key                 string `mapstructure:"key"`
+	KeyRing             string `mapstructure:"keyring"`
+	PassphraseFile      string `mapstructure:"passphrase-file"`
 	Token               string `mapstructure:"token"`
 	GitBaseURL          string `mapstructure:"git-base-url"`
 	GitUploadURL        string `mapstructure:"git-upload-url"`

pkg/packager/packager.go

@@ -40,7 +40,14 @@ func NewPackager(config *config.Options, paths []string) *Packager {
 // CreatePackages creates Helm chart packages
 func (p *Packager) CreatePackages() error {
 	helmClient := action.NewPackage()
+	helmClient.DependencyUpdate = true
 	helmClient.Destination = p.config.PackagePath
+	if p.config.Sign {
+		helmClient.Sign = true
+		helmClient.Key = p.config.Key
+		helmClient.Keyring = p.config.KeyRing
+		helmClient.PassphraseFile = p.config.PassphraseFile
+	}
 
 	for i := 0; i < len(p.paths); i++ {
 		path, err := filepath.Abs(p.paths[i])

pkg/packager/packager_test.go

@@ -18,58 +18,79 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
 	"github.com/helm/chart-releaser/pkg/config"
 )
 
 func TestPackager_CreatePackages(t *testing.T) {
 	packagePath, _ := ioutil.TempDir(".", "packages")
 	invalidPackagePath := filepath.Join(packagePath, "bad")
 	file, _ := os.Create(invalidPackagePath)
-	defer file.Close()
-	defer os.RemoveAll(packagePath)
+	t.Cleanup(func() {
+		file.Close()
+		os.RemoveAll(packagePath)
+	})
+
 	tests := []struct {
-		name        string
-		chartPath   string
-		packagePath string
-		error       bool
+		name      string
+		chartPath string
+		options   *config.Options
+		error     bool
 	}{
 		{
-			"valid-chart-path",
-			"testdata/test-chart",
-			packagePath,
-			false,
+			name:      "valid-chart-path",
+			chartPath: "testdata/test-chart",
+			options:   &config.Options{PackagePath: packagePath},
+			error:     false,
+		},
+		{
+			name:      "invalid-package-path",
+			chartPath: "testdata/test-chart",
+			options:   &config.Options{PackagePath: invalidPackagePath},
+			error:     true,
 		},
 		{
-			"invalid-package-path",
-			"testdata/test-chart",
-			invalidPackagePath,
-			true,
+			name:      "invalid-chart-path",
+			chartPath: "testdata/invalid-chart",
+			options:   &config.Options{PackagePath: packagePath},
+			error:     true,
 		},
 		{
-			"invalid-chart-path",
-			"testdata/invalid-chart",
-			packagePath,
-			true,
+			name:      "valid-chart-path-with-provenance",
+			chartPath: "testdata/test-chart",
+			options: &config.Options{
+				PackagePath:    packagePath,
+				Sign:           true,
+				Key:            "Chart Releaser Test Key <no-reply@example.com>",
+				KeyRing:        "testdata/testkeyring.gpg",
+				PassphraseFile: "testdata/passphrase-file.txt",
+			},
+			error: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Cleanup(func() {
+				os.Remove(filepath.Join(packagePath, "test-chart-0.1.0.tgz"))
+				os.Remove(filepath.Join(packagePath, "test-chart-0.1.0.tgz.prov"))
+			})
+
 			p := &Packager{
-				paths:  strings.Split(tt.chartPath, ","),
-				config: &config.Options{PackagePath: tt.packagePath},
+				paths:  []string{tt.chartPath},
+				config: tt.options,
 			}
 			err := p.CreatePackages()
-
 			if tt.error {
-				if err == nil {
-					t.Error()
-				}
+				require.Error(t, err)
 			} else {
-				if err != nil {
-					t.Error()
+				require.NoError(t, err)
+				assert.FileExists(t, filepath.Join(tt.options.PackagePath, "test-chart-0.1.0.tgz"))
+				if tt.options.Sign {
+					assert.FileExists(t, filepath.Join(tt.options.PackagePath, "test-chart-0.1.0.tgz.prov"))
 				}
 			}
 		})

pkg/packager/testdata/passphrase-file.txt

@@ -0,0 +1 @@
+secret