Adding PGP signing to the release process #5320
bacongobbler left a comment
looks good to me! One comment about CHECKSUM_VAL, otherwise this seems like a good process to follow for the time being.
I wish we could sign the release assets during the CI process, but I understand storing private keys in Circle may be a security risk. Do you think it's worth generating a "Helm CI" shared PGP key that signs release assets right in the CI pipeline, or would that be an anti-pattern for signing releases?
@bacongobbler When it comes to signing keys, open source projects usually have the people control them. Companies will tend to have signing processes that are tightly controlled so they can highly control their keys. I don't think we should put our signing keys into another company's CI.
The Apache Foundation has written up a bunch on signing releases for anyone who wants to read about it over at https://www.apache.org/dev/release-signing