Add GPG signature verification to install script

[jdolitsky]

The script fetches the KEYS file from GitHub, as well as the .asc files on the release and verifies the
release artifacts are signed by a valid key.

Added new boolean config options in the install script which allow for fine-grained control over verification and output:

• DEBUG: sets -x in the bash script (default: false)
• VERIFY_CHECKSUM: verifies checksum (default: true)
• VERIFY_SIGNATURE: verifies signature (default: true)

Also reduced check for curl/wget to only one time.

Resolves #7943.
Resolves #7838.

[jdolitsky]

I'm wondering if I should push the GPG output into /dev/null? Turns the output of the script from just 3 lines to ~30 and displays all the maintainers emails ... maybe only if DEBUG is enabled, show GPG output?

[jdolitsky]

I've silenced the GPG output unless DEBUG=true, now the output looks like this:

$ VERIFY_SIGNATURES=true scripts/get-helm-3
Downloading https://get.helm.sh/helm-v3.1.2-darwin-amd64.tar.gz
Verifying checksum... Done.
Verifying signatures... Done.
Preparing to install helm into /usr/local/bin
helm installed into /usr/local/bin/helm

[jdolitsky]

Modified the script. No longer auto-imports KEYS file, just expects you've done this prior to running the script.

[mattfarina]

This is going to add the keys to the users active GPG keyring. The gpg verification below will use these keys plus all the other keys in the keyring to look for a good signature.

The gpg keys from the Helm project should not be imported into the users keyring. Instead, a keyring only containing the Helm maintainers should be created, used for verification, and deleted afterwards as part of cleanup. This script should not try to use keys in the users existing keyring and should not alter their environment.

The linux kernel script does this. You can look at it for ideas... https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball

[jdolitsky]

This script should not try to use keys in the users existing keyring and should not alter their environment.

Alright. Thanks for the example script.

So then, should we modify this to take a filepath to a .asc file? Or auto-fetch KEYS file?

[jdolitsky]

I think what you're saying is at odds with @bacongobbler 's suggestion?

[bacongobbler]

yes and no. I wasn't aware that the process was to create a separate keyring as opposed to using your existing keyring, but I fully agree that these keys shouldn't be added to the user's keyring using either approach.

If that's the recommendation at the linux kernel, then that should work for us.

[mattfarina]

It's possible to have a separate keyring used for gpg verification calls. It's a couple steps to set it up. We should make it so the only keys in the keyring are those from the maintainers. This way the good verification can only come from that set of keys and not any key in the users personal keyring.

[bacongobbler]

One more nitpick, then this looks good!

><> export VERIFY_SIGNATURES=true
><> ./get-helm-3 
Helm v3.2.0 is available. Changing from version v3.1.2.
Downloading https://get.helm.sh/helm-v3.2.0-darwin-amd64.tar.gz
Verifying checksum... Done.
Verifying signatures... Done.
Preparing to install helm into /usr/local/bin
Password: ^C
Failed to install helm
	For support, go to https://github.com/helm/helm.

[jdolitsky]

@bacongobbler @mattfarina this should be good to go now.

Running into an issue on Mac, which I will file once this is closed:

gpg: can't connect to the agent: IPC connect call failed

Appears to be fixed if the temp gpg home is somewhere under the users home? The ownership on the temp dir seem find.. Found some conversation about it here: https://sourceforge.net/p/macgpg/mailman/message/18850673/

So for now, I've put a check in place which requires Linux if using VERIFY_SIGNATURES=true (false by default)

For proof this isnt messing with the user's active keyring:

$ gpg --list-keys | grep ^pub | wc -l
0

$ curl -s https://keybase.io/jdolitsky/pgp_keys.asc | gpg --import 2>/dev/null

$ gpg --list-keys | grep ^pub | wc -l
1

$ VERIFY_SIGNATURES=true scripts/get-helm-3
Downloading https://get.helm.sh/helm-v3.2.0-linux-amd64.tar.gz
Verifying checksum... Done.
Verifying signatures... Done.
Preparing to install helm into /usr/local/bin
helm installed into /usr/local/bin/helm

$ gpg --list-keys | grep ^pub | wc -l
1

[jdolitsky]

this strange grep + line count check was taken directly from the linux kernel script https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball#n164

[jdolitsky]

@mattfarina @bacongobbler want to try to get this into the install script for 3.3?

[bacongobbler]

why only linux support when there's native gpg support for MacOS? Can you please elaborate what needs to change to add MacOS support?

[bacongobbler]

does not work. Please test your changes before asking for a review.

><> docker run -it ubuntu bash
root@c5a6147940e8:/# apt update && apt install wget git openssl gpg
root@c5a6147940e8:/# wget https://raw.githubusercontent.com/jdolitsky/helm/validate-signature/scripts/get-helm-3
root@c5a6147940e8:/# chmod 755 get-helm-3
root@c5a6147940e8:/# VERIFY_SIGNATURES=true ./get-helm-3 
Downloading https://get.helm.sh/helm-v3.2.4-linux-amd64.tar.gz
Verifying checksum... Done.
Verifying signatures... https://raw.githubusercontent.com/helm/helm/master/KEYS: No such file or directory
Failed to install helm
	For support, go to https://github.com/helm/helm.

[jdolitsky]

@bacongobbler - apologies. Was testing on a Linux system with curl for the 2nd revision and didn't catch the bad syntax with wget commands. I just updated and tested it on system with just curl, and system with just wget

Regarding Mac support - it's not clear to me what the issue is. Here is the output when using DEBUG=true:

...
+ gpg --batch --quiet --homedir=/var/folders/lj/xzzflpn14bg1vd8f2c5q_v500000gn/T/helm-installer-XXXXXX.JjFTM6Vw/gnupg --import /var/folders/lj/xzzflpn14bg1vd8f2c5q_v500000gn/T/helm-installer-XXXXXX.JjFTM6Vw/KEYS
gpg: can't connect to the agent: IPC connect call failed
gpg: can't connect to the agent: IPC connect call failed
gpg: can't connect to the agent: IPC connect call failed
gpg: can't connect to the agent: IPC connect call failed
gpg: can't connect to the agent: IPC connect call failed
gpg: can't connect to the agent: IPC connect call failed
+ fail_trap
+ result=2
+ '[' 2 '!=' 0 ']'
+ [[ -n '' ]]
+ echo 'Failed to install helm'
Failed to install helm
...

It appears to hang on can't connect to the agent. Was unable to successfully find something on the internet to resolve this without launching a GPG agent (which I don't think the script should do).

If I modify HELM_TMP_ROOT to be instead ${HOME}/helm-install (vs. $(mktemp -dt helm-installer-XXXXXX)) on line 141, things seem to work just fine:

...
+ gpg --batch --quiet --homedir=/Users/jdolitsky/helm-install/gnupg --import /Users/jdolitsky/helm-install/KEYS
+ gpg --batch --no-default-keyring --keyring /Users/jdolitsky/helm-install/gnupg/pubring.kbx --export
+ local github_release_url=https://github.com/helm/helm/releases/download/v3.2.4
+ '[' true == true ']'
+ curl -SsL https://github.com/helm/helm/releases/download/v3.2.4/helm-v3.2.4-darwin-amd64.tar.gz.sha256.asc -o /Users/jdolitsky/helm-install/helm-v3.2.4-darwin-amd64.tar.gz.sha256.asc
...

So it's something related to using mktemp. When I inspect these temp directories, they appear to be fully owned by my user:

+ HELM_TMP_ROOT=/var/folders/lj/xzzflpn14bg1vd8f2c5q_v500000gn/T/helm-installer-XXXXXX.hGNuwU8u
+ ls -la /var/folders/lj/xzzflpn14bg1vd8f2c5q_v500000gn/T/helm-installer-XXXXXX.hGNuwU8u
total 0
drwx------    2 jdolitsky  staff    64 Jul  7 13:08 .
drwx------@ 136 jdolitsky  staff  4352 Jul  7 13:08 ..

I could definitely use some help figuring this out. But I do think this PR still provides value for Linux users, especially in the context of CI etc.

[bacongobbler]

re-tested using the same instructions. Works now. I think this is in a workable state to move forward. We can address the MacOS issue in a follow-up.