Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Code Distribution Integrity Assurance using Helm Provenance and Integrity #89

Open
4 tasks
bukasaaime opened this issue Apr 12, 2022 · 3 comments
Open
4 tasks

Code Distribution Integrity Assurance using Helm Provenance and Integrity #89

bukasaaime opened this issue Apr 12, 2022 · 3 comments

Comments

@bukasaaime
Copy link

bukasaaime commented Apr 12, 2022
edited
Loading

Request Summary:

Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, Keybase.io and well-respected package managers, Helm can generate and verify signature files.

Implementing Helm Provenance and Integrity for Mojaloop installation packaged chart, will constitute Mojaloop cryptographic Code Signing.

Request Details:

  • Deadline: Soon after DA meeting / discussions.
  • Impact (Teams): Code Quality Security, DevSecOps and DevOps
  • Impact (Components): Mojaloop codebase and documentation

Artifacts:

https://helm.sh/docs/topics/provenance/

image

Dependencies:

  • If Applicable

Accountability:

Decision(s):

  • Approved By:

Details

  • Actual decision made as a result of discussion

Follow-up:

  • Actions to implement the decisions
@bukasaaime
Copy link
Author

Update

We have done a proposal to have Mojaloop helm release code signed using

  1. Keybase.io GPG keys,
  2. Kubernetes commands
  3. Helm package manager,
  4. Helm chart(s),
  5. Github,
  6. Circle CI,
  7. npm packages
  8. Docker images, flags and hash values.
  9. The Mojaloop customization trough external configs (including the default config),
  10. mojaloop.io site for publication of Mojaloop helm release versions and hash values.
  11. signature verification by a Mojaloop user
  12. installation by Mojaloop user.

We are seeking approval from the DA.

code-signing-tree (7)

@bukasaaime
Copy link
Author

Keybase.io is an elegant solution for hosting GPG keys for establishing Provenance and managing developers chain of trust. It is recommended by the Helm documentation https://helm.sh/docs/topics/provenance/ and is optional. It is open source, very secure and used by many developers around the world.

@godfreykutumela godfreykutumela changed the title Mojaloop Code Signing using Helm Provenance and Integrity Code Distribution Integrity Assurance using Helm Provenance and Integrity Aug 23, 2022
@godfreykutumela
Copy link
Contributor

@MichaelJBRichards This is now approved by the DA for testing and implementation on the condition that appropriate documentation explaining this is included in the standard section of the community guides. The helm release note will reference this only on the first release and thereafter removed.

Implementation Plan:

  • Release initial documentation by 30 August 2022
  • Start testing the solution from 29 August 2022 - @bukasaaime will be the lead for the security team and I guess @mdebarros for the DevOps team
  • Once testing is completed, then we can aim to implement this with the next helm release - @mdebarros and @elnyry-sam-k to advise on the helm release schedule

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bukasaaime @godfreykutumela