Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, Keybase.io and well-respected package managers, Helm can generate and verify signature files.
Implementing Helm Provenance and Integrity for the Mojaloop installation packaged chart will constitute Mojaloop cryptographic Code Signing.
Request Details:
Deadline: Soon after DA meeting / discussions.
Impact (Teams): Code Quality Security, DevSecOps and DevOps
Impact (Components): Mojaloop codebase and documentation
Keybase.io is an elegant solution for hosting GPG keys for establishing Provenance and managing developers' chain of trust. It is recommended by the Helm documentation https://helm.sh/docs/topics/provenance/ and is optional. It is open source, very secure and used by many developers around the world.
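To make the integrity half of the mechanism concrete, here is an added Python example (not code from the issue or from Mojaloop/Helm) that builds and checks the `files:` digest section of a Helm `.prov` provenance file in the layout documented at the linked Helm page. The chart archive bytes, chart name and Chart.yaml are constructed stand-ins, the PGP signature block is a placeholder, and checking that signature against a keyring (the other half of `helm verify`) is deliberately out of scope here.

```python
import hashlib
import hmac
import re

# Constructed sample inputs: stand-ins for the packaged chart archive and its Chart.yaml.
CHART_NAME = "mychart-0.1.0.tgz"
CHART_TGZ = b"constructed stand-in for the gzipped chart archive"
CHART_YAML = "apiVersion: v2\nname: mychart\nversion: 0.1.0\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_prov(chart_yaml: str, name: str, tgz: bytes) -> str:
    """Assemble the clear-signed text of a .prov file as `helm package --sign` lays it out:
    Chart.yaml, a `...` separator, then a files: map of sha256 digests.
    The PGP signature block is a placeholder; gpg would produce the real one."""
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
        + chart_yaml.rstrip("\n") + "\n\n...\nfiles:\n"
        + f"  {name}: sha256:{sha256_hex(tgz)}\n"
        + "-----BEGIN PGP SIGNATURE-----\n<signature placeholder>\n"
        + "-----END PGP SIGNATURE-----\n"
    )


def parse_prov(prov: str) -> dict:
    """Return {archive name: sha256 hex} from the files: section of a .prov file."""
    m = re.search(r"^\.\.\.\nfiles:\n(.*?)^-----BEGIN PGP SIGNATURE-----", prov, re.S | re.M)
    if not m:
        raise ValueError("provenance file has no files: section")
    digests = {}
    for line in m.group(1).splitlines():
        if not line.strip():
            continue
        name, _, value = line.strip().partition(":")
        algo, _, digest = value.strip().partition(":")
        if algo != "sha256" or not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"unsupported digest entry: {line.strip()}")
        digests[name] = digest
    return digests


def check_integrity(prov: str, name: str, tgz: bytes) -> bool:
    """Integrity half of `helm verify`: the archive on disk must hash to the value
    recorded in the signed provenance file. Signature validation is not done here."""
    expected = parse_prov(prov).get(name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(tgz))


SAMPLE_PROV = build_prov(CHART_YAML, CHART_NAME, CHART_TGZ)
```

A tampered archive, or a provenance file that does not list the archive at all, fails the check; a real `helm verify` additionally rejects a provenance file whose signature does not validate against the trusted keyring.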
godfreykutumela changed the title from "Mojaloop Code Signing using Helm Provenance and Integrity" to "Code Distribution Integrity Assurance using Helm Provenance and Integrity" on Aug 23, 2022
@MichaelJBRichards This is now approved by the DA for testing and implementation on the condition that appropriate documentation explaining this is included in the standard section of the community guides. The helm release note will reference this only on the first release and will be removed thereafter.
Implementation Plan:
Release initial documentation by 30 August 2022
Start testing the solution from 29 August 2022 - @bukasaaime will be the lead for the security team and I guess @mdebarros for the DevOps team
Once testing is completed, then we can aim to implement this with the next helm release - @mdebarros and @elnyry-sam-k to advise on the helm release schedule
Request Details:
Artifacts:
https://helm.sh/docs/topics/provenance/