add chart provenance verification to e2e
Opened this issue · 1 comments
vdice commented
Once we are signing our staging helm charts (workflow-dev
, builder-dev
, etc.), we should add a correlating verification step to the chart install in the downstream e2e job(s) along the lines of:
...
gpg --keyserver <keyserver (probably pgp.mit.edu)> --recv-keys <KEY_ID>
helm install --verify "${CHART_REPO:-${CHART}}"/"${CHART}"
...
Cryptophobia commented
This issue was moved to teamhephy/jenkins-jobs#10