Signed release
mloiseleur opened this issue · 0 comments
mloiseleur commented
Proposal
It would be nice if the release of this chart would be signed, for improved traceability and security.
It's a native feature of Helm.
Nowadays with OCI, it's possible to sign with a keyless approach using cosign. There is a documented GH action: https://github.com/sigstore/cosign-installer and simple steps to add
It's integrated into Flux, see here.
Verification can be done with GitHub integration, see for instance how the karpenter chart can be verified.
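As an added illustration of the proposal (this is example configuration written for this note, not this chart's own release workflow or a file from the karpenter project), the following shows the three pieces together: a GitHub Actions job that pushes the chart to an OCI registry and keyless-signs the pushed digest with cosign, the command a consumer runs to verify that signature against the workflow identity, and a Flux `HelmRelease` that refuses to reconcile an unsigned or differently-signed chart. The organisation, repository, chart name and version (`example-org`, `example-chart-repo`, `mychart`, `1.2.3`) are placeholders to be replaced; the Flux `matchOIDCIdentity` field assumes a Flux version recent enough to support identity pinning on `HelmChart` verification.

```yaml
# --- .github/workflows/release.yml (example, placeholders throughout) ---
name: release-chart
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  packages: write      # push the chart to ghcr.io
  id-token: write      # mint the OIDC token cosign uses for keyless signing
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - uses: sigstore/cosign-installer@v3
      - name: Push chart to OCI registry and sign the resulting digest
        env:
          REGISTRY: ghcr.io/example-org/charts   # placeholder
          CHART: mychart                         # placeholder
          VERSION: "1.2.3"                       # placeholder
        run: |
          set -euo pipefail
          echo "${{ secrets.GITHUB_TOKEN }}" \
            | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
          helm package "charts/${CHART}" --version "${VERSION}"
          # helm push prints "Digest: sha256:..." ; capture it so we sign the
          # immutable digest rather than a mutable tag.
          DIGEST="$(helm push "${CHART}-${VERSION}.tgz" "oci://${REGISTRY}" 2>&1 \
            | awk -F'Digest: ' '/Digest:/ {print $2}')"
          [ -n "${DIGEST}" ] || { echo "no digest from helm push" >&2; exit 1; }
          # Keyless: cosign exchanges the job's OIDC token for a short-lived
          # Fulcio certificate and records the signature in the Rekor log.
          cosign sign --yes "${REGISTRY}/${CHART}@${DIGEST}"
          echo "signed ${REGISTRY}/${CHART}@${DIGEST}"

# --- Consumer-side verification (shell, run manually or in CI) ---
# cosign verify \
#   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
#   --certificate-identity-regexp '^https://github\.com/example-org/example-chart-repo/' \
#   ghcr.io/example-org/charts/mychart:1.2.3
# A signature made by any other repository or issuer fails verification.

# --- Flux objects (placeholders) ---
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: example-charts
  namespace: flux-system
spec:
  type: oci
  url: oci://ghcr.io/example-org/charts
  interval: 10m
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: mychart
  namespace: default
spec:
  interval: 10m
  chart:
    spec:
      chart: mychart
      version: "1.2.3"
      sourceRef:
        kind: HelmRepository
        name: example-charts
        namespace: flux-system
      # Flux fetches the cosign signature for the chart artifact and will not
      # reconcile the release unless it verifies. Without matchOIDCIdentity any
      # valid keyless signature is accepted; pinning issuer and subject ties
      # the chart to this one release workflow.
      verify:
        provider: cosign
        matchOIDCIdentity:
          - issuer: "^https://token\\.actions\\.githubusercontent\\.com$"
            subject: "^https://github\\.com/example-org/example-chart-repo/"
```

Signing the digest rather than the tag matters: a tag can be re-pointed at a different artifact, and a signature over `mychart:1.2.3` would then no longer correspond to what the registry serves. Pinning `--certificate-identity-regexp` (or the Flux `matchOIDCIdentity` subject) to the release workflow's repository is what turns "someone signed this" into "this repository's release pipeline signed this".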