Helm Charts to support the Sigstore project.
Charts are available in the following formats:
The following command can be used to add the chart repository:
$ helm repo add sigstore https://sigstore.github.io/helm-charts
$ helm repo update
Once the chart has been added, install one of the available charts:
$ helm upgrade -i <release_name> sigstore/<chart_name>
Charts are also available in OCI format. The list of available charts can be found here.
Install one of the available charts:
$ helm upgrade -i <release_name> oci://ghcr.io/sigstore/helm-charts/<chart_name> --version=<version>
Charts are signed using the provenance methods provided by the Helm project and are also uploaded to the Rekor transparency server using the Helm sigstore plugin.
Verification of the signed charts can be accomplished by importing the GPG Public Key that was used to sign the associated chart.
cat security/pubkey.gpg | gpg --import --batch
Once the public key has been imported, charts can be verified using the helm verify and/or helm sigstore verify commands.
NOTE: The public key that was used to sign a particular chart may not be identical to the public key on the main branch. Each chart release has an associated git tag. The public key that was used to sign the particular chart will be included in this tag.
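The verification steps above, including the note about release tags, combined into one script. This is an added example, not code from the sigstore/helm-charts repository: the function names are hypothetical, and it assumes a local clone with tags fetched and that you pass the git tag of the chart release yourself.

```shell
#!/bin/sh
# Added example; not part of the sigstore/helm-charts repository.
# Assumes: run inside a clone of that repository with tags fetched, and
# <tag> is the git tag of the chart release being verified.

# Archive name that `helm pull` writes for a chart name and version.
chart_archive() {
  printf '%s-%s.tgz\n' "$1" "$2"
}

# verify_chart <chart_name> <version> <tag>
verify_chart() {
  if [ "$#" -ne 3 ]; then
    echo "usage: verify_chart <chart_name> <version> <tag>" >&2
    return 2
  fi
  (
    chart=$1 version=$2 tag=$3
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    # Throwaway GnuPG home so only the release key is trusted for this check.
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || exit 1

    # Take the public key from the release tag, not from the main branch.
    git show "$tag:security/pubkey.gpg" > "$work/pubkey.gpg" || exit 1
    gpg --batch --import "$work/pubkey.gpg" || exit 1

    # GnuPG 2 stores keys in a keybox; helm verify reads an exported keyring.
    gpg --batch --export --output "$work/pubring.gpg" || exit 1

    # Download the chart together with its .prov file, without installing it.
    helm pull "$chart" --repo https://sigstore.github.io/helm-charts \
      --version "$version" --prov --destination "$work" || exit 1

    # Check the signature and the chart digest recorded in the .prov file.
    helm verify "$work/$(chart_archive "$chart" "$version")" \
      --keyring "$work/pubring.gpg"
  )
}

if [ "$#" -gt 0 ]; then verify_chart "$@"; fi
```

A non-zero exit status means the key, the provenance file or the chart digest did not check out, and the chart should not be installed.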