All CloudPirates Helm charts are cryptographically signed using Cosign to ensure authenticity, integrity, and supply chain security. This document provides comprehensive guidance on verifying chart signatures.
Every chart published to registry-1.docker.io/cloudpirates/ is signed with our private key and can be verified using the corresponding public key. This ensures:
- Authenticity: Confirms charts are published by CloudPirates
- Integrity: Ensures charts haven't been tampered with since signing
- Supply Chain Security: Provides end-to-end verification of chart origins
All charts are signed with the following Cosign public key:
Download: cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5U+rM2d3hDjgP5T3cLShuuQIU9vR
Z4/G+Nug6q5vRa+C3qUA1wXjbaJFAfcIrv5VjmYAYOj13shnPpp3Zh4fnQ==
-----END PUBLIC KEY-----
Install Cosign on your system:
# macOS (using Homebrew)
brew install cosign
# Linux (using curl)
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
# Check the downloaded binary against the checksums and signatures published with the release before trusting it
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
# Windows (using winget)
winget install sigstore.cosign
Download the public key:
# Option 1: Download directly from GitHub
curl -o cosign.pub https://raw.githubusercontent.com/CloudPirates-io/helm-charts/main/cosign.pub
# Option 2: Create manually
cat > cosign.pub << 'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5U+rM2d3hDjgP5T3cLShuuQIU9vR
Z4/G+Nug6q5vRa+C3qUA1wXjbaJFAfcIrv5VjmYAYOj13shnPpp3Zh4fnQ==
-----END PUBLIC KEY-----
EOF
Whichever option you use, compare the resulting file with the key printed above. A key fetched from the same repository that publishes the charts is only as trustworthy as that download path, so pin the key from a copy you already trust rather than accepting whatever the URL currently serves.
Verify a specific chart:
# Replace <chart-name> and <version> with actual values
cosign verify --key cosign.pub registry-1.docker.io/cloudpirates/<chart-name>:<version>
# Examples:
cosign verify --key cosign.pub registry-1.docker.io/cloudpirates/clusterpirate:1.0.0
cosign verify --key cosign.pub registry-1.docker.io/cloudpirates/valkey:0.1.1
cosign verify --key cosign.pub registry-1.docker.io/cloudpirates/mariadb:0.1.0
Successful verification output:
Verification for registry-1.docker.io/cloudpirates/clusterpirate:1.0.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
This summary is written to stderr; the signature claims themselves, including the digest of the chart manifest that was signed, follow as JSON on stdout. "Verified offline" means the transparency-log bundle attached to the signature was checked locally, not that Rekor was queried. If no valid signature is found, cosign exits non-zero and prints no claims, so scripts should gate on the exit status rather than on the presence of output.
Always verify chart signatures before installation:
# 1. Verify the signature
cosign verify --key cosign.pub registry-1.docker.io/cloudpirates/clusterpirate:1.0.0
# 2. Only install after successful verification
helm install my-release oci://registry-1.docker.io/cloudpirates/clusterpirate --version 1.0.0
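The two steps above, combined into a script that refuses to install unless verification succeeds. This is an added example, not part of the CloudPirates charts or their documentation. It pins the public key printed on this page inside the script and rejects a cosign.pub on disk that differs from it, runs cosign verify against the registry path used above, extracts the signed manifest digest from cosign's JSON output, and only then runs helm install. The function names, and the sample of cosign output used in the test, are assumptions of this example; the registry path, chart names and key are the ones on this page.

```shell
#!/bin/sh
# Added example (not CloudPirates' own tooling): gate `helm install` on a
# cosign verification against a key pinned in the script itself.
set -eu

# Public key copied from the CloudPirates docs. Pinning it here means a
# swapped or tampered cosign.pub on disk is refused instead of trusted.
PINNED_KEY='-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5U+rM2d3hDjgP5T3cLShuuQIU9vR
Z4/G+Nug6q5vRa+C3qUA1wXjbaJFAfcIrv5VjmYAYOj13shnPpp3Zh4fnQ==
-----END PUBLIC KEY-----'

# key_is_pinned FILE: succeeds only if FILE holds exactly the pinned key
# (the $(cat ...) substitution drops trailing newlines, so a final newline
# in the file does not matter).
key_is_pinned() {
  [ "$(cat "$1")" = "$PINNED_KEY" ]
}

# digest_from_verify_output: read the JSON that `cosign verify` writes to
# stdout and print the signed manifest digest; fails if none is present
# (which is what happens when verification did not succeed).
digest_from_verify_output() {
  d=$(sed -n 's/.*"docker-manifest-digest":[[:space:]]*"\(sha256:[0-9a-f]\{64\}\)".*/\1/p' | head -n 1)
  [ -n "$d" ] && printf '%s\n' "$d"
}

# verify_and_install CHART VERSION RELEASE [KEYFILE]
# Hypothetical helper name; CHART and VERSION are as on this page, e.g.
# clusterpirate 1.0.0.
verify_and_install() {
  chart=$1; version=$2; release=$3; keyfile=${4:-cosign.pub}
  ref="registry-1.docker.io/cloudpirates/${chart}:${version}"

  key_is_pinned "$keyfile" || {
    echo "refusing: $keyfile is not the pinned CloudPirates key" >&2
    return 1
  }

  # cosign prints its human-readable summary on stderr and the signature
  # claims as JSON on stdout; a non-zero exit means no valid signature.
  digest=$(cosign verify --key "$keyfile" "$ref" | digest_from_verify_output) || {
    echo "signature verification failed for $ref" >&2
    return 1
  }
  echo "verified $ref (signed manifest digest $digest)" >&2

  # Only reached after a successful verification.
  helm install "$release" "oci://registry-1.docker.io/cloudpirates/${chart}" --version "$version"
}

# Usage: ./verify-install.sh clusterpirate 1.0.0 my-release [cosign.pub]
if [ "$#" -ge 3 ]; then
  verify_and_install "$@"
fi
```

The digest is logged so that what was verified can be matched against what the cluster later reports as installed; cosign and helm resolve the tag independently, so keep the two steps adjacent and compare digests if the gap between them matters in your pipeline.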