From ed2cabc7a62efd21204d31e6f5c8b9e4234216cd Mon Sep 17 00:00:00 2001
From: Matheus Pimenta
Date: Sun, 28 Sep 2025 12:20:43 +0100
Subject: [PATCH 1/3] Sign chart with cosign

Signed-off-by: Matheus Pimenta
---
 .github/workflows/release.yaml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6b4a102e..1f3c5daa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,8 +8,9 @@ on:
 jobs:
   release:
     permissions:
-      contents: write
-      packages: write
+      contents: write # for pushing to gh-pages (HTTPS Helm repository)
+      packages: write # for pushing to GHCR (OCI Helm repository)
+      id-token: write # for signing with keyless cosign
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -17,6 +18,9 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@v3.10.0
+
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
@@ -42,12 +46,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push Charts to GHCR
+      - name: Push Charts to GHCR and Sign
         run: |
           shopt -s nullglob
           for pkg in .cr-release-packages/*; do
             if [ -z "${pkg:-}" ]; then
               break
             fi
-            helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
+            chart_name=$(echo "${pkg##*/}" | sed 's/-[0-9].*$//')
+            repo="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+            helm push "${pkg}" "${repo}" |& grep Digest: | awk '{print $NF}' > digest.txt
+            cosign sign --yes "${repo}/${chart_name}@$(cat digest.txt)"
           done

From d35826f15a6ee231fe7b0244c7bdcb137d931f3c Mon Sep 17 00:00:00 2001
From: Jan Larwig
Date: Tue, 30 Sep 2025 16:35:53 +0200
Subject: [PATCH 2/3] add artifacthub notice

Signed-off-by: Jan Larwig
---
 helm/oauth2-proxy/Chart.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
index f2a3c03c..68b009e2 100644
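Review bot: `uses: sigstore/cosign-installer@v3.10.0` in the new "Setup Cosign" step pins a third-party action to a mutable tag, in a job that now also carries `id-token: write`, so a moved or retagged release would run unreviewed code with the ability to obtain this workflow's OIDC identity. Pin it to the full commit SHA of that release and keep the tag as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha-of-v3.10.0> # v3.10.0`. The same applies to the other actions in this job (Checkout, the registry login) if they are tag-pinned, which the hunk does not show.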
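Review bot: In the new push step, `helm push "${pkg}" "${repo}" |& grep Digest: | awk '{print $NF}' > digest.txt` never checks that a digest was captured, and unless the step's shell runs with `pipefail` (not visible in the hunk) a failed push exits 0 through grep/awk, so the loop continues into `cosign sign --yes` with an empty digest and the failure, if any, surfaces as an obscure reference-parse error rather than at the push. Capturing the push output in a variable lets the runner's default errexit stop on a failed push, and validating the extracted value against `^sha256:[0-9a-f]{64}$` before signing guarantees that what gets signed is exactly what was pushed; `repo` can also move out of the loop since it does not depend on `pkg`. I am not certain cosign accepts the `oci://` scheme in the reference given to `cosign sign` — worth confirming on a real release run and stripping the prefix for the cosign call if it does not; the verify example added to README.md in patch 3 uses the same prefix and additionally puts a version tag after `@`, where cosign expects a digest.
```yaml
      - name: Push Charts to GHCR and Sign
        run: |
          shopt -s nullglob
          repo="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
          digest_re='^sha256:[0-9a-f]{64}$'
          for pkg in .cr-release-packages/*; do
            # … unchanged: empty-path guard …
            chart_name=$(echo "${pkg##*/}" | sed 's/-[0-9].*$//')
            # the assignment fails the step under errexit if the push fails
            push_out=$(helm push "${pkg}" "${repo}" 2>&1)
            printf '%s\n' "${push_out}"
            digest=$(printf '%s\n' "${push_out}" | sed -n 's/^Digest: //p')
            if [[ ! "${digest}" =~ $digest_re ]]; then
              echo "no valid digest captured for ${pkg}" >&2
              exit 1
            fi
            cosign sign --yes "${repo}/${chart_name}@${digest}"
          done
```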
--- a/helm/oauth2-proxy/Chart.yaml
+++ b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 8.2.1
+version: 8.2.2
 apiVersion: v2
 appVersion: 7.12.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -31,8 +31,8 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
   artifacthub.io/changes: |
-    - kind: added
-      description: Add support for new container resize policy feature
+    - kind: security
+      description: Adding cosign keyless signing for helm chart artifact
       links:
         - name: Github PR
-          url: https://github.com/oauth2-proxy/manifests/pull/346
+          url: https://github.com/oauth2-proxy/manifests/pull/356

From 1adb0ac14c62c7bc601b50675bbff81484fdfeb0 Mon Sep 17 00:00:00 2001
From: Jan Larwig
Date: Tue, 30 Sep 2025 16:51:15 +0200
Subject: [PATCH 3/3] add documentation about how to verify the signed images

Signed-off-by: Jan Larwig
---
 README.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/README.md b/README.md
index 27c62696..6d53210d 100644
--- a/README.md
+++ b/README.md
@@ -18,3 +18,24 @@ Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/ch
 ct lint --all --config ct.yaml
 ct install --all --config ct.yaml
 ```
+
+## Verify Signed Helm Charts
+
+With the introduction of cosign for signing artifacts you can verify the
+integrity of our artifacts using the following command:
+
+```
+VERSION=8.2.2
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-github-workflow-repository oauth2-proxy/manifests \
+  --certificate-github-workflow-name "Release Charts" \
+  --certificate-github-workflow-ref main \
+  --certificate-identity "https://github.com/oauth2-proxy/manifests/.github/workflows/release.yaml@main" \
+  "oci://ghcr.io/oauth2-proxy/manifests/charts/oauth2-proxy@${VERSION}" | jq
+```
+
+Note:
+
+We utilize cosign to sign and verify artifacts with the KEYLESS mode. To learn
+more about how keyless signing is done, visit the official documentation about
+[Keyless Signatures](https://docs.sigstore.dev/cosign/signing/overview/#the-signing-witnessing-and-verifying-process).