Signing and verifying Helm charts
Similar to how the Helm maintainers sign releases, you can sign your own Helm charts so that users can verify that the chart they install actually came from you and contains the expected contents. To sign a chart, you must first have a gpg keypair present on your local workstation.
Let's demonstrate how this can be accomplished by leveraging the guestbook chart from the Packt repository. This chart is located in the Learn-Helm/helm-charts/charts/guestbook folder. We will assume that you already have a gpg keypair on your local workstation, but if you do not, you can follow the instructions from the Setup section of the Data provenance and integrity section of this chapter to configure your keypair.
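The "contains the expected contents" half of verification, as an added example (not code from the book or from the Helm project): it compares a chart archive against the sha256 digest recorded in its provenance (.prov) file. The .prov layout, the guestbook-1.0.0.tgz file name and the sample data are assumptions constructed here; a digest match means something only once the PGP signature on the .prov file has been verified, which this example leaves to gpg or helm verify.

```shell
# Added example: the digest comparison behind chart verification.
# Assumes Helm's provenance layout: a clearsigned body whose "files:" map
# holds "<archive name>: sha256:<hex digest>".

# Print the sha256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Print the digest the .prov file records for an archive name.
recorded_digest() {  # $1 = prov file, $2 = archive file name
    awk -v name="$2" '
        /^-----BEGIN PGP SIGNATURE-----/ { exit }   # signed body ends here
        /^files:/ { in_files = 1; next }
        in_files && $1 == (name ":") { sub(/^sha256:/, "", $2); print $2; exit }
    ' "$1"
}

# Return 0 only when the archive matches the digest in its .prov file;
# return 2 when a file or the recorded entry is missing.
prov_digest_ok() {  # $1 = chart archive, $2 = prov file (default: $1.prov)
    chart=$1
    prov=${2:-$1.prov}
    [ -f "$chart" ] && [ -f "$prov" ] || return 2
    want=$(recorded_digest "$prov" "$(basename "$chart")")
    [ -n "$want" ] || return 2
    [ "$want" = "$(sha256_of "$chart")" ]
}

# Write a constructed archive and provenance file into directory $1.
make_sample() {
    printf 'constructed chart bytes\n' > "$1/guestbook-1.0.0.tgz"
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA512'
        echo
        echo 'name: guestbook'
        echo 'version: 1.0.0'
        echo 'files:'
        echo "  guestbook-1.0.0.tgz: sha256:$(sha256_of "$1/guestbook-1.0.0.tgz")"
        echo '-----BEGIN PGP SIGNATURE-----'
        echo '(constructed placeholder, not a real signature)'
        echo '-----END PGP SIGNATURE-----'
    } > "$1/guestbook-1.0.0.tgz.prov"
}
```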
One important point to note before signing the guestbook chart is that you must export your public and secret keyrings to a legacy...