Verifying Helm charts with a signature


Starting with Helm version 3.8, Helm Charts can be published on OCI registries. The OCI registry allows CloudBees CI on modern cloud platforms to share Helm Charts as containers instead of .tgz files. OCI registries store containers and container signatures within the same registry. Download the Cosign verification software to sign and verify the Helm Charts stored in that OCI registry.

OCI artifact references (e.g. tags) do not support the plus sign ( + ). To support storing semantic versions, Helm adopts the convention of changing any plus ( + ) to an underscore ( _ ) in chart version tags when pushing to a registry, and then back to a plus ( + ) when pulling from a registry.

However, Cosign does not support this convention. Therefore, if you intend to verify Helm charts using Cosign, you must manually change any plus sign to an underscore when you pull the Helm chart from the OCI registry.

Verifying the origin and authenticity of signed Helm Charts is an optional step in the installation process. It can help ensure that you are not the victim of a "man-in-the-middle" attack or other types of image tampering. You should verify the signatures before you run the Helm Chart. To verify signed Helm Charts, you create a text file using the CloudBees public key, and then run the Cosign verification process. The CloudBees public key is as follows:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj
IzA5r4X2TNQJPmInN7gmcQwNLtli/3wR3jepeHulb33SbWoNw==
-----END PUBLIC KEY-----

To verify the authenticity of the signed Helm Chart, complete the following steps:

  1. Create a text file that contains the CloudBees public key. Cosign must be able to access the file to verify the images or the verification will fail.

    You can use the following command to create the text file and populate it with the CloudBees public key:

    echo -e "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj\nIzA5r4X2TNQJPmInN7gmcQwNLtli/3wR3jepeHulb33SbWoNw==\n-----END PUBLIC KEY-----" > cloudbees.key
  2. Type the following command to verify the Helm Chart:

    cosign verify --key cloudbees.key

    In this command, is the OCI registry which publishes the Helm chart and cloudbees-core is the name of the Helm Chart. The signed Helm Chart version number is 3.43.1_7ebb8eddc91a. You can modify this number to match the Helm Chart version you are trying to verify. Refer to ArtifactHub for a list of the Helm Chart versions.

    You can run the following command to retrieve the CloudBees CI on modern cloud platforms version number from a Helm Chart:

    helm show chart oci:// --version 3.43.1+7ebb8eddc91a | grep appVersion | cut -d" " -f2

    Cosign responds with a message that indicates whether the images are validated as authentic. An exit code of 0 indicates that the images are authentic. If the images are not validated as authentic, you should contact CloudBees Support.
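The two steps above, together with the plus-to-underscore tag convention and the appVersion lookup, as an added shell example that is not part of the CloudBees documentation or tooling. It assumes cosign and helm are on PATH; the registry host and repository path are placeholders, and the public key body is read from an environment variable rather than hard-coded, so the functions can be tested without the real key.

```bash
#!/usr/bin/env bash
# Added example (not CloudBees' own script): wraps the verification procedure in
# reusable functions. Assumes cosign and helm are installed; the registry host
# and repository path below are placeholders, not values from the original page.
set -u

# Helm stores a chart version such as 1.2.3+build as the OCI tag 1.2.3_build.
# Cosign does not apply this convention, so it must be given the tag form.
oci_tag_for_version() {
  printf '%s\n' "$1" | tr '+' '_'
}

# Inverse mapping: helm commands expect the '+' form (e.g. --version 1.2.3+build).
helm_version_for_tag() {
  printf '%s\n' "$1" | tr '_' '+'
}

# Write a PEM public key file for cosign --key.
# $1 = output path, $2 = base64 key body (the lines between the BEGIN/END markers).
write_key_file() {
  printf -- '-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n' "$2" > "$1"
}

# Verify the chart signature. $1 = key file, $2 = registry/repository (no tag),
# $3 = chart version in Helm form. Returns cosign's exit code: 0 means authentic.
verify_chart() {
  local key_file=$1 repo=$2 version=$3 tag
  tag=$(oci_tag_for_version "$version")
  cosign verify --key "$key_file" "${repo}:${tag}"
}

# Print the chart's appVersion (the product version), as the helm show command above does.
# $1 = registry/repository, $2 = chart version in either Helm or OCI-tag form.
chart_app_version() {
  local repo=$1 version=$2
  helm show chart "oci://${repo}" --version "$(helm_version_for_tag "$version")" \
    | grep '^appVersion' | cut -d' ' -f2
}

# Only run the verification when invoked with --run, so the functions can be
# sourced or tested on their own without contacting a registry.
if [ "${1:-}" = "--run" ]; then
  REPO="registry.example.invalid/cloudbees/cloudbees-core"   # placeholder registry/repo
  VERSION="3.43.1+7ebb8eddc91a"                               # chart version from the page
  KEY_BODY="${CLOUDBEES_KEY_BODY:?set to the base64 body of the CloudBees public key}"
  write_key_file cloudbees.key "$KEY_BODY"
  verify_chart cloudbees.key "$REPO" "$VERSION"; rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "signature verified; product version: $(chart_app_version "$REPO" "$VERSION")"
  else
    echo "verification FAILED (cosign exit code $rc); contact CloudBees Support" >&2
    exit "$rc"
  fi
fi
```

Run it as `CLOUDBEES_KEY_BODY='<base64 body>' ./verify-chart.sh --run` after replacing the placeholder repository. The script converts the Helm version to the underscore tag only for the cosign call and keeps the plus form for helm, which is exactly the mismatch the note above warns about.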