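#!/bin/bash
# helm-gpg plugin: sign a chart archive with GnuPG, or verify an archive
# against its clear-signed .prov file. Needs `gpg`, `openssl` and `tar`.
#   helm gpg sign [-u|--local-user KEYID] CHART.tgz
#   helm gpg verify CHART.tgz
#
# -e: any unhandled failure aborts (a bad signature must never fall through
#     to "verified"); -u: unset variables are errors; -o pipefail: the
#     `openssl | awk` digest pipeline fails when openssl fails instead of
#     yielding an empty hash that would be signed or matched as a prefix.
set -euo pipefail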
# Top-level help text for the plugin, printed to stdout.
# The quoted delimiter makes the heredoc literal (no parameter expansion).
usage() {
  cat <<'EOF'
GnuPG integration with Helm
This provides integration with 'gpg', the command line tool for working with
GnuPG.
Available Commands:
sign Sign a chart archive (tgz file) with a GPG key
verify Verify a chart archive (tgz + tgz.prov) with your GPG keyring
EOF
}
# Help text for the `sign` verb, one line per printf argument, on stdout.
sign_usage() {
  printf '%s\n' \
    'Sign a chart using GnuPG credentials.' \
    "This is an alternative to 'helm sign'. It uses your gpg credentials" \
    'to sign a chart.' \
    'Example:' \
    '$ helm gpg sign foo-0.1.0.tgz'
}
# Help text for the `verify` verb, including the fetch --prov / verify /
# install workflow it is meant to slot into. Printed to stdout.
verify_usage() {
  local -a lines=(
    'Verify a chart'
    "This is an alternative to 'helm verify'. It uses your gpg credentials"
    'to verify a chart.'
    'Example:'
    '$ helm gpg verify foo-0.1.0.tgz'
    "In typical usage, use 'helm fetch --prov' to fetch a chart:"
    '$ helm fetch --prov upstream/wordpress'
    '$ helm gpg verify wordpress-1.2.3.tgz'
    '$ helm install ./wordpress-1.2.3.tgz'
  )
  printf '%s\n' "${lines[@]}"
}
# True (exit 0) when $1 is one of the help spellings -h, --help or help;
# false (exit 1) for anything else, including an empty string.
is_help() {
  case "$1" in
    -h | --help | help) return 0 ;;
  esac
  return 1
}
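#######################################
# Write a clear-signed provenance file "<chart>.prov" for a chart archive.
# The signed body is the archive's top-level Chart.yaml, a YAML document
# separator, and a `files:` map recording the archive's sha256 under the path
# exactly as given on the command line. verify() later searches the signed
# text for that same "<path>: sha256:<hex>" line, so verification has to be
# run with the same path string (e.g. both "foo.tgz", not one "./foo.tgz").
# Globals:   keyname (read) - key id from -u/--local-user; "" = gpg's default
# Arguments: $1 - chart archive (.tgz); -h/--help/help prints usage instead
#            $2 - optional key id; the dispatcher passes $keyname here, and a
#                 non-empty $2 takes precedence over the global
# Outputs:   a progress line and gpg's own output on stdout; creates "$1.prov"
# Returns:   0 on success; 1 if the archive is missing or cannot be hashed;
#            otherwise gpg's exit status
#######################################
sign() {
  if is_help "$1"; then
    sign_usage
    return
  fi
  local chart=$1
  # ${keyname:-} keeps `set -u` quiet when sign() is called without the
  # dispatcher having set the global.
  local key=${2:-${keyname:-}}
  if [[ ! -f "$chart" ]]; then
    printf 'Error: chart archive %s does not exist\n' "$chart" >&2
    return 1
  fi
  echo "Signing $chart"
  local digest chartyaml
  digest=$(shasum "$chart")
  # Never sign an empty digest: "files:\n<chart>: sha256:" would later match
  # any hash as a prefix during verification.
  if [[ -z "$digest" ]]; then
    printf 'Error: could not compute sha256 of %s\n' "$chart" >&2
    return 1
  fi
  # -O streams the member to stdout; charts/ is excluded so dependency charts'
  # own Chart.yaml files are not picked up by the '*/Chart.yaml' pattern.
  chartyaml=$(tar -zxf "$chart" --exclude 'charts/' -O '*/Chart.yaml')
  local body
  body=$(printf '%s\n...\nfiles:\n%s: sha256:%s' "$chartyaml" "$chart" "$digest")
  # gpg's argv is built as an array so a key id containing spaces (a user id
  # such as "Jane Doe <jane@example.org>") stays a single argument; the old
  # unquoted "-u $keyname" string was word-split.
  local -a gpg_args=(--clearsign -o "$chart.prov")
  if [[ -n "$key" ]]; then
    gpg_args+=(-u "$key")
  fi
  printf '%s\n' "$body" | gpg "${gpg_args[@]}"
}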
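#######################################
# Check a chart archive against its clear-signed "<chart>.prov".
# Two checks, both required: the .prov signature must verify against the local
# keyring, and the text that was signed must contain "<chart>: sha256:<hex>"
# for the archive's actual digest.
# Caveat: `gpg --verify` exits 0 for a good signature from ANY key present in
# the keyring, trusted or not (an uncertified key only earns a warning). So
# this proves "signed by a key you imported", not "signed by a key you trust";
# inspect or pin the signer's fingerprint when that distinction matters.
# Arguments: $1 - chart archive; -h/--help/help prints usage instead
# Outputs:   gpg's verification messages and a status line on stdout
# Returns:   0 when both checks pass; 1 if the archive or .prov is missing;
#            3 if the digest is absent from the signed text or cannot be
#            computed; gpg's status (via `set -e`) when the signature fails
#######################################
verify() {
  if is_help "$1"; then
    verify_usage
    return
  fi
  local chart=$1
  local prov="$chart.prov"
  if [[ ! -f "$chart" || ! -f "$prov" ]]; then
    printf 'Error: both %s and %s must exist\n' "$chart" "$prov" >&2
    return 1
  fi
  # A bad or unverifiable signature aborts here with gpg's status (set -e).
  gpg --verify "$prov"
  # Match the digest against the text gpg actually verified rather than the
  # raw file: grepping the whole .prov would also match bytes placed outside
  # the signed block. `--decrypt` on a clear-signed message re-checks the
  # signature and writes only the signed body to stdout.
  local signed sha
  signed=$(gpg --batch --decrypt "$prov" 2>/dev/null)
  sha=$(shasum "$chart")
  # An empty digest would turn the pattern into the prefix "<chart>: sha256:"
  # and match whatever hash the .prov carries.
  if [[ -z "$sha" ]]; then
    echo "ERROR could not compute sha256 of $chart" >&2
    return 3
  fi
  # -F: path and hex are literal text, not a regex ('.' would match anything);
  # -- protects a chart path that starts with '-'.
  if ! grep -qF -- "$chart: sha256:$sha" <<<"$signed"; then
    echo "ERROR SHA verify error: sha256:$sha does not match $prov" >&2
    return 3
  fi
  echo "plugin: Chart SHA verified. sha256:$sha"
}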
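#######################################
# Print the hex sha256 digest of a file.
# Note: this function shadows any `shasum` utility on PATH for the rest of
# the script; sign() and verify() rely on it.
# Arguments: $1 - path to hash
# Outputs:   the hex digest on stdout
# Returns:   0 on success; 1 when openssl produced no digest (e.g. an
#            unreadable file). Previously an empty string was printed with
#            status 0, which let callers match "<name>: sha256:" as a prefix.
#######################################
shasum() {
  local digest
  # `openssl dgst` prints "<ALG>(<path>)= <hex>". Take the last field, not
  # $2: a path containing spaces shifts the hex out of the second column.
  digest=$(openssl dgst -sha256 "$1" | awk '{ print $NF }')
  if [[ -z "$digest" ]]; then
    return 1
  fi
  printf '%s\n' "$digest"
}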
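# ---- entry point -----------------------------------------------------------
# Helm hands this script everything after the plugin name:
#   sign   [-u|--local-user KEYID] CHART.tgz
#   verify CHART.tgz
# Argument counts use (( )): inside [[ ]] the `<` operator compares strings,
# so `[[ $# < 2 ]]` is false for, say, 10 arguments.
if (( $# < 1 )); then
  usage
  exit 1
fi

# Portable "is it on PATH" check with no output to suppress.
if ! command -v gpg > /dev/null 2>&1; then
  echo "Command like 'gpg' client must be installed" >&2
  exit 1
fi

case "${1:-help}" in
  sign)
    if (( $# < 2 )); then
      # The original called push_usage, which this script never defines;
      # under `set -e` that died with "command not found" instead of helping.
      sign_usage
      echo "Error: Chart package required." >&2
      exit 1
    fi
    shift
    # Key id to sign with, read by sign(); empty lets gpg choose its default.
    keyname=""
    # Options are expected after the verb. ${1:-}/${2:-} keep `set -u` from
    # aborting with "unbound variable" when a flag is the last argument.
    while [[ -n "${1:-}" ]]; do
      case "$1" in
        -u | --local-user)
          if [[ -z "${2:-}" ]]; then
            echo "Error: $1 requires a key id." >&2
            exit 1
          fi
          keyname=$2
          echo "Setting keyname to $keyname"
          shift 2
          ;;
        *)
          break
          ;;
      esac
    done
    if [[ -z "${1:-}" ]]; then
      # e.g. `helm gpg sign -u KEYID` with no archive after the option.
      sign_usage
      echo "Error: Chart package required." >&2
      exit 1
    fi
    # Quoted: an unquoted $keyname would be word-split on a user id with spaces.
    sign "$1" "$keyname"
    ;;
  verify)
    if (( $# < 2 )); then
      verify_usage
      echo "Error: Chart package required." >&2
      exit 1
    fi
    verify "$2"
    ;;
  help | --help | -h)
    usage
    ;;
  *)
    usage
    exit 1
    ;;
esac
exit 0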