Chart Provenance

As of Workflow v2.8.0, Deis has released Kubernetes Helm charts for Workflow and for each of its components.

Helm provides tools for establishing and verifying chart integrity. (For an overview, see the Provenance doc.) All release charts from the Deis Workflow team are now signed using this mechanism.

The full Deis, Inc. (Helm chart signing key) <> public key can be found here, as well as the keyserver and the official Deis Keybase account. The key's fingerprint can be cross-checked against all of these sources.

Verifying a signed chart

The public key mentioned above must exist in a local keyring before a signed chart can be verified.

To add it to the default ~/.gnupg/pubring.gpg keyring, any of the following commands will work:

$ # via our hosted location
$ curl | gpg --import

$ # via the keyserver
$ gpg --keyserver --recv-keys 1D6A97D0

$ # via Keybase with account...
$ keybase follow deis
$ keybase pgp pull

$ # via Keybase by curl
$ curl | gpg --import

Charts signed with this key can then be verified when fetched:

NOTE: These docs need to be updated. TODO

$ helm repo add hephy
"hephy" has been added to your repositories

$ helm fetch --verify hephy/workflow --version v2.17.0
Verification: &{0xc420704c80 sha256:a2a140dca075a2eabe20422f1aa5bc1ce210b18a326472d6b2708e1a93afebea workflow-v2.17.0.tgz}

One can then inspect the fetched workflow-v2.17.0.tgz.prov provenance file.

If the chart was not signed, the command above would result in:

Error: Failed to fetch provenance ""

Alternatively, the chart can also be verified at install time:

$ helm install --verify hephy/workflow --namespace deis
NAME:   exiled-mink
LAST DEPLOYED: Wed Aug  9 08:22:16 2017

$ helm ls
NAME        REVISION    UPDATED                     STATUS      CHART
exiled-mink 1           Wed Aug  9 08:22:16 2017    DEPLOYED    workflow-v2.17.0

Having done so, one is assured of the origin and authenticity of any installed Workflow chart released by Deis.