msb-public
/
helm
mirror of https://github.com/helm/helm
1
0
Code Issues Projects Releases Wiki Activity

Change behavior for installing plugin with missing .prov file (now warns and continues instead of failing)

Browse Source 
Signed-off-by: Scott Rigby <scott@r6by.com>
pull/31176/head
Scott Rigby 4 weeks ago
parent aef38ea221
commit 0d54097d54
No known key found for this signature in database
GPG Key ID: C7C6FBB5B91C1155
4 changed files with 49 additions and 46 deletions
Show Stats Download Patch File Download Diff File

19
internal/plugin/installer/http_installer.go
Unescape View File

@ -184,20 +184,15 @@ func (i *HTTPInstaller) PrepareForVerification() (string, func(), error) {
return "", nil, fmt.Errorf("failed to write plugin file: %w", err) return "", nil, fmt.Errorf("failed to write plugin file: %w", err)
} }
// Download signature file // Try to download signature file - don't fail if it doesn't exist
provData, err := g.Get(i.Source+".prov", getter.WithURL(i.Source+".prov")) if provData, err := g.Get(i.Source+".prov", getter.WithURL(i.Source+".prov")); err == nil {
if err != nil { if err := os.WriteFile(pluginFile+".prov", provData.Bytes(), 0644); err == nil {
cleanup()
return "", nil, fmt.Errorf("failed to download plugin signature: %w", err)
}
if err := os.WriteFile(pluginFile+".prov", provData.Bytes(), 0644); err != nil {
cleanup()
return "", nil, fmt.Errorf("failed to write signature file: %w", err)
}
// Store the provenance data so we can save it after installation // Store the provenance data so we can save it after installation
i.provData = provData.Bytes() i.provData = provData.Bytes()
}
}
// Note: We don't fail if .prov file can't be downloaded - the verification logic
// in InstallWithOptions will handle missing .prov files appropriately
return pluginFile, cleanup, nil return pluginFile, cleanup, nil
} }

14
internal/plugin/installer/installer.go
Unescape View File

@ -100,7 +100,18 @@ func InstallWithOptions(i Installer, opts Options) (*VerificationResult, error)
defer cleanup() defer cleanup()
} }
// Verify the plugin // Check if provenance file exists
provFile := pluginPath + ".prov"
if _, err := os.Stat(provFile); err != nil {
if os.IsNotExist(err) {
// No .prov file found - emit warning but continue installation
fmt.Fprintf(os.Stderr, "WARNING: No provenance file found for plugin. Plugin is not signed and cannot be verified.\n")
} else {
// Other error accessing .prov file
return nil, fmt.Errorf("failed to access provenance file: %w", err)
}
} else {
// Provenance file exists - verify the plugin
verification, err := plugin.VerifyPlugin(pluginPath, opts.Keyring) verification, err := plugin.VerifyPlugin(pluginPath, opts.Keyring)
if err != nil { if err != nil {
return nil, fmt.Errorf("plugin verification failed: %w", err) return nil, fmt.Errorf("plugin verification failed: %w", err)
@ -116,6 +127,7 @@ func InstallWithOptions(i Installer, opts Options) (*VerificationResult, error)
result.SignedBy = append(result.SignedBy, name) result.SignedBy = append(result.SignedBy, name)
} }
} }
}
if err := i.Install(); err != nil { if err := i.Install(); err != nil {
return nil, err return nil, err

11
internal/plugin/installer/local_installer.go
Unescape View File

@ -190,15 +190,14 @@ func (i *LocalInstaller) PrepareForVerification() (string, func(), error) {
return "", nil, fmt.Errorf("verification not supported for directories") return "", nil, fmt.Errorf("verification not supported for directories")
} }
// For local files, we just need to check that the .prov file exists // For local files, try to read the .prov file if it exists
provFile := i.Source + ".prov" provFile := i.Source + ".prov"
provData, err := os.ReadFile(provFile) if provData, err := os.ReadFile(provFile); err == nil {
if err != nil {
return "", nil, fmt.Errorf("signature file %s not found: %w", provFile, err)
}
// Store the provenance data so we can save it after installation // Store the provenance data so we can save it after installation
i.provData = provData i.provData = provData
}
// Note: We don't fail if .prov file doesn't exist - the verification logic
// in InstallWithOptions will handle missing .prov files appropriately
// Return the source path directly, no cleanup needed // Return the source path directly, no cleanup needed
return i.Source, nil, nil return i.Source, nil, nil

19
internal/plugin/installer/oci_installer.go
Unescape View File

@ -288,21 +288,18 @@ func (i *OCIInstaller) PrepareForVerification() (pluginPath string, cleanup func
return "", nil, fmt.Errorf("failed to save plugin tarball: %w", err) return "", nil, fmt.Errorf("failed to save plugin tarball: %w", err)
} }
// Download the provenance file // Try to download the provenance file - don't fail if it doesn't exist
provSource := i.Source + ".prov" provSource := i.Source + ".prov"
provData, err := i.getter.Get(provSource) if provData, err := i.getter.Get(provSource); err == nil {
if err != nil {
cleanup()
return "", nil, fmt.Errorf("failed to pull provenance from %s: %w", provSource, err)
}
// Save provenance to temp directory // Save provenance to temp directory
provFile := filepath.Join(tempDir, filename+".prov") provFile := filepath.Join(tempDir, filename+".prov")
if err := os.WriteFile(provFile, provData.Bytes(), 0644); err != nil { if err := os.WriteFile(provFile, provData.Bytes(), 0644); err == nil {
cleanup() slog.Debug("prepared plugin for verification", "plugin", pluginTarball, "provenance", provFile)
return "", nil, fmt.Errorf("failed to save provenance file: %w", err)
} }
}
// Note: We don't fail if .prov file can't be downloaded - the verification logic
// in InstallWithOptions will handle missing .prov files appropriately
slog.Debug("prepared plugin for verification", "plugin", pluginTarball, "provenance", provFile) slog.Debug("prepared plugin for verification", "plugin", pluginTarball)
return pluginTarball, cleanup, nil return pluginTarball, cleanup, nil
} }

Write Preview
Loading…
Cancel
Save