From 420da12d9d1a208170aefb23e6a4310d8082779a Mon Sep 17 00:00:00 2001
From: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
Date: Wed, 22 Apr 2020 13:05:26 -0500
Subject: [PATCH] do not auto-import GPG keys

Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
---
 scripts/get-helm-3 | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/scripts/get-helm-3 b/scripts/get-helm-3
index 5601f4335..fa98792fd 100755
--- a/scripts/get-helm-3
+++ b/scripts/get-helm-3
@@ -172,8 +172,8 @@ verifyChecksum() {
 echo "Done."
 }
 
-# verifySignatures obtains the KEYS and signature .asc files from GitHub,
-# then verifies that the release artifacts were signed by a valid key.
+# verifySignatures obtains the signature .asc files from the GitHub release,
+# then verifies that the release artifacts were signed by a trusted key.
 verifySignatures() {
 if [ "${HAS_GPG}" != "true" ]; then
 echo "In order to verify signatures, gpg must first be installed."
@@ -181,18 +181,10 @@ verifySignatures() {
 exit 1
 fi
 printf "Verifying signatures... "
- local keys_filename="KEYS"
- local github_keys_url="https://raw.githubusercontent.com/helm/helm/master/${keys_filename}"
- if [ "${HAS_CURL}" == "true" ]; then
- curl -SsL "${github_keys_url}" -o "${HELM_TMP_ROOT}/${keys_filename}"
- elif [ "${HAS_WGET}" == "true" ]; then
- wget -q -O "${github_keys_url}" "${HELM_TMP_ROOT}/${keys_filename}"
- fi
 local gpg_stderr_device="/dev/null"
 if [ "${DEBUG}" == "true" ]; then
 gpg_stderr_device="/dev/stderr"
 fi
- gpg --import "${HELM_TMP_ROOT}/${keys_filename}" 2> "${gpg_stderr_device}"
 local github_release_url="https://github.com/helm/helm/releases/download/${TAG}"
 if [ "${HAS_CURL}" == "true" ]; then
 curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
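Review bot: The rewritten header comment on verifySignatures says the artifacts must be signed by "a trusted key" but does not say where that trust comes from, now that the KEYS download and `gpg --import` are removed in the second hunk. After this change the check can only pass against keys already in the caller's GnuPG keyring, so I would add `# The signing keys are not fetched here; they must already be in the caller's GnuPG keyring, imported and checked out of band.` Because `gpg_stderr_device` still defaults to `/dev/null` unless DEBUG is set, a missing key will probably surface as a bare failure, so a short hint in the failure path would help too. The verify call itself is outside this hunk, but if it is a plain `gpg --verify`, a good signature from any key present in the keyring is accepted whatever its trust level, so "trusted" may overstate what is checked.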