Ruslan Shaydullin 1 day ago committed by GitHub
commit c61ec0d90a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -19,6 +19,7 @@ import (
"errors"
"fmt"
"io"
"io/fs"
"os"
"path/filepath"
@ -92,9 +93,26 @@ func newDependencyBuildCmd(out io.Writer) *cobra.Command {
}
// defaultKeyring returns the expanded path to the default keyring.
//
// The legacy pubring.gpg file is preferred and treated as absent only when
// stat fails with "not exist" — any other stat error (e.g. permissions)
// keeps the legacy path so the real error surfaces when the file is opened.
// If the legacy file is absent, the keybox file maintained by modern GnuPG
// (2.1+) takes over under the same rule. When neither exists, the legacy
// path is returned so that error messages keep pointing at the traditional
// default.
func defaultKeyring() string {
gnupgHome := filepath.Join(homedir.HomeDir(), ".gnupg")
if v, ok := os.LookupEnv("GNUPGHOME"); ok {
return filepath.Join(v, "pubring.gpg")
gnupgHome = v
}
return filepath.Join(homedir.HomeDir(), ".gnupg", "pubring.gpg")
legacy := filepath.Join(gnupgHome, "pubring.gpg")
if _, err := os.Stat(legacy); !errors.Is(err, fs.ErrNotExist) {
return legacy
}
keybox := filepath.Join(gnupgHome, "pubring.kbx")
if _, err := os.Stat(keybox); !errors.Is(err, fs.ErrNotExist) {
return keybox
}
return legacy
}

@ -19,6 +19,7 @@ import (
"fmt"
"os"
"path/filepath"
"runtime"
"strings"
"testing"
@ -162,3 +163,84 @@ func TestDependencyBuildCmdWithHelmV2Hash(t *testing.T) {
t.Fatal(err)
}
}
func TestDefaultKeyring(t *testing.T) {
touch := func(t *testing.T, path string) {
t.Helper()
if err := os.WriteFile(path, []byte("test"), 0o644); err != nil {
t.Fatal(err)
}
}
tests := []struct {
name string
files []string
want string
}{
{"legacy keyring only", []string{"pubring.gpg"}, "pubring.gpg"},
{"keybox only", []string{"pubring.kbx"}, "pubring.kbx"},
{"legacy keyring preferred over keybox", []string{"pubring.gpg", "pubring.kbx"}, "pubring.gpg"},
{"neither present falls back to legacy path", nil, "pubring.gpg"},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
dir := t.TempDir()
t.Setenv("GNUPGHOME", dir)
for _, f := range tt.files {
touch(t, filepath.Join(dir, f))
}
if got, want := defaultKeyring(), filepath.Join(dir, tt.want); got != want {
t.Errorf("expected %q, got %q", want, got)
}
})
}
t.Run("stat error other than not-exist keeps the legacy path", func(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("directory permissions are not enforced on Windows")
}
if os.Geteuid() == 0 {
t.Skip("root bypasses directory permissions")
}
parent := t.TempDir()
dir := filepath.Join(parent, ".gnupg")
if err := os.MkdirAll(dir, 0o700); err != nil {
t.Fatal(err)
}
touch(t, filepath.Join(dir, "pubring.kbx"))
t.Setenv("GNUPGHOME", dir)
// Make the directory unsearchable so stat on both keyrings fails
// with a permission error rather than "not exist".
if err := os.Chmod(dir, 0o000); err != nil {
t.Fatal(err)
}
t.Cleanup(func() { os.Chmod(dir, 0o700) })
if got, want := defaultKeyring(), filepath.Join(dir, "pubring.gpg"); got != want {
t.Errorf("expected %q, got %q", want, got)
}
})
t.Run("no GNUPGHOME falls back to the home directory", func(t *testing.T) {
home := t.TempDir()
t.Setenv("HOME", home)
t.Setenv("GNUPGHOME", home) // register restoration before unsetting
os.Unsetenv("GNUPGHOME")
gnupgDir := filepath.Join(home, ".gnupg")
if err := os.MkdirAll(gnupgDir, 0o700); err != nil {
t.Fatal(err)
}
if got, want := defaultKeyring(), filepath.Join(gnupgDir, "pubring.gpg"); got != want {
t.Errorf("expected %q, got %q", want, got)
}
touch(t, filepath.Join(gnupgDir, "pubring.kbx"))
if got, want := defaultKeyring(), filepath.Join(gnupgDir, "pubring.kbx"); got != want {
t.Errorf("expected %q, got %q", want, got)
}
})
}

@ -0,0 +1,113 @@
/*
Copyright The Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package provenance
import (
"bytes"
"encoding/binary"
"errors"
"fmt"
)
// GnuPG 2.1+ stores public keys in a "keybox" (pubring.kbx) — a container
// format that interleaves OpenPGP keyblocks with GnuPG-specific metadata. It
// is not an OpenPGP packet stream, so it cannot be handed to
// openpgp.ReadKeyRing directly. A keybox is a sequence of blobs, each starting
// with:
//
// byte 0..3 u32 blob length, big endian, including this header
// byte 4 u8 blob type (0 empty, 1 header, 2 OpenPGP, 3 X.509)
// byte 5 u8 blob version
//
// The first blob is a header carrying the "KBXf" magic at offset 8. OpenPGP
// blobs (type 2) record where the raw keyblock lives inside the blob:
//
// byte 8..11 u32 keyblock offset, relative to the blob start
// byte 12..15 u32 keyblock length
//
// Reference: kbx/keybox-blob.c in the GnuPG source tree.
const (
kbxBlobTypeHeader = 1
kbxBlobTypeOpenPGP = 2
// kbxBlobFlagEphemeral marks a blob GnuPG considers not (yet) part of
// the keyring, e.g. written during an interrupted keyserver operation
// (KEYBOX_FLAG_BLOB_EPHEMERAL in kbx/keybox.h). GnuPG skips such blobs
// on every normal read (kbx/keybox-search.c), and so do we.
kbxBlobFlagEphemeral = 0x0002
// kbxMinBlobLen covers the length and type fields present in every blob.
kbxMinBlobLen = 5
// kbxOpenPGPHeaderLen is how much of an OpenPGP blob header must be
// present for the flags, keyblock offset and keyblock length fields to
// be readable.
kbxOpenPGPHeaderLen = 16
)
// isKeybox reports whether data looks like a GnuPG keybox (pubring.kbx)
// image, identified by the "KBXf" magic in the mandatory first header blob.
func isKeybox(data []byte) bool {
return len(data) >= 12 && data[4] == kbxBlobTypeHeader && string(data[8:12]) == "KBXf"
}
// isArmored reports whether data looks like an ASCII-armored keyring, as
// produced by `gpg --export --armor`.
func isArmored(data []byte) bool {
return bytes.HasPrefix(bytes.TrimSpace(data), []byte("-----BEGIN PGP"))
}
// keyboxPublicKeys extracts the OpenPGP keyblocks embedded in a keybox image
// and returns them concatenated, ready for openpgp.ReadKeyRing. Blobs of any
// other type (header, X.509, empty) are skipped, as are blobs flagged
// ephemeral, which GnuPG itself ignores when reading the keyring. Malformed
// input yields an error, never a panic.
func keyboxPublicKeys(data []byte) ([]byte, error) {
var keyblocks bytes.Buffer
for offset := 0; offset < len(data); {
rest := data[offset:]
if len(rest) < kbxMinBlobLen {
return nil, fmt.Errorf("truncated blob header at offset %d", offset)
}
blobLen := binary.BigEndian.Uint32(rest)
if blobLen < kbxMinBlobLen {
return nil, fmt.Errorf("invalid blob length %d at offset %d", blobLen, offset)
}
if uint64(blobLen) > uint64(len(rest)) {
return nil, fmt.Errorf("blob at offset %d has length %d exceeding the %d remaining bytes", offset, blobLen, len(rest))
}
blob := rest[:blobLen]
if blob[4] == kbxBlobTypeOpenPGP {
if len(blob) < kbxOpenPGPHeaderLen {
return nil, fmt.Errorf("OpenPGP blob at offset %d is too short", offset)
}
flags := binary.BigEndian.Uint16(blob[6:])
keyblockOffset := binary.BigEndian.Uint32(blob[8:])
keyblockLen := binary.BigEndian.Uint32(blob[12:])
if uint64(keyblockOffset)+uint64(keyblockLen) > uint64(len(blob)) {
return nil, fmt.Errorf("OpenPGP blob at offset %d has an out-of-range keyblock", offset)
}
if flags&kbxBlobFlagEphemeral == 0 {
keyblocks.Write(blob[keyblockOffset : keyblockOffset+keyblockLen])
}
}
offset += int(blobLen)
}
if keyblocks.Len() == 0 {
return nil, errors.New("keybox contains no OpenPGP keys")
}
return keyblocks.Bytes(), nil
}

@ -0,0 +1,188 @@
/*
Copyright The Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package provenance
import (
"bytes"
"encoding/binary"
"os"
"testing"
"github.com/ProtonMail/go-crypto/openpgp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
const (
// testKeybox is a GnuPG keybox (pubring.kbx) containing the helm-test
// public key. Regenerate with testdata/regen-keyring-formats.sh.
testKeybox = "testdata/helm-test-key.kbx"
// testMixedKeybox is a keybox containing the RSA and Ed25519 test keys.
testMixedKeybox = "testdata/helm-mixed-keyring.kbx"
// testArmoredPubfile is the ASCII-armored export of the helm-test key.
testArmoredPubfile = "testdata/helm-test-key.asc"
// testMultiBlockArmored is two concatenated single-key armored exports
// (cat key1.asc key2.asc), covering the RSA and Ed25519 test keys.
testMultiBlockArmored = "testdata/helm-mixed-keyring.asc"
)
func TestIsKeybox(t *testing.T) {
tests := []struct {
name string
file string
want bool
}{
{"keybox", testKeybox, true},
{"mixed keybox", testMixedKeybox, true},
{"legacy binary keyring", testPubfile, false},
{"armored keyring", testArmoredPubfile, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
data, err := os.ReadFile(tt.file)
require.NoError(t, err)
assert.Equal(t, tt.want, isKeybox(data))
})
}
t.Run("degenerate inputs", func(t *testing.T) {
assert.False(t, isKeybox(nil))
assert.False(t, isKeybox([]byte{}))
assert.False(t, isKeybox([]byte("KBXf")))
assert.False(t, isKeybox([]byte("garbage that is longer than twelve bytes")))
})
}
func TestIsArmored(t *testing.T) {
tests := []struct {
name string
file string
want bool
}{
{"armored keyring", testArmoredPubfile, true},
{"legacy binary keyring", testPubfile, false},
{"keybox", testKeybox, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
data, err := os.ReadFile(tt.file)
require.NoError(t, err)
assert.Equal(t, tt.want, isArmored(data))
})
}
t.Run("degenerate inputs", func(t *testing.T) {
assert.False(t, isArmored(nil))
assert.False(t, isArmored([]byte("not a key")))
assert.True(t, isArmored([]byte("\n\t -----BEGIN PGP PUBLIC KEY BLOCK-----")))
})
}
func TestKeyboxPublicKeys(t *testing.T) {
data, err := os.ReadFile(testKeybox)
require.NoError(t, err)
keys, err := keyboxPublicKeys(data)
require.NoError(t, err)
ring, err := openpgp.ReadKeyRing(bytes.NewReader(keys))
require.NoError(t, err)
require.Len(t, ring, 1)
_, ok := ring[0].Identities[testKeyName]
assert.True(t, ok, "expected keybox to contain %q", testKeyName)
}
func TestKeyboxPublicKeysEphemeral(t *testing.T) {
// GnuPG flags in-progress key material as ephemeral (bit 0x0002 of the
// blob flags at blob offset 6) and hides it from every normal read; the
// parser must do the same.
setFlags := func(t *testing.T, data []byte, blobStart int, flags uint16) []byte {
t.Helper()
require.Equal(t, byte(kbxBlobTypeOpenPGP), data[blobStart+4])
mutated := bytes.Clone(data)
binary.BigEndian.PutUint16(mutated[blobStart+6:], flags)
return mutated
}
t.Run("all blobs ephemeral means no keys", func(t *testing.T) {
valid, err := os.ReadFile(testKeybox)
require.NoError(t, err)
_, err = keyboxPublicKeys(setFlags(t, valid, 32, kbxBlobFlagEphemeral))
assert.ErrorContains(t, err, "no OpenPGP keys")
})
t.Run("ephemeral blob is skipped, others kept", func(t *testing.T) {
valid, err := os.ReadFile(testMixedKeybox)
require.NoError(t, err)
// Flag only the first OpenPGP blob (the RSA helm-test key).
keys, err := keyboxPublicKeys(setFlags(t, valid, 32, kbxBlobFlagEphemeral))
require.NoError(t, err)
ring, err := openpgp.ReadKeyRing(bytes.NewReader(keys))
require.NoError(t, err)
require.Len(t, ring, 1)
_, ok := ring[0].Identities[testKeyName]
assert.False(t, ok, "expected the ephemeral-flagged %q blob to be skipped", testKeyName)
})
}
func TestKeyboxPublicKeysMalformed(t *testing.T) {
valid, err := os.ReadFile(testKeybox)
require.NoError(t, err)
// The mutations below rely on the fixture layout: a 32-byte header blob
// followed by an OpenPGP blob.
const blobStart = 32
require.Greater(t, len(valid), blobStart+16)
require.Equal(t, byte(kbxBlobTypeOpenPGP), valid[blobStart+4])
mutate := func(offset int, value uint32) []byte {
data := bytes.Clone(valid)
binary.BigEndian.PutUint32(data[offset:], value)
return data
}
tests := []struct {
name string
data []byte
}{
{"header only, no keys", valid[:blobStart]},
{"truncated inside blob header", valid[:blobStart+2]},
{"truncated inside blob body", valid[:blobStart+16]},
{"zero blob length", mutate(blobStart, 0)},
{"blob length below minimum", mutate(blobStart, 4)},
{"blob length past end of data", mutate(blobStart, uint32(len(valid))+1)},
{"keyblock offset out of range", mutate(blobStart+8, uint32(len(valid)))},
{"keyblock length out of range", mutate(blobStart+12, uint32(len(valid)))},
{"keyblock offset overflow", mutate(blobStart+8, ^uint32(0))},
{"keyblock length overflow", mutate(blobStart+12, ^uint32(0))},
{"openpgp blob shorter than its header", append(bytes.Clone(valid[:blobStart]), 0, 0, 0, 8, kbxBlobTypeOpenPGP, 1, 0, 0)},
{"empty input", nil},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, err := keyboxPublicKeys(tt.data)
assert.Error(t, err)
})
}
}

@ -26,6 +26,7 @@ import (
"strings"
"github.com/ProtonMail/go-crypto/openpgp"
"github.com/ProtonMail/go-crypto/openpgp/armor"
"github.com/ProtonMail/go-crypto/openpgp/clearsign"
"github.com/ProtonMail/go-crypto/openpgp/packet"
"sigs.k8s.io/yaml"
@ -358,13 +359,65 @@ func loadKey(keypath string) (*openpgp.Entity, error) {
return openpgp.ReadEntity(pr)
}
// loadKeyRing loads a keyring from ringpath, auto-detecting its storage
// format. Three formats are supported:
//
// - the legacy binary OpenPGP packet stream (GnuPG's pubring.gpg)
// - a GnuPG keybox (pubring.kbx), the default public-key store since
// GnuPG 2.1
// - an ASCII-armored keyring, as produced by `gpg --export --armor`
func loadKeyRing(ringpath string) (openpgp.EntityList, error) {
f, err := os.Open(ringpath)
data, err := os.ReadFile(ringpath)
if err != nil {
return nil, err
}
defer f.Close()
return openpgp.ReadKeyRing(f)
switch {
case isKeybox(data):
keys, err := keyboxPublicKeys(data)
if err != nil {
return nil, fmt.Errorf("reading keybox %s: %w", ringpath, err)
}
return openpgp.ReadKeyRing(bytes.NewReader(keys))
case isArmored(data):
ring, err := loadArmoredKeyRing(data)
if err != nil {
return nil, fmt.Errorf("reading armored keyring %s: %w", ringpath, err)
}
return ring, nil
default:
return openpgp.ReadKeyRing(bytes.NewReader(data))
}
}
// loadArmoredKeyRing reads every armored block in data and merges the keys
// into a single keyring. Unlike openpgp.ReadArmoredKeyRing, which silently
// ignores everything after the first block, this handles keyrings assembled
// by concatenating exports (cat key1.asc key2.asc > keyring.asc), the same
// way GnuPG imports them.
func loadArmoredKeyRing(data []byte) (openpgp.EntityList, error) {
var ring openpgp.EntityList
r := bytes.NewReader(data)
for {
block, err := armor.Decode(r)
if errors.Is(err, io.EOF) {
break
}
if err != nil {
return nil, err
}
if block.Type != openpgp.PublicKeyType && block.Type != openpgp.PrivateKeyType {
return nil, fmt.Errorf("expected a public or private key block, got %q", block.Type)
}
entities, err := openpgp.ReadKeyRing(block.Body)
if err != nil {
return nil, err
}
ring = append(ring, entities...)
}
if len(ring) == 0 {
return nil, errors.New("no keys found")
}
return ring, nil
}
// DigestFile calculates a SHA256 hash (like Docker) for a given file.

@ -16,6 +16,7 @@ limitations under the License.
package provenance
import (
"bytes"
"crypto"
"errors"
"io"
@ -24,6 +25,7 @@ import (
"strings"
"testing"
"github.com/ProtonMail/go-crypto/openpgp/armor"
pgperrors "github.com/ProtonMail/go-crypto/openpgp/errors"
"github.com/ProtonMail/go-crypto/openpgp/packet"
"github.com/stretchr/testify/assert"
@ -168,6 +170,72 @@ func TestLoadKeyRing(t *testing.T) {
}
}
func TestLoadKeyRingKeybox(t *testing.T) {
k, err := loadKeyRing(testKeybox)
require.NoError(t, err)
require.Len(t, k, 1)
_, ok := k[0].Identities[testKeyName]
assert.True(t, ok, "expected %q in keybox keyring", testKeyName)
}
func TestLoadKeyRingMixedKeybox(t *testing.T) {
k, err := loadKeyRing(testMixedKeybox)
require.NoError(t, err)
require.Len(t, k, 2)
names := make([]string, 0, len(k))
hasEdDSA := false
for _, e := range k {
for n := range e.Identities {
names = append(names, n)
}
if e.PrimaryKey != nil && e.PrimaryKey.PubKeyAlgo == packet.PubKeyAlgoEdDSA {
hasEdDSA = true
}
}
assert.Contains(t, names, testKeyName)
assert.True(t, hasEdDSA, "expected an Ed25519 key in %s", testMixedKeybox)
}
func TestLoadKeyRingArmored(t *testing.T) {
k, err := loadKeyRing(testArmoredPubfile)
require.NoError(t, err)
require.Len(t, k, 1)
_, ok := k[0].Identities[testKeyName]
assert.True(t, ok, "expected %q in armored keyring", testKeyName)
}
func TestLoadKeyRingArmoredMultiBlock(t *testing.T) {
// A keyring assembled by concatenating exports (cat a.asc b.asc) must
// load every block, the same way gpg --import does.
k, err := loadKeyRing(testMultiBlockArmored)
require.NoError(t, err)
require.Len(t, k, 2)
names := make([]string, 0, len(k))
for _, e := range k {
for n := range e.Identities {
names = append(names, n)
}
}
assert.Contains(t, names, testKeyName)
}
func TestLoadArmoredKeyRingRejectsNonKeyBlocks(t *testing.T) {
var buf bytes.Buffer
w, err := armor.Encode(&buf, "PGP MESSAGE", nil)
require.NoError(t, err)
_, err = w.Write([]byte("not a key"))
require.NoError(t, err)
require.NoError(t, w.Close())
_, err = loadArmoredKeyRing(buf.Bytes())
assert.ErrorContains(t, err, "expected a public or private key block")
}
func TestDigest(t *testing.T) {
f, err := os.Open(testChartfile)
if err != nil {
@ -406,6 +474,31 @@ func TestVerify(t *testing.T) {
}
}
// TestVerifyKeyboxKeyring mirrors TestVerify with the keyring loaded from a
// GnuPG keybox instead of the legacy binary format.
func TestVerifyKeyboxKeyring(t *testing.T) {
signer, err := NewFromKeyring(testKeybox, "")
require.NoError(t, err)
archiveData, err := os.ReadFile(testChartfile)
require.NoError(t, err)
sigData, err := os.ReadFile(testSigBlock)
require.NoError(t, err)
ver, err := signer.Verify(archiveData, sigData, filepath.Base(testChartfile))
require.NoError(t, err)
require.NotNil(t, ver.SignedBy)
_, ok := ver.SignedBy.Identities[testKeyName]
assert.True(t, ok, "expected chart to verify as signed by %q", testKeyName)
tamperedSigData, err := os.ReadFile(testTamperedSigBlock)
require.NoError(t, err)
_, err = signer.Verify(archiveData, tamperedSigData, filepath.Base(testChartfile))
assert.Error(t, err, "expected tampered signature to fail against keybox keyring")
}
// readSumFile reads a file containing a sum generated by the UNIX shasum tool.
func readSumFile(sumfile string) (string, error) {
data, err := os.ReadFile(sumfile)

@ -0,0 +1,40 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFeWbZ4BCADIsgNRyVBSWJkbH6h3UWWXsA9ce1u+YKvaCYFSjIujKycTAqCC
P7qUV2Oj/4E2zUcOD1/8/meDwuTnNTLzdSw4ujtFlKRSw7zelQE6sxvID0KM0pQK
7AxDTXsm/7Afd/fg4WNW0/hcbeiNz4TVmSWAnbqeLg8o8eljR5QhTk47H6Glo4hV
raeLCKG77qm2qOQ/m38ec+L5n9iUpoZZu1S5RXPUIanV5pLlx2rQsooIQEdJbTRF
Iv3+2Nj/56PFVdrw7E5ARqCD4PpzzYV7uj8vKumOp+VivFj95Ze6DFENh1WWy336
jQEj0uTolgOYeQ6AdJobwSPUeYXGV6Sf2vwXABEBAAG0XUhlbG0gVGVzdGluZyAo
VGhpcyBrZXkgc2hvdWxkIG9ubHkgYmUgdXNlZCBmb3IgdGVzdGluZy4gRE8gTk9U
IFRSVVNULikgPGhlbG0tdGVzdGluZ0BoZWxtLnNoPokBNwQTAQoAIQUCV5ZtngIb
AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCEO7+YH8GHYolFCAC0+ejT5dIX
0juRl5AdG6XAlEf9IrehkVlo0s5bG1Ucea9jjNRafmmHyMravrxZVI9zGFhaNpxA
+McnnWAO8lx5yTgnGW269qvFBsj5n0ItPewILQZjTEgwLYf1oc2qCFpk+8ovBnxZ
Kaz3J5QKqU09zLO2yALuI5FTCCUupJ3OGIrKvLJ4H2jsRk/5jgqIgqJotW/4Baza
4zemFdQHj9FPvq9sVeW5lyxM48i638GtslIgc0y2Yd/bfiy0tfIkskWz/kS1U6c9
Utr3UPwpBqHjXnakmpK7GMGlp5eDXgr63BEdLKxJJWWxIys35fR19XZXcAELrwMh
zkTzB/dvI375uQENBFeWbZ4BCADB6a8oiF2royWbvwmujBxSmD68QWziNZbSCuRs
M4WM1iy69kspJHRwJEVIE5pkoVfV6tIcwQQ0VkJmq6Pf/pyKeMAXp0u8bp5K0mVE
Yio1/adiLM3kX1yleoXLNUb1gNvsk6Kp6BZCUNRmjKlbKxapJKHmL+opX8UoeLeE
KSgJNL8jvo3nRgg+wIPnVDoizz7y03F0k4SbgNGdoA/FtZs/vcSrEfzOLgI2RxQS
dj/ePkxg9TvQygUSYgAVbYlASw6XMmd/zTjkfD9qa0l3WSejTisn85b611WryDpA
iYkYC3GzK8g7S9VwkAbtr79cbG+1djlA4aHASpil+zR12yEhABEBAAGJAR8EGAEK
AAkFAleWbZ4CGwwACgkQhDu/mB/Bh2LbNQgAiOOMNzmKzY4A7/ra8ppaH9oL8XIa
WvInivOsx22K09PPuPVqi/ooBiRGyRqhdVS4ShPOoOTR5tOsdfPpEMTHnGQ1+jW+
Tw5MXv3oMckWw3YEYptnuvon3wT4bOXLr+eYlY4Z1ONs+pAXwMiQ2zXNuKHpA2fR
HsF8Wyw57rCVn7K5nQgZCbVxasYlzvFGnmt/itSC5w/AnIvICDOWcoGFKTieqhME
IkCyvu+DNrMAumnD2fqF2olsM4IzCEPSMEQqJIGzZTtQTseS8NSDioRGnG1AJQ94
BssQVmTh0/hlpoTqXY803lR5wb1fr3RRnkOu+lbEI6AAUj51j5TAAo/1dA==
=bvcV
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaMzP2xYJKwYBBAHaRw8BAQdAXkL0KKTOZoMaM+6HsrkWv93zmLmnMiIoQvR2
F+bjx7G0KEhlbG0gRWQyNTUxOSBUZXN0IDxoZWxtLWVkMjU1MTlAaGVsbS5zaD6I
mQQTFgoAQRYhBEy+dUwlWAxsh43nEfuFaBLOL8tkBQJozM/bAhsDBQkFo5qABQsJ
CAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPuFaBLOL8tktBYA/2cclE0N+BZV
Wymk6XfwFMjErM6olWAfwA8DfAGQ55+lAQCqSa+Tkjd4dmToVHcb0QAm+zwklAY4
e6qWgGiivn77AA==
=wJ7K
-----END PGP PUBLIC KEY BLOCK-----

Binary file not shown.

@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFeWbZ4BCADIsgNRyVBSWJkbH6h3UWWXsA9ce1u+YKvaCYFSjIujKycTAqCC
P7qUV2Oj/4E2zUcOD1/8/meDwuTnNTLzdSw4ujtFlKRSw7zelQE6sxvID0KM0pQK
7AxDTXsm/7Afd/fg4WNW0/hcbeiNz4TVmSWAnbqeLg8o8eljR5QhTk47H6Glo4hV
raeLCKG77qm2qOQ/m38ec+L5n9iUpoZZu1S5RXPUIanV5pLlx2rQsooIQEdJbTRF
Iv3+2Nj/56PFVdrw7E5ARqCD4PpzzYV7uj8vKumOp+VivFj95Ze6DFENh1WWy336
jQEj0uTolgOYeQ6AdJobwSPUeYXGV6Sf2vwXABEBAAG0XUhlbG0gVGVzdGluZyAo
VGhpcyBrZXkgc2hvdWxkIG9ubHkgYmUgdXNlZCBmb3IgdGVzdGluZy4gRE8gTk9U
IFRSVVNULikgPGhlbG0tdGVzdGluZ0BoZWxtLnNoPokBNwQTAQoAIQUCV5ZtngIb
AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCEO7+YH8GHYolFCAC0+ejT5dIX
0juRl5AdG6XAlEf9IrehkVlo0s5bG1Ucea9jjNRafmmHyMravrxZVI9zGFhaNpxA
+McnnWAO8lx5yTgnGW269qvFBsj5n0ItPewILQZjTEgwLYf1oc2qCFpk+8ovBnxZ
Kaz3J5QKqU09zLO2yALuI5FTCCUupJ3OGIrKvLJ4H2jsRk/5jgqIgqJotW/4Baza
4zemFdQHj9FPvq9sVeW5lyxM48i638GtslIgc0y2Yd/bfiy0tfIkskWz/kS1U6c9
Utr3UPwpBqHjXnakmpK7GMGlp5eDXgr63BEdLKxJJWWxIys35fR19XZXcAELrwMh
zkTzB/dvI375uQENBFeWbZ4BCADB6a8oiF2royWbvwmujBxSmD68QWziNZbSCuRs
M4WM1iy69kspJHRwJEVIE5pkoVfV6tIcwQQ0VkJmq6Pf/pyKeMAXp0u8bp5K0mVE
Yio1/adiLM3kX1yleoXLNUb1gNvsk6Kp6BZCUNRmjKlbKxapJKHmL+opX8UoeLeE
KSgJNL8jvo3nRgg+wIPnVDoizz7y03F0k4SbgNGdoA/FtZs/vcSrEfzOLgI2RxQS
dj/ePkxg9TvQygUSYgAVbYlASw6XMmd/zTjkfD9qa0l3WSejTisn85b611WryDpA
iYkYC3GzK8g7S9VwkAbtr79cbG+1djlA4aHASpil+zR12yEhABEBAAGJAR8EGAEK
AAkFAleWbZ4CGwwACgkQhDu/mB/Bh2LbNQgAiOOMNzmKzY4A7/ra8ppaH9oL8XIa
WvInivOsx22K09PPuPVqi/ooBiRGyRqhdVS4ShPOoOTR5tOsdfPpEMTHnGQ1+jW+
Tw5MXv3oMckWw3YEYptnuvon3wT4bOXLr+eYlY4Z1ONs+pAXwMiQ2zXNuKHpA2fR
HsF8Wyw57rCVn7K5nQgZCbVxasYlzvFGnmt/itSC5w/AnIvICDOWcoGFKTieqhME
IkCyvu+DNrMAumnD2fqF2olsM4IzCEPSMEQqJIGzZTtQTseS8NSDioRGnG1AJQ94
BssQVmTh0/hlpoTqXY803lR5wb1fr3RRnkOu+lbEI6AAUj51j5TAAo/1dA==
=bvcV
-----END PGP PUBLIC KEY BLOCK-----

Binary file not shown.

@ -0,0 +1,26 @@
#!/bin/sh
# Regenerate the modern-GnuPG keyring fixtures from the committed binary
# keyrings. Requires GnuPG 2.1+ (keybox support).
#
# helm-test-key.kbx keybox (pubring.kbx) containing the helm-test key
# helm-mixed-keyring.kbx keybox containing the RSA and Ed25519 test keys
# helm-test-key.asc ASCII-armored export of the helm-test key
# helm-mixed-keyring.asc two concatenated single-key armored exports
set -e
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
gpg --batch --no-tty --quiet --import helm-test-key.pub
cp "$GNUPGHOME/pubring.kbx" helm-test-key.kbx
gpg --batch --no-tty --export --armor helm-testing@helm.sh > helm-test-key.asc
rm -rf "$GNUPGHOME"
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
gpg --batch --no-tty --quiet --import helm-mixed-keyring.pub
cp "$GNUPGHOME/pubring.kbx" helm-mixed-keyring.kbx
gpg --batch --no-tty --export --armor helm-testing@helm.sh > helm-mixed-keyring.asc
gpg --batch --no-tty --export --armor helm-ed25519@helm.sh >> helm-mixed-keyring.asc
rm -rf "$GNUPGHOME"
Loading…
Cancel
Save