feat(helm): add signature support to 'helm package'

cmd/helm/helm.go

@@ -94,6 +94,7 @@ func newRootCmd(out io.Writer) *cobra.Command {
 		newStatusCmd(nil, out),
 		newUpgradeCmd(nil, out),
 		newRollbackCmd(nil, out),
+		newPackageCmd(nil, out),
 	)
 	return cmd
 }

cmd/helm/list_test.go

@@ -56,9 +56,7 @@ func TestListCmd(t *testing.T) {
 			rels: tt.resp,
 		}
 		cmd := newListCmd(c, &buf)
-		for flag, value := range tt.flags {
-			cmd.Flags().Set(flag, value)
-		}
+		setFlags(cmd, tt.flags)
 		err := cmd.RunE(cmd, tt.args)
 		if (err != nil) != tt.err {
 			t.Errorf("%q. expected error: %v, got %v", tt.name, tt.err, err)

cmd/helm/package.go

@@ -17,12 +17,18 @@ limitations under the License.
 package main
 
 import (
+	"errors"
 	"fmt"
+	"io"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 
 	"github.com/spf13/cobra"
+
 	"k8s.io/helm/pkg/chartutil"
+	"k8s.io/helm/pkg/helm"
+	"k8s.io/helm/pkg/provenance"
 	"k8s.io/helm/pkg/repo"
 )
 
@@ -37,30 +43,56 @@ Chart.yaml file, and (if found) build the current directory into a chart.
 Versioned chart archives are used by Helm package repositories.
 `
 
-var save bool
+const (
+	envSigningKey = "HELM_SIGNING_KEY"
+	envKeyring    = "HELM_KEYRING"
+)
 
-func init() {
-	packageCmd.Flags().BoolVar(&save, "save", true, "save packaged chart to local chart repository")
-	RootCommand.AddCommand(packageCmd)
+type packageCmd struct {
+	save    bool
+	sign    bool
+	path    string
+	key     string
+	keyring string
+	out     io.Writer
 }
 
-var packageCmd = &cobra.Command{
-	Use:   "package [CHART_PATH]",
-	Short: "package a chart directory into a chart archive",
-	Long:  packageDesc,
-	RunE:  runPackage,
-}
+func newPackageCmd(client helm.Interface, out io.Writer) *cobra.Command {
+	pkg := &packageCmd{
+		out: out,
+	}
+	cmd := &cobra.Command{
+		Use:   "package [CHART_PATH]",
+		Short: "package a chart directory into a chart archive",
+		Long:  packageDesc,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return fmt.Errorf("This command needs at least one argument, the path to the chart.")
+			}
+			pkg.path = args[0]
+			if pkg.sign {
+				if pkg.key == "" {
+					return errors.New("--key is required for signing a package")
+				}
+				if pkg.keyring == "" {
+					return errors.New("--keyring is required for signing a package")
+				}
+			}
+			return pkg.run(cmd, args)
+		},
+	}
 
-func runPackage(cmd *cobra.Command, args []string) error {
-	path := "."
+	f := cmd.Flags()
+	f.BoolVar(&pkg.save, "save", true, "save packaged chart to local chart repository")
+	f.BoolVar(&pkg.sign, "sign", false, "use a PGP private key to sign this package")
+	f.StringVar(&pkg.key, "key", "", "the name of the key to use when signing. Used if --sign is true.")
+	f.StringVar(&pkg.keyring, "keyring", os.ExpandEnv("$HOME/.gnupg/pubring.gpg"), "the location of a public keyring")
 
-	if len(args) > 0 {
-		path = args[0]
-	} else {
-		return fmt.Errorf("This command needs at least one argument, the path to the chart.")
-	}
+	return cmd
+}
 
-	path, err := filepath.Abs(path)
+func (p *packageCmd) run(cmd *cobra.Command, args []string) error {
+	path, err := filepath.Abs(p.path)
 	if err != nil {
 		return err
 	}
@@ -86,7 +118,7 @@ func runPackage(cmd *cobra.Command, args []string) error {
 
 	// Save to $HELM_HOME/local directory. This is second, because we don't want
 	// the case where we saved here, but didn't save to the default destination.
-	if save {
+	if p.save {
 		if err := repo.AddChartToLocalRepo(ch, localRepoDirectory()); err != nil {
 			return err
 		} else if flagDebug {
@@ -94,5 +126,28 @@ func runPackage(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if p.sign {
+		err = p.clearsign(name)
+	}
+
 	return err
 }
+
+func (p *packageCmd) clearsign(filename string) error {
+	// Load keyring
+	signer, err := provenance.NewFromKeyring(p.keyring, p.key)
+	if err != nil {
+		return err
+	}
+
+	sig, err := signer.ClearSign(filename)
+	if err != nil {
+		return err
+	}
+
+	if flagDebug {
+		fmt.Fprintln(p.out, sig)
+	}
+
+	return ioutil.WriteFile(filename+".prov", []byte(sig), 0755)
+}

cmd/helm/package_test.go

@@ -0,0 +1,148 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"regexp"
+	"testing"
+
+	"github.com/spf13/cobra"
+)
+
+func TestPackage(t *testing.T) {
+
+	tests := []struct {
+		name    string
+		flags   map[string]string
+		args    []string
+		expect  string
+		hasfile string
+		err     bool
+	}{
+		{
+			name:   "package without chart path",
+			args:   []string{},
+			flags:  map[string]string{},
+			expect: "This command needs at least one argument, the path to the chart.",
+			err:    true,
+		},
+		{
+			name:   "package --sign, no --key",
+			args:   []string{"testdata/testcharts/alpine"},
+			flags:  map[string]string{"sign": "1"},
+			expect: "key is required for signing a package",
+			err:    true,
+		},
+		{
+			name:   "package --sign, no --keyring",
+			args:   []string{"testdata/testcharts/alpine"},
+			flags:  map[string]string{"sign": "1", "key": "nosuchkey", "keyring": ""},
+			expect: "keyring is required for signing a package",
+			err:    true,
+		},
+		{
+			name:    "package testdata/testcharts/alpine",
+			args:    []string{"testdata/testcharts/alpine"},
+			expect:  "",
+			hasfile: "alpine-0.1.0.tgz",
+		},
+		{
+			name:    "package --sign --key=KEY --keyring=KEYRING testdata/testcharts/alpine",
+			args:    []string{"testdata/testcharts/alpine"},
+			flags:   map[string]string{"sign": "1", "keyring": "testdata/helm-test-key.secret", "key": "helm-test"},
+			expect:  "",
+			hasfile: "alpine-0.1.0.tgz",
+		},
+	}
+
+	// Because these tests are destructive, we run them in a tempdir.
+	origDir, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+	tmp, err := ioutil.TempDir("", "helm-package-test-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("Running tests in %s", tmp)
+	if err := os.Chdir(tmp); err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() {
+		os.Chdir(origDir)
+		os.RemoveAll(tmp)
+	}()
+
+	for _, tt := range tests {
+		buf := bytes.NewBuffer(nil)
+		c := newPackageCmd(nil, buf)
+
+		// This is an unfortunate byproduct of the tmpdir
+		if v, ok := tt.flags["keyring"]; ok && len(v) > 0 {
+			tt.flags["keyring"] = filepath.Join(origDir, v)
+		}
+
+		setFlags(c, tt.flags)
+		re := regexp.MustCompile(tt.expect)
+
+		adjustedArgs := make([]string, len(tt.args))
+		for i, f := range tt.args {
+			adjustedArgs[i] = filepath.Join(origDir, f)
+		}
+
+		err := c.RunE(c, adjustedArgs)
+		if err != nil {
+			if tt.err && re.MatchString(err.Error()) {
+				continue
+			}
+			t.Errorf("%q: expected error %q, got %q", tt.name, tt.expect, err)
+			continue
+		}
+
+		if !re.Match(buf.Bytes()) {
+			t.Errorf("%q: expected output %q, got %q", tt.name, tt.expect, buf.String())
+		}
+
+		if len(tt.hasfile) > 0 {
+			if fi, err := os.Stat(tt.hasfile); err != nil {
+				t.Errorf("%q: expected file %q, got err %q", tt.name, tt.hasfile, err)
+			} else if fi.Size() == 0 {
+				t.Errorf("%q: file %q has zero bytes.", tt.name, tt.hasfile)
+			}
+		}
+
+		if v, ok := tt.flags["sign"]; ok && v == "1" {
+			if fi, err := os.Stat(tt.hasfile + ".prov"); err != nil {
+				t.Errorf("%q: expected provenance file", tt.name)
+			} else if fi.Size() == 0 {
+				t.Errorf("%q: provenance file is empty", tt.name)
+			}
+		}
+	}
+}
+
+func setFlags(cmd *cobra.Command, flags map[string]string) {
+	dest := cmd.Flags()
+	for f, v := range flags {
+		dest.Set(f, v)
+	}
+}

pkg/provenance/sign.go

@@ -26,6 +26,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/ghodss/yaml"
 
@@ -94,7 +95,51 @@ func NewFromFiles(keyfile, keyringfile string) (*Signatory, error) {
 	}, nil
 }
 
-// Sign signs a chart with the given key.
+// NewFromKeyring reads a keyring file and creates a Signatory.
+//
+// If id is not the empty string, this will also try to find an Entity in the
+// keyring whose name matches, and set that as the signing entity. It will return
+// an error if the id is not empty and also not found.
+func NewFromKeyring(keyringfile, id string) (*Signatory, error) {
+	ring, err := loadKeyRing(keyringfile)
+	if err != nil {
+		return nil, err
+	}
+
+	s := &Signatory{KeyRing: ring}
+
+	// If the ID is empty, we can return now.
+	if id == "" {
+		return s, nil
+	}
+
+	// We're gonna go all GnuPG on this and look for a string that _contains_. If
+	// two or more keys contain the string and none are a direct match, we error
+	// out.
+	var candidate *openpgp.Entity
+	vague := false
+	for _, e := range ring {
+		for n := range e.Identities {
+			if n == id {
+				s.Entity = e
+				return s, nil
+			}
+			if strings.Contains(n, id) {
+				if candidate != nil {
+					vague = true
+				}
+				candidate = e
+			}
+		}
+	}
+	if vague {
+		return s, fmt.Errorf("more than one key contain the id %q", id)
+	}
+	s.Entity = candidate
+	return s, nil
+}
+
+// ClearSign signs a chart with the given key.
 //
 // This takes the path to a chart archive file and a key, and it returns a clear signature.
 //
@@ -128,6 +173,7 @@ func (s *Signatory) ClearSign(chartpath string) (string, error) {
 	return out.String(), err
 }
 
+// Verify checks a signature and verifies that it is legit for a chart.
 func (s *Signatory) Verify(chartpath, sigpath string) (bool, error) {
 	for _, fname := range []string{chartpath, sigpath} {
 		if fi, err := os.Stat(fname); err != nil {