At this time both Go 1.19 and 1.20 are supported. The version
specified in the go.mod file is the minimum version we expect Helm
to be compiled against. This is the oldest supported version to
support environments where others compile Helm. The Helm project
is using Go 1.20 to build Helm itself.
Updating to Go 1.19 also includes dealing with io/ioutil
deprecation and some additional linting issues around staticcheck.
All the staticcheck issues were in test files so linting was
skipped for those.
Signed-off-by: Matt Farina <matt.farina@suse.com>
Before this change, several of the potential errors during the process
of signing a package were skipped.
Crucially, `Close()`ing the ReadCloser from the gpg clearsigner is the call
which actually does the signing, and so has several points of failure
which are ignored; for example, if there's a problem with the format of
the key.
Also changes the error from messageBlock() to be propagated rather than
being swallowed, and adds a test for the case where a signer fails to
sign.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This removes the requirement that a fetch or install command must
explicitly state the version number to install. Instead, this goes to
the strategy used by OS package managers: Install the latest until told
to do otherwise.
Closes#1198
This adds the --verify and --keyring flags to:
helm fetch
helm inspect
helm install
helm upgrade
Each of these commands can now make cryptographic verification a
prerequisite for using a chart.
This adds support for OpenPGP signatures containing provenance data.
Such information can be used to verify the integrity of a Chart by
testing that its file hash, metadata, and images are correct.
This first PR does not contain all of the tooling necessary for
end-to-end chart integrity. It contains just the library.
See #983
Robert Sirchia
Matt Farina
Ashley Davis
Josh Dolitsky
Adam Reese
Matt Butcher
Matt Butcher