A security issue fixed in 3.3.2 caught repos with the same name
being added a second time and produced an error. This caused an
issue for tools, such as helmfile, that will add the same name
with the same configuration multiple times.
This fix checks that the configuration on the existing and new
repo are the same. If there is no change it notes it and exits
with a 0 exit code. If there is a change the existing error is
returned (for reverse compat). If --force-update is given the
user opts in to changing the config for the name.
Closes #8771
Signed-off-by: Matt Farina <matt@mattfarina.com>
A recent change merged into Helm fixes a number of security issues related to parsing malformed index files. Unfortunately, it also broke the ability for users to load index files from chartmuseum, which adds a "server info" field to add additional metadata.
This commit adds that field so that index files from chartmuseum can be validated. Since Helm does not use this field for anything, the information is discarded and unused.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
Previously, when there is no *.{gz,zip} files under _dist, the wildcard
will be expanded to 2 strings '_dist/*.gz' and '_dist/*.zip' (see below).
helm$ ls _dist
helm$ make checksum
for f in _dist/*.{gz,zip} ; do \
shasum -a 256 "${f}" | sed 's/_dist\///' > "${f}.sha256sum" ; \
shasum -a 256 "${f}" | awk '{print $1}' > "${f}.sha256" ; \
done
shasum: _dist/*.gz:
shasum: _dist/*.gz:
shasum: _dist/*.zip:
shasum: _dist/*.zip:
helm$ ls _dist
'*.gz.sha256' '*.gz.sha256sum' '*.zip.sha256' '*.zip.sha256sum'
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
When distributions build software it's desirable to have the ability to
define their own linker flags, or Go flags. As `-ldflags` defined in `go
build` overrides `-ldflags` defined in the env variable `GOFLAGS`, there
is a distinct need to be able to replace the default values with new
ones or append to them.
Fixes #8645
Signed-off-by: Morten Linderud <morten@linderud.pw>
For backward compatibility, as suggested by @bacongobbler, we introduce
a new API, NewTempServerWithCleanup.
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
* Add GPG signature verification to install script
The script fetches the KEYS file from GitHub, as well
as the .asc files on the release and verifies the
release artifacts are signed by a valid key.
Added new boolean config options in the install script
which allow for fine-grained control over verification
and output:
- DEBUG: sets -x in the bash script (default: false)
- VERIFY_CHECKSUM: verifies checksum (default: true)
- VERIFY_SIGNATURE: verifies signature (default: true)
Also reduced check for curl/wget to only one time.
Resolves #7943.
Resolves #7838.
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* disable signature verification by default
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* remove repeated line
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* fix typo
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* do not auto-import GPG keys
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* silence errors about missing commands
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* use a temporary gpg keyring
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* Fix wget commands for VERIFY_SIGNATURES=true
Signed-off-by: jdolitsky <393494+jdolitsky@users.noreply.github.com>