Verifying with helm verify and --verify
Rejecting charts that fail the signature check.
Checking the Signature
Signing is only half the story. The consumer's job is to verify that the chart and its .prov agree before trusting it.
The verify Command
Run helm verify against a downloaded .tgz that already has its .prov beside it. Helm checks both the hash and the signature.
helm verify mychart-0.1.0.tgz
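The hash half of what helm verify checks can be reproduced with the standard library. The sketch below is an added example, not code from this lesson or from Helm: it reads the files: section of a .prov and compares the recorded SHA-256 with the archive on disk. The function names and the sample data are constructed for illustration, and the PGP signature is not checked, so a match here does not replace helm verify.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
ENTRY = re.compile(r"\s+(\S+):\s*sha256:([0-9a-f]{64})\s*")

def recorded_digests(prov_text):
    """Return {filename: sha256 hex} from the 'files:' section of a .prov."""
    body = prov_text.split(SIG_BEGIN, 1)[0]  # drop the signature armor
    digests, in_files = {}, False
    for line in body.splitlines():
        if line.rstrip() == "files:":
            in_files = True
        elif in_files:
            m = ENTRY.fullmatch(line)
            if m:
                digests[m.group(1)] = m.group(2)
    return digests

def digest_matches(chart_path):
    """True only if <chart>.prov exists and records this archive's SHA-256."""
    chart = Path(chart_path)
    prov = Path(str(chart) + ".prov")
    if not (chart.is_file() and prov.is_file()):
        return False  # fail closed: no provenance file, no trust
    want = recorded_digests(prov.read_text()).get(chart.name)
    got = hashlib.sha256(chart.read_bytes()).hexdigest()
    return want is not None and want == got

def demo():
    """Constructed sample: a fake archive and a .prov with a placeholder signature."""
    work = Path(tempfile.mkdtemp())
    chart = work / "mychart-0.1.0.tgz"
    chart.write_bytes(b"constructed chart bytes")
    digest = hashlib.sha256(chart.read_bytes()).hexdigest()
    Path(str(chart) + ".prov").write_text(
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
        "name: mychart\nversion: 0.1.0\n\n...\n"
        f"files:\n  {chart.name}: sha256:{digest}\n"
        f"{SIG_BEGIN}\n(constructed placeholder)\n-----END PGP SIGNATURE-----\n")
    intact = digest_matches(chart)
    chart.write_bytes(b"modified after signing")  # archive no longer matches
    return intact, digest_matches(chart)

if __name__ == "__main__":
    print(demo())  # (True, False)
```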