Verifying Helm Charts for improved security
Helm Charts are the go-to way of packaging and sharing applications in the Kubernetes ecosystem. With so many people using them, they could be a security risk if attackers get their hands on a Chart and tamper with it. It's important for users to check that a published package is intact and comes from a trusted source.
This article will show you how to verify a Helm Chart and help you trust the published package more.
What are we going to verify?
The command you need to verify Helm Charts is really straightforward: helm verify. This command checks whether the Helm Chart has been signed by its creator using a private key. It uses the creator's public key to verify the signature of the Chart and confirms that the package's hash matches the one recorded in the signed provenance file, so you can be sure it hasn't been tampered with or modified.
How to use helm verify
There are two main ways to use helm verify. You can use it against a locally stored Helm Chart or a remote one (which downloads the Helm Chart and then runs the verification locally as well).
In this tutorial, I'll be using a Helm Chart that I've put together myself: baserow in version 2.4.2. You can find the source code for this Helm Chart in my Git repository.
Step 1: Add the Helm Repository
OK, let's get started by adding the Helm repository and fetching the current list of Helm Charts:
helm repo add christianhuth https://charts.christianhuth.de
helm repo update
Step 2: Import the Public Key
To verify a Helm Chart, we just need to import its corresponding public key into our local keyring. To do this, we first download the public key:
curl -0L http://charts.christianhuth.de/public.key > christianhuth.pub
Next, we'll import the public key using GPG into the keyring:
gpg --import christianhuth.pub
Recent versions of GPG store public keys in the pubring.kbx file, rather than the older pubring.gpg file. Helm, on the other hand, expects the old format. So, we have to export the keys into a format that is supported by Helm (note that this overwrites any existing ~/.gnupg/pubring.gpg):
gpg --export > ~/.gnupg/pubring.gpg
Step 3: Download the Helm Chart
You can now download the Helm Chart locally using the helm pull command. Just remember to add the --prov flag to download the provenance file as well:
helm pull christianhuth/baserow --version 2.4.2 --prov
You should now see the Helm Chart as a *.tgz file and the corresponding .prov file when you list the contents of your current directory:
baserow-2.4.2.tgz baserow-2.4.2.tgz.prov
If you forgot to add the --prov flag, you'll get the following error when you try to verify the Helm Chart in the next step:
Error: could not load provenance file baserow-2.4.2.tgz.prov: stat baserow-2.4.2.tgz.prov: no such file or directory
Step 4: Verify the Helm Chart manually
Now that everything is set up correctly, we can start verifying the downloaded Helm Chart with the helm verify command. Simply point the command at the Helm Chart in *.tgz format:
helm verify baserow-2.4.2.tgz
If everything has worked, you should see something like this:
Signed by: Christian Huth
Using Key With Fingerprint: EE24F8BB6D099E78FD704F83B5ECDBCDDD485D0E
Chart Hash Verified: sha256:a1555a55e408e49dd03df4a2abde9a3eb9feb7adb82812884c8dd3f4bd700064
If there's a problem with your setup, or the Helm Chart has been altered after it was signed, you'll see an error message like this:
Error: openpgp: invalid signature: ECDSA verification failure
Step 5: Verify the Helm Chart automatically
As well as checking the Helm Chart with the helm verify command, you can also use the --verify flag to verify the Helm Chart automatically before you use it. The --verify flag is available on commands like helm pull, helm install and helm upgrade:
helm pull christianhuth/baserow --verify --version 2.4.2
Signed by: Christian Huth
Using Key With Fingerprint: EE24F8BB6D099E78FD704F83B5ECDBCDDD485D0E
Chart Hash Verified: sha256:a1555a55e408e49dd03df4a2abde9a3eb9feb7adb82812884c8dd3f4bd700064
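helm verify (and --verify) succeeds as soon as the signature matches any key in the keyring, so a keyring that has accumulated several imported keys weakens the check. The script below is an added example, not part of the original article or the Helm project: it wraps the Step 4 command and additionally pins the signing key to the fingerprint printed above. It assumes helm is installed and the chart and its .prov file are in the current directory, as in Step 3.

```shell
#!/bin/sh
# Added example: run `helm verify` and also require that the chart was signed
# by one specific, pinned key rather than by any key present in the keyring.
# The fingerprint is the one shown in the article's output (assumed to be the
# key you want to trust); the chart path comes from the command line.

EXPECTED_FINGERPRINT="EE24F8BB6D099E78FD704F83B5ECDBCDDD485D0E"

# extract_fingerprint OUTPUT: pull the fingerprint out of `helm verify` output.
extract_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^Using Key With Fingerprint: //p' | head -n 1
}

# check_fingerprint OUTPUT EXPECTED: succeed only when the output names exactly
# the expected key. Comparison is case-insensitive because tools differ in case.
check_fingerprint() {
    got=$(extract_fingerprint "$1" | tr '[:lower:]' '[:upper:]')
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned CHART.tgz EXPECTED: run the signature + chart-hash check from
# Step 4, then reject the chart if it was signed by any other key.
verify_pinned() {
    chart="$1"; want="$2"
    out=$(helm verify "$chart" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    if check_fingerprint "$out" "$want"; then
        printf 'OK: %s signed by pinned key %s\n' "$chart" "$want"
    else
        printf 'REJECT: %s signed by "%s", expected %s\n' "$chart" \
            "$(extract_fingerprint "$out")" "$want" >&2
        return 1
    fi
}

# When invoked as a script with a chart path, e.g.
#   sh verify-pinned.sh baserow-2.4.2.tgz
if [ -n "${1:-}" ]; then
    verify_pinned "$1" "$EXPECTED_FINGERPRINT"
fi
```

A non-zero exit from verify_pinned makes the script usable as a gate in a CI pipeline before helm install or helm upgrade.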
Conclusion
It's pretty simple to verify the integrity of a Helm Chart. Just import the matching public key and then run helm verify, or add the --verify flag to a helm command like helm pull, helm install or helm upgrade.
Reference
- Helm Documentation: https://helm.sh/docs/topics/provenance/
- My Helm Chart Git repository: https://github.com/christianhuth/helm-charts