Verifying Helm Charts for improved security


Helm Charts are the go-to way of packaging and sharing applications in the Kubernetes ecosystem. Because so many people install them, a Chart that an attacker has managed to tamper with on its way to you is a real supply-chain risk. It's important for users to check that a published package is intact and really comes from the source they trust.

💡 If you want to learn how to verify your own Helm Charts, check this article.

This article will show you how to verify a Helm Chart and help you trust the published package more.

What are we going to verify?

The command you need to verify Helm Charts is really straightforward: helm verify. It checks that the Helm Chart was signed by its creator with their private key: using the creator's public key from your local keyring, it verifies the signature on the Chart's provenance file and confirms that the hash recorded there matches the downloaded archive, so you can be sure the Chart hasn't been tampered with or modified.

How to use helm verify

There are two main ways to use helm verify. You can use it against a locally stored Helm Chart or a remote one (which downloads the Helm Chart and runs the verification locally too).

In this tutorial, I'll be using a Helm Chart that I've put together myself: baserow in version 2.4.2. You can find the source code for this Helm Chart in my Git repository.

Step 1: Add the Helm Repository

OK, let's get started by adding the Helm repository and fetching the current list of Helm Charts:

helm repo add christianhuth https://charts.christianhuth.de
helm repo update

Step 2: Import the Public Key

To verify a Helm Chart, we just need to import its corresponding public key into our local keyring. This key is the trust anchor for everything that follows, so fetch it over HTTPS and, ideally, compare its fingerprint with one you obtained from the author through a second channel. First, we download the public key:

curl -fsSL https://charts.christianhuth.de/public.key > christianhuth.pub

Next, we'll import the public key using GPG into the keyring:

gpg --import christianhuth.pub

Current versions of GnuPG store public keys in the pubring.kbx file rather than the older pubring.gpg file. Helm, on the other hand, still expects the old format, so we have to export the keyring into a file that Helm can read. Note that the following command overwrites any existing ~/.gnupg/pubring.gpg; if you'd rather not touch it, export to a separate file and point Helm at that file with the --keyring flag instead:

gpg --export > ~/.gnupg/pubring.gpg

Step 3: Download the Helm Chart

You can now download the Helm Chart locally using the helm pull command. Just remember to add the --prov flag to download the provenance file as well:

helm pull christianhuth/baserow --version 2.4.2 --prov

You should now see the Helm Chart as a *.tgz file and the corresponding .prov file when you display the content of your current directory:

baserow-2.4.2.tgz  baserow-2.4.2.tgz.prov

If you forgot to add the --prov flag, you'll get the following error in the next step, when you try to verify the Helm Chart:

Error: could not load provenance file baserow-2.4.2.tgz.prov: stat baserow-2.4.2.tgz.prov: no such file or directory

Step 4: Verify the Helm Chart manually

Now that everything is set up correctly, we can start verifying the downloaded Helm Chart with the helm verify command. Simply point the command at the Helm Chart in the *.tgz format:

helm verify baserow-2.4.2.tgz

If everything has worked, you should see something like this:

Signed by: Christian Huth
Using Key With Fingerprint: EE24F8BB6D099E78FD704F83B5ECDBCDDD485D0E
Chart Hash Verified: sha256:a1555a55e408e49dd03df4a2abde9a3eb9feb7adb82812884c8dd3f4bd700064

If there's a problem with your setup or the Helm Chart has been altered, you'll see an error message like this:

Error: openpgp: invalid signature: ECDSA verification failure

Step 5: Verify the Helm Chart automatically

Besides running the helm verify command yourself, you can use the --verify flag to have Helm verify the Chart automatically before it uses it. The flag is accepted by commands like helm pull, helm install or helm upgrade, and they refuse to continue if verification fails:

helm pull christianhuth/baserow --verify --version 2.4.2
Signed by: Christian Huth
Using Key With Fingerprint: EE24F8BB6D099E78FD704F83B5ECDBCDDD485D0E
Chart Hash Verified: sha256:a1555a55e408e49dd03df4a2abde9a3eb9feb7adb82812884c8dd3f4bd700064
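To make the two lines of that output concrete, here is an added example (not code from the article or from the Helm project) that re-does by hand what "Chart Hash Verified" stands for, and adds a check Helm itself does not make: helm verify accepts a signature from any key in your keyring, so the script pins the fingerprint you expect and compares it to the one Helm printed. The archive stand-in and the .prov body are constructed for the demo, the "good" fingerprint is the one shown above, and the all-zero fingerprint is a placeholder; the GPG signature itself is not re-checked here.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from the Helm project: it re-does,
# by hand, two of the facts a successful `helm verify` run reports, so you can
# see what each output line stands for and add a check helm does not make:
#   1. "Chart Hash Verified": the sha256 recorded in the .prov file's "files:"
#      block must equal the digest of the downloaded .tgz
#   2. "Using Key With Fingerprint": helm accepts any key in your keyring, so
#      pin the fingerprint you obtained out of band and compare against it
# The .tgz stand-in and the .prov body below are constructed for the demo; the
# "good" fingerprint is the one the article's output shows, the all-zero one is
# a placeholder. The GPG signature itself is not re-checked here.
set -eu

EXPECTED_FPR="EE24F8BB6D099E78FD704F83B5ECDBCDDD485D0E"   # pinned signer (from the article)

# sha256_of FILE: print the hex SHA-256 digest using whichever tool the host has
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# prov_hash_for CHART.prov CHART.tgz: print the "sha256:..." value the
# provenance file records for that archive name (empty if there is none)
prov_hash_for() {
  awk -v name="$(basename "$2")" '
    $1 == "files:"               { infiles = 1; next }
    infiles && $1 == (name ":")  { print $2; exit }
  ' "$1"
}

# check_chart_hash CHART.prov CHART.tgz: succeed only if the recorded digest
# matches the archive on disk (what "Chart Hash Verified" means)
check_chart_hash() {
  recorded=$(prov_hash_for "$1" "$2")
  actual="sha256:$(sha256_of "$2")"
  [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# check_signer VERIFY_OUTPUT FINGERPRINT: succeed only if the fingerprint helm
# printed is the pinned one
check_signer() {
  got=$(printf '%s\n' "$1" | awk -F': ' '/^Using Key With Fingerprint:/ {print $2}')
  [ "$got" = "$2" ]
}

# --- constructed sample data -------------------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir "$DEMO_DIR/tampered"
DEMO_TGZ="$DEMO_DIR/baserow-2.4.2.tgz"
DEMO_PROV="$DEMO_TGZ.prov"
DEMO_TAMPERED="$DEMO_DIR/tampered/baserow-2.4.2.tgz"   # same name, altered bytes

printf 'constructed stand-in for the chart archive\n' > "$DEMO_TGZ"
printf 'constructed stand-in for the chart archive, altered\n' > "$DEMO_TAMPERED"

# Shape of a real .prov file: the Chart.yaml, then a "files:" block with the
# archive digest, all inside a GPG clear-signed message (signature omitted).
cat > "$DEMO_PROV" <<EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: baserow
version: 2.4.2

...
files:
  baserow-2.4.2.tgz: sha256:$(sha256_of "$DEMO_TGZ")
-----BEGIN PGP SIGNATURE-----
(omitted in this constructed sample)
-----END PGP SIGNATURE-----
EOF

GOOD_OUTPUT='Signed by: Christian Huth
Using Key With Fingerprint: EE24F8BB6D099E78FD704F83B5ECDBCDDD485D0E
Chart Hash Verified: sha256:a1555a55e408e49dd03df4a2abde9a3eb9feb7adb82812884c8dd3f4bd700064'
OTHER_KEY_OUTPUT='Signed by: Some Other Key In Your Keyring
Using Key With Fingerprint: 0000000000000000000000000000000000000000
Chart Hash Verified: sha256:a1555a55e408e49dd03df4a2abde9a3eb9feb7adb82812884c8dd3f4bd700064'

# --- demo run ----------------------------------------------------------------
if check_chart_hash "$DEMO_PROV" "$DEMO_TGZ";          then echo "hash ok:         $DEMO_TGZ"; fi
if ! check_chart_hash "$DEMO_PROV" "$DEMO_TAMPERED";   then echo "hash MISMATCH:   $DEMO_TAMPERED"; fi
if check_signer "$GOOD_OUTPUT" "$EXPECTED_FPR";        then echo "signer ok:       $EXPECTED_FPR"; fi
if ! check_signer "$OTHER_KEY_OUTPUT" "$EXPECTED_FPR"; then echo "signer REJECTED: not the pinned key"; fi
```

Against a real download you would feed check_chart_hash the baserow-2.4.2.tgz.prov and baserow-2.4.2.tgz files from Step 3, and pass the text printed by helm verify to check_signer together with the fingerprint you pinned. The point of the second check is that a valid signature only tells you the Chart was signed by some key you imported; whether that key is the one you meant to trust is a decision Helm leaves to you.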

Conclusion

It's pretty simple to verify the integrity of a Helm Chart. Just import the matching public key and then run helm verify or add the --verify flag to a helm command like helm pull, helm install or helm upgrade. Keep in mind that a successful verification only proves the Chart was signed by some key in your keyring, so also check that the fingerprint Helm reports is the one you expect from the Chart's author.
