At this time both Go 1.19 and 1.20 are supported. The version
specified in the go.mod file is the minimum version we expect Helm
to be compiled against. This is the oldest supported version to
support environments where others compile Helm. The Helm project
is using Go 1.20 to build Helm itself.
Updating to Go 1.19 also includes dealing with io/ioutil
deprecation and some additional linting issues around staticcheck.
All the staticcheck issues were in test files so linting was
skipped for those.
Signed-off-by: Matt Farina <matt.farina@suse.com>
Before this change, several of the potential errors during the process
of signing a package were skipped.
Crucially, `Close()`ing the ReadCloser from the gpg clearsigner is the call
which actually does the signing, and so has several points of failure
which are ignored; for example, if there's a problem with the format of
the key.
Also changes the error from messageBlock() to be propagated rather than
being swallowed, and adds a test for the case where a signer fails to
sign.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This commit replaces usage of github.com/ghodss/yaml with it's forked
version maintained by SIG community. The replaced library has
low-to-none support activity unlike the latter. We believe the new
Helm branch could benefit from using the community-supported version on
a long-term run as yaml parser is a key component of Helm chart rendering
engine.
This commit locks sigs.k8s.io/yaml dependency version on 1.1.0 which
is backwards compatible with ghodss/yaml 1.0.0.
This change also resolves the outdated dependency version lock for
ghodss/yaml (currently 1.0.0) and makes it possible to port changes from
https://github.com/helm/helm/pull/6010 to dev-v3.
Signed-off-by: Oleg Sidorov <oleg.sidorov@booking.com>
This removes the requirement that a fetch or install command must
explicitly state the version number to install. Instead, this goes to
the strategy used by OS package managers: Install the latest until told
to do otherwise.
Closes#1198
This adds the --verify and --keyring flags to:
helm fetch
helm inspect
helm install
helm upgrade
Each of these commands can now make cryptographic verification a
prerequisite for using a chart.
This adds support for OpenPGP signatures containing provenance data.
Such information can be used to verify the integrity of a Chart by
testing that its file hash, metadata, and images are correct.
This first PR does not contain all of the tooling necessary for
end-to-end chart integrity. It contains just the library.
See #983
