func Digest(in io.Reader) (string, error)
Digest hashes a reader and returns a SHA256 digest.
Helm uses SHA256 as its default hash for all non-cryptographic applications.
func DigestFile(filename string) (string, error)
DigestFile calculates a SHA256 hash (like Docker) for a given file.
It takes the path to the archive file, and returns a string representation of the SHA256 sum.
The intended use of this function is to generate a sum of a chart TGZ file.
PassphraseFetcher returns a passphrase for decrypting keys.
This is used as a callback to read a passphrase from some other location. The given name is the Name field on the key, typically of the form:
USER_NAME (COMMENT) <EMAIL>
type PassphraseFetcher func(name string) ([]byte, error)
Signatory signs things.
Signatories can be constructed from a PGP private key file using NewFromFiles or they can be constructed manually by setting the Entity to a valid PGP entity.
The same Signatory can be used to sign or validate multiple charts.
type Signatory struct {
// The signatory for this instance of Helm. This is used for signing.
Entity *openpgp.Entity
// The keyring for this instance of Helm. This is used for verification.
KeyRing openpgp.EntityList
}
func NewFromFiles(keyfile, keyringfile string) (*Signatory, error)
NewFromFiles constructs a new Signatory from the PGP key in the given filename.
This will emit an error if it cannot find a valid GPG keyfile (entity) at the given location.
Note that the keyfile may have just a public key, just a private key, or both. The Signatory methods may have different requirements of the keys. For example, ClearSign must have a valid `openpgp.Entity.PrivateKey` before it can sign something.
func NewFromKeyring(keyringfile, id string) (*Signatory, error)
NewFromKeyring reads a keyring file and creates a Signatory.
If id is not the empty string, this will also try to find an Entity in the keyring whose name matches, and set that as the signing entity. It will return an error if the id is not empty and also not found.
func (s *Signatory) ClearSign(chartpath string) (string, error)
ClearSign signs a chart with the given key.
This takes the path to a chart archive file and a key, and it returns a clear signature.
The Signatory must have a valid Entity.PrivateKey for this to work. If it does not, an error will be returned.
func (s *Signatory) DecryptKey(fn PassphraseFetcher) error
DecryptKey decrypts a private key in the Signatory.
If the key is not encrypted, this will return without error.
If the key does not exist, this will return an error.
If the key exists, but cannot be unlocked with the passphrase returned by the PassphraseFetcher, this will return an error.
If the key is successfully unlocked, it will return nil.
func (s *Signatory) Verify(chartpath, sigpath string) (*Verification, error)
Verify checks a signature and verifies that it is legit for a chart.
SumCollection represents a collection of file and image checksums.
Files are of the form:
FILENAME: "sha256:SUM"
Images are of the form:
"IMAGE:TAG": "sha256:SUM"
Docker optionally supports sha512, and if this is the case, the hash marker will be 'sha512' instead of 'sha256'.
type SumCollection struct {
Files map[string]string `json:"files"`
Images map[string]string `json:"images,omitempty"`
}
Verification contains information about a verification operation.
type Verification struct {
// SignedBy contains the entity that signed a chart.
SignedBy *openpgp.Entity
// FileHash is the hash, prepended with the scheme, for the file that was verified.
FileHash string
// FileName is the name of the file that FileHash verifies.
FileName string
}