# helm-sigstore

**Repository Path**: Sigstore/helm-sigstore

## Basic Information

- **Project Name**: helm-sigstore
- **Description**: Plugin for Helm to integrate the sigstore ecosystem
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2023-09-27
- **Last Updated**: 2025-09-30

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# helm-sigstore

[![Build Status](https://github.com/sigstore/helm-sigstore/workflows/ci/badge.svg?branch=main)](https://github.com/sigstore/helm-sigstore/actions?workflow=ci)
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/helm-sigstore)](https://artifacthub.io/packages/search?repo=helm-sigstore)
[![SLSA](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/)

Plugin for [Helm](https://helm.sh/) to integrate the [sigstore](https://sigstore.dev/) ecosystem.

Search, upload and verify signed Helm Charts in the [Rekor](https://github.com/sigstore/rekor) Transparency Log.

## Info

helm-sigstore is developed as part of the [`sigstore`](https://sigstore.dev) project.

We also use a [slack channel](https://sigstore.slack.com)! Click [here](https://join.slack.com/t/sigstore/shared_invite/zt-mhs55zh0-XmY3bcfWn4XEyMqUUutbUQ) for the invite link.

## Installation

Use the following steps to build the `helm-sigstore` binary and install it as a Helm Plugin

### Building

On a system with [Go](https://golang.org/) installed, execute the following to download the source and build the plugin

```shell
$ mkdir -p $GOPATH/src/github.com/sigstore
$ cd $GOPATH/src/github.com/sigstore
$ git clone https://github.com/sigstore/helm-sigstore.git
$ cd helm-sigstore
```

Build the plugin

```shell
$ make
```

The plugin binary will be available in the `bin` directory

### Plugin Installation

Before installing `helm-sigstore` as a Helm plugin, ensure that Helm is installed and configured on your machine. Then install the plugin.

```shell
$ helm plugin install https://github.com/sigstore/helm-sigstore
```

Confirm the plugin is available in Helm

```
$ helm plugin list
NAME      VERSION  DESCRIPTION
sigstore  0.1.0    This plugin integrates Helm into the Sigstore ecosystem.
```

With the installation complete and successful, the plugin can be invoked through the `helm sigstore` command

```shell
$ helm sigstore
Integrates sigstore with Helm

Usage:
  sigstore [command]
...
```

## Quickstart

This brief example demonstrates how to upload a signed Helm chart to Rekor and validate the entry

### Upload a Signed Helm Chart

```
$ helm sigstore upload
Created Helm entry at index 6821, available at: https://rekor.sigstore.dev/api/v1/log/entries/b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9
```

_NOTE_: The provenance file must be located in the same directory as the packaged chart.

> To generate a provenance file, please consult the official documentation of [Helm Provenance and Integrity](https://helm.sh/docs/topics/provenance/).

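
The note above requires the provenance file to sit beside the packaged chart. As an added example (not part of helm-sigstore or of the original README), this Go program checks before an upload that `<chart>.prov` exists next to the chart and that the SHA-256 recorded under `files:` in the provenance body matches the archive. It assumes the `files:` layout shown in the Helm provenance documentation and does not verify the PGP signature; `provDigest`, `checkChart` and the file name `provcheck.go` are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// provDigest returns the sha256 recorded for chartName under "files:" (assumed Helm .prov layout).
func provDigest(prov, chartName string) (string, error) {
	body, _, _ := strings.Cut(prov, "-----BEGIN PGP SIGNATURE-----") // signed body only
	inFiles := false
	for _, line := range strings.Split(body, "\n") {
		entry := strings.TrimSpace(line)
		if strings.TrimRight(line, "\r") == "files:" {
			inFiles = true
		} else if inFiles && strings.HasPrefix(entry, chartName+": sha256:") {
			return strings.TrimPrefix(entry, chartName+": sha256:"), nil
		}
	}
	return "", fmt.Errorf("no sha256 recorded for %s", chartName)
}

// checkChart requires <chart>.prov beside the chart and compares digests (no PGP check).
func checkChart(chartPath string) error {
	chart, err := os.ReadFile(chartPath)
	if err != nil {
		return err
	}
	prov, err := os.ReadFile(chartPath + ".prov")
	if err != nil {
		return fmt.Errorf("provenance file must sit beside the chart: %w", err)
	}
	want, err := provDigest(string(prov), filepath.Base(chartPath))
	if err != nil {
		return err
	}
	if got := fmt.Sprintf("%x", sha256.Sum256(chart)); !strings.EqualFold(got, want) {
		return fmt.Errorf("digest mismatch: chart %s, provenance %s", got, want)
	}
	return nil
}

func main() { // usage: go run provcheck.go mychart-0.1.0.tgz
	for _, chart := range os.Args[1:] {
		fmt.Println(chart, checkChart(chart))
	}
}
```

A `<nil>` after the chart name means the digest in the provenance file matches the archive; any other output is the reason the pair should not be uploaded as-is.
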
### Verify the Signed Chart from Rekor

Use the same signed Helm chart from the prior section to verify the entry in Rekor

```shell
helm sigstore verify
Chart Verified Successfully From Helm entry:
Rekor Server: https://rekor.sigstore.dev
Rekor Index: 6821
Rekor UUID: b30a142ef6c8b0480cd3e081fc99bc3d2a1a50ef60f68749c983a1479be6c4b9
```

See the [Usage documentation](USAGE.md) for detailed explanations and additional options.

## SLSA Provenance

This project generates SLSA provenance for its releases! This enables you to verify the integrity of the downloaded artifacts and ensure that the binary's code really comes from this source code. To verify the provenance of the release binaries, please follow the instructions [here](https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance).

## Security

Should you discover any security issues, please refer to sigstore's [security process](https://github.com/sigstore/community/blob/main/SECURITY.md).