From fb41e5b9269e8250687b3aa076efcf8ef0d39e50 Mon Sep 17 00:00:00 2001
From: Itay Grudev
Date: Thu, 22 Feb 2024 04:19:19 +0200
Subject: [PATCH 1/3] Added PGP Key for Helm provenance

Signed-off-by: Itay Grudev
---
 .github/workflows/release-publish.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index d2451f81e..5077a05e5 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -27,6 +27,11 @@ jobs:
 git config user.name "$GITHUB_ACTOR"
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
+ - name: Import PGP Private Key
+ run: |
+ echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
+ echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > passphrase-file.txt
+
 - name: Set up Helm
 uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f # v4.0.0
 with:
@@ -36,6 +41,10 @@ jobs:
 uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ CR_KEY: helm-charts+no-reply@cloudnative-pg.io
+ CR_KEYRING: keyring.gpg
+ CR_PASSPHRASE_FILE: passphrase-file.txt
+ CR_SIGN: true
 CR_SKIP_EXISTING: true
 CR_GENERATE_RELEASE_NOTES: true
 CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-v{{ .Version }}"

From 2a3d5ad0ea26570d6d2c8195fc9ea0bf3fb3068b Mon Sep 17 00:00:00 2001
From: Itay Grudev
Date: Thu, 22 Feb 2024 12:06:32 +0200
Subject: [PATCH 2/3] Added Public Key to the repository

Signed-off-by: Itay Grudev
---
 provenance.gpg | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 provenance.gpg

diff --git a/provenance.gpg b/provenance.gpg
new file mode 100644
index 000000000..944a40b82
--- /dev/null
+++ b/provenance.gpg
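Review bot: Both secrets in the new "Import PGP Private Key" step are expanded with `${{ }}` straight into the script text, so the runner writes the private key and the passphrase into the generated run-script file (and hands them to the shell for interpretation) before `gpg` ever reads them; the shred step added in PATCH 3 does not reach that copy. Pass them through the step's `env:` block instead, `PGP_PRIVATE_KEY: ${{ secrets.PGP_PRIVATE_KEY }}` and `PGP_KEY_PASSPHRASE: ${{ secrets.PGP_KEY_PASSPHRASE }}`, and reference them as shell variables, e.g. `printf '%s\n' "$PGP_PRIVATE_KEY" | gpg --dearmor --output keyring.gpg`. Using `printf` rather than `echo` also keeps a passphrase that happens to begin with `-n` or `-e` from being swallowed as an option. The same pattern is carried unchanged into the first hunk of PATCH 3 and would be fixed there the same way.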
@@ -0,0 +1,83 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGXXEuEBEADbLS7rJCSmZlrNmXvy0WPkfri4QEVZeGQQPcTCErAxm6b5dLnL +APZQfRRueiBtR784MPynsaz3358QMy54pEvgMoLruhWIZgSB6k+qQurmDj+i/W6f +inE5/Ekt7sa3C3CmPSQDYIL9MqkFBYtT8HMLCrDLJjsjU675/2SA47Dn63IHAMym +uEFuCWKwpWjP74+5F71AM9DYNLCZ/uS0Cqn/I7taOjhUQqBMPNl0BSzFnnrggMYg +W6uQDXWK3B6o7QBZR33SX9jknUQ3ZXCAW6wgGSxr8vHBhYnRyh8a6FNRdeGnWQEx +jYqg3r/4t8ObYus7hg/WEpEHd6QK4wujjqU578zsuruByWLpO/j7gKrpwVI7CrK9 +AOEm2hQrLsgLMi/dqmubVfcejgLhEoMnqzibKuGMK0v48nA0ab148UTgp8cWK5LB +1r66JDbgqVfUvN2PlgbnKkeNPX1aQVptRHQ+JU5DPEYjSau6dMn3i0IutJqePzoH +Wz6HrBULFOBwF/mIu38gQP7WB+YwMriz7sxYZjK6sl3Y3q2jpznG1tpObVYVki2p +sD3dila5AAY0hiu62kyVGA/JGaCAkS7HyEmEr3Y9lGnmeodCAOJy6SWJlJ2jTUlv +Xizw7U04w78XBDahMCcou3TmJzkQQ9hethC9QG+rpLQXJoVX92yZwtSC3QARAQAB +tHNDbG91ZE5hdGl2ZVBHIEhlbG0gQ2hhcnRzIChBdXRvbWF0aWNhbGx5IFNpZ25l +ZCBDaGFydHMgdmlhIEdpdEh1YiBBY3Rpb25zKSA8aGVsbS1jaGFydHMrbm8tcmVw +bHlAY2xvdWRuYXRpdmUtcGcuaW8+iQJUBBMBCgA+FiEEaZh15ou/yYAMvYau48aP +k7UMXsAFAmXXEuECGy8FCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +48aPk7UMXsCfZA/7Bj6d/ZiXoKvz51V+l9TvDw4uuagiBTb+rKfwBlKfKuldd+Ld +p3ZTVqEJM/d+fCRg7+zatPLF5EQCdSa159NMw91s+HnsrJwcs6bfZN7tVR4OfVOe +7cqK/BwW+P+By8W9STI2xUZaSObA5S0mjvuLWCucq7vzQDtCqCPNkHCkcUN/D5q7 +Lv1NIUKyS/WSl2iGiaGEHpYprSakKhqxfj/wRHWO9bHpAKI2wvCgP6SGQ9u596X2 +hIDmLCRY58jZywWwUC99Ii0660284FChCdNdr1G+p/Wot0cUrX3RA0OPYs4hGiCx +N4WHZvMxbMo5ZQ72xSGdId3hT0w4JGeistbAbnhMpQJrI4pHE1Hh9Jd/nzKKBSrQ +3ZAqFM3Lkvy1LKcwv9o7SKhW3mB4+dyYqkGBTv8X9Uq1m/rYyM8zXeN/Q92d5B3d +lAuTrxyXMosUVQ59EdYvelhqyieGMZ/MBIMuv3R1/P+BRg7tDiPb4fq7MhU7nHve +ZC5jN1TAM2Z852iiQQonUE/gfSmD7l5Vqk48kqLKk3jNnbnxSDKuoEdxxzH7mXSU +Yc+uUSy85Age5iTcdZZ9lDJ3nOoj5xmgA60Vzl0CcP3l0YnOMfDwpc/fQ2Jj3Nd9 +zbgYvOKbyA5tQ2KtTOPNn3gALEj6Icwd/F/nCSrkpNwb4s0JB7WDX5O5eoWJATIE +EAEIAB0WIQRCKLl468bsh6Nzr4NYyuqPHMhQPgUCZdcVvQAKCRBYyuqPHMhQPlCt +B/IC5WhdcvQXrJtJ36XTdnwbx6uHF07PMzKm9aVhfmMcicLwnAsrolAkCXtjVng8 +UDPi89KcQDSPw4fcm1NIlyqs5ZyG5EncTr0WAFhrxGGgAs+NWiNFHB2pBkmKpt+p 
+PMr5CZgGqH4MgOtUpMXH1Vb21b8I1zST2tvqZ+34c6yPGbg/pz3yGuMyDmcwBmw7 +iyQahB9zkpYUI5hx+MVnvSqiQXFc6WZaO0eIJDwGv45WdL2g2DCYPf2KweFaVyWC +sY2cqf7vZfPujfkBFFZklU5GSkBZll+g+V4VD9XZQ/qQgTyPeuxP9wQhytDYnIOf +37lEfqcF794KCLV1oZAsMp6JAjMEEAEKAB0WIQQiaN4mLn+p64fo6pwKXEeyxVyu +tQUCZdcbfgAKCRAKXEeyxVyutSKuEACCrRMN14EJvc7hLs+LBn3ihhhqiu2brgw+ +BAAtpTlnGxc78laODj1vaRbNcnfpbl3gMeSD2CqRtj4jLoCg3Rl6WkVq993Nf3KV +zjXsaTTqagPnd+B+7QlTYfkceGgCjlLsZw6EkR40WqXuig7m0GUq0d5updWdtkID +/U6U7flcZA3n5vJQJVbZPGx1AQuCd7xjjyZFjI7ghQvBy4lIfdJPH8VQHjPtfssr +NDIycL/AlirqMjPEEOWYEXgqcpEX44nOluEdTuXRsOk9m4aouZPazWw3IzbYWfrh +0HRsW/QzIWHV1v1e1OKS9Vfbz24kuk+J89Ula76KslB31vR1y8Y1inL9YeDt0BEW +xNRdw6E15kWcpSjp6GmDBLPwBRgYG9UZ5MtQc7tg39m3DWD9NJCRxRR8hCtdANmF +SgWfELbrvt9OfzmgCq3BYTfRrKYuiMZu1dfN3+sv4BnC/iTMe2GtTBUDaWGXBOCF +3/CNgjaI4AfkiY8irgYJhxMhzednSqDnpwZQFB1RpHAouyKQ3gYsHiDds4lauCQT +PvPpa1yGN0HaySzbjsdQV/o+aI5g41t0YETC9CX5FzowKHj1r5ZEKRGDsxX4Ruqg +ZQ6GpEEkyaxOhYoGjOA6bG7G0evjBaGlLX1vRbq6Oy+6q3RJiKa0L2Fv7FD2hpo4 +JI7ot4OOXLkCDQRl1xLhARAA8hviIYBPp00JYc1ZEPNW7NqfN5JPSk0RMabV17sv +wggVfc/mgFsx9OrZ6LEphMZaeP4k1IIRilUGBuMzsvIiGu6QCgp6X27TeHaT2W/u +WxHA5tH3E+hBX053t1epdl3ZvviW0ylJCCwecEoZukbLVUqS4rt7MZNeDZI5SDhU +tHMqTlIA5xVCtJQFAuyn2IAW+SbSKx4fY05joXmcvPRLkLqUOJJyWecMUqdmYi9t +56yl33n+27nOVm1tJq1Jt0UpAPw4NXTaebxNAZZOciwjX14jphCKvVpbQsER6yg3 +swA4vrugf/Ig7RpuDqdi4bYqmwGjPUR6jq34XsId2KUn3Xxrme8uICHcdgycjIwx +vUWG6I9VqYv0qirgVU9JJ/ly9zf38LK28rxPkSefwW4gpcp+YKoKGDTGvjqzE28u +B8wPl0mzrViem+lnDgxRPFsRKm3+bLBL7Byk9i02pLxM+gEyrUexI5IGiYJ+zYEK +hJ1n3mAwz/pvoXw69UXNPf7CJ5ljeP860nwJWUaxspj7FLg7cBOCYt3Z31LCf9FX +Ty4EUUWAP5ikrgs8WlWAiV6DWNiUX4gIHOaUPvafY7QoMsDsajRolS70q8eTVz02 +Rta7UW4YP5WqocoJ1xFDLF43JyK5tX+l4Lqt35X8eGiawQnbXPbzBiPtUqy3ZycZ +cEkAEQEAAYkEcgQYAQoAJhYhBGmYdeaLv8mADL2GruPGj5O1DF7ABQJl1xLhAhsu +BQkSzAMAAkAJEOPGj5O1DF7AwXQgBBkBCgAdFiEE2/kVNvfboEsXjVCpNjzSe0Xa +3gAFAmXXEuEACgkQNjzSe0Xa3gB4nA/+L7CBpJvM1sbwk4HdKI/qhORtxbAlP5LY +QT6svWjUDZhDZwODPexlZ6PO957+4ClV/pa1vMnJ6C6c2jlI+V1wpiGXfKV3MdQU 
+L0yzOk8xB9CoJeGs9t9NxQaHOWrkFhW39odEb4cxeLYvE2vAQcb4VpK5BtYCbr/K ++pBWHDhHJbSKtufKfWJW4k0yJhMto0KcHYcLMsSiATHH84Zf3Mh94QE6Ib8qmhQv +N+W1XA/PzA6/7/5FmHIW/PFnUKTlf5cpwqzXWkV9SdGM5oHZFns1zev/0IdDBh5y +a2itEtB0qSx5zdjDQ6T0cE3oZnS8U3wIchlMaDAXEECdTKMB61Jb0MOoYOXTT/v6 +0t+j/Xh89G7N2M6JWXQu0mepnrryiOdh1J7s7EHhqsgLZQ68TFBaGlR7ja0ZEdK6 +u5csPI6+UJODx1tKskKHAovy/z5444j7TB6HWOR/3JZcgUPdQegL2+gEQNqyayWH +YrLuQxrmJsWCSCX6GX/4K0E//MgFTLNiHMZLMGOiYfBsbbnVS9A/swygY96Z63aY +DaR/VBp2Z6R8qh0ZJJBoaQzSkkbcGcHltQpI+wFZp4DMFpeVjaHFZCDVdag3CQfD +MZ4n7QcGPAoIvrQ5Te8Ftn9PWnTBA+h8U+l5ry+a+zKoSU5aOU+v9fAUFYGVXnfw +VDKknTCJi92oDQ/8DO095ePfqbagRp6v8FoR0vg7XgywSGhII88488OYZ++ErAme +h4rhYKKg8k6IjRj0mumGDtaFItAJx1U9+jwtqOAhCvYQbCKlUSsNj6+NWrdcU3Ic +LMBcb8Zb/MF5hs4ZpyrkixWKP35HnAqHs1nAGlRsfAVGJk6lLtuCZvMPEomUfUW4 +vUt9Pw0v8HFHXlq/OYk752XX4JDiReqa5Mz1MoeNbHJ9OgHGGyoUtKmeAp5Dh/FD +O6mU1ZMyWGkibZGtr7x87JBwuEMBlTldqs8e/O9Os4OSnx8VdDmmpeN84as+Xl/t +9gHYnd4HgSjH83oV+dXC7jNwjfucyFTyW9na78qxJkf31UrxHyq2WwSvDvS6CuhH +iSzJSx4/NOhEGjW+O0Cfazc1Jwpgx/1fcT6VijCsA7lv3uLfgF98la5Dv4QFBYA7 +oIRmJO+W1jfsyMwCc2j7va0iCkREjRY/8fsaT8ywQZLYLWzPHFreL/+JLSSMT7F2 +mAkr3qA+DLrudLxov+OYUwMoau12ImBvc1QSX05EAgaCZp/OgkKfqnhMQQUKMp+X +oAOFddo61el+ctOUHo0M4pVkew9MLkOd3rejeTP3eAmQLm8RzAcRbkd4yL3bNdiN ++gyAqqx+pNEQ7HAI/aqL1s+/vvXJHM25NF8uwkzPsrKbUHNSFiUWEmaxSts= +=ZWMG +-----END PGP PUBLIC KEY BLOCK----- From 1acb3c4a725c80c4e5c528835eefc0bf56af1b7e Mon Sep 17 00:00:00 2001 From: Itay Grudev Date: Thu, 22 Feb 2024 12:25:27 +0200 Subject: [PATCH 3/3] Improved PGP and passphrase security by storing them on /tmp and wiping them afterwards Signed-off-by: Itay Grudev --- .github/workflows/release-publish.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 5077a05e5..e1ac81667 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml 
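Review bot: The public key lands in the repository as `provenance.gpg`, but nothing in the series records its fingerprint or tells chart consumers how to use it, so a user who downloads the file has no out-of-band value to compare it against. A short README section giving the key fingerprint (placeholder: `<FINGERPRINT-OF-provenance.gpg>`), the uid `helm-charts+no-reply@cloudnative-pg.io` the workflow selects it by, and the `helm verify --keyring provenance.gpg <chart.tgz>` / `helm install --verify --keyring provenance.gpg` usage would make the new signatures actually checkable. Whether the key carries an expiry or has a revocation plan is not readable from the armored block here; it is worth documenting alongside, since a repository-hosted key is only as trustworthy as the branch protection on the file.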
@@ -29,8 +29,8 @@ jobs:
 
 - name: Import PGP Private Key
 run: |
- echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
- echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > passphrase-file.txt
+ echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output /tmp/keyring.gpg
+ echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > /tmp/passphrase-file.txt
 
 - name: Set up Helm
 uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f # v4.0.0
@@ -42,13 +42,17 @@ jobs:
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 CR_KEY: helm-charts+no-reply@cloudnative-pg.io
- CR_KEYRING: keyring.gpg
- CR_PASSPHRASE_FILE: passphrase-file.txt
+ CR_KEYRING: /tmp/keyring.gpg
+ CR_PASSPHRASE_FILE: /tmp/passphrase-file.txt
 CR_SIGN: true
 CR_SKIP_EXISTING: true
 CR_GENERATE_RELEASE_NOTES: true
 CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-v{{ .Version }}"
 
+ - name: Securely delete the PGP key and passphrase
+ if: always()
+ run: shred --remove=wipesync /tmp/keyring.gpg /tmp/passphrase-file.txt
+
 - name: Login to GitHub Container Registry
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
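Review bot: The two files are still created under the shell's default umask in a world-readable directory, so `/tmp/passphrase-file.txt` is readable by any other account on the runner between this step and the shred step; write it under a restrictive umask, e.g. `(umask 077; printf '%s\n' "$PGP_KEY_PASSPHRASE" > /tmp/passphrase-file.txt)`, and do the same around the `gpg --dearmor --output` call (gpg presumably honours the umask for `--output`; worth confirming). Fixed paths in `/tmp` are also shared with every other job and user on a self-hosted runner and survive the job, whereas `${{ runner.temp }}` is a per-job directory the runner itself discards; using `$RUNNER_TEMP/keyring.gpg` and `$RUNNER_TEMP/passphrase-file.txt` here, and the matching `CR_KEYRING` / `CR_PASSPHRASE_FILE` values and shred arguments in the next hunk, keeps the same cleanup flow with a job-scoped location. The secret interpolation itself is raised on the first hunk of PATCH 1.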
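Review bot: The new "Securely delete" step promises more than it can deliver: GNU shred's own documentation states that overwriting is not reliable on journaled, log-structured or copy-on-write filesystems and on snapshots, and on GitHub-hosted runners the whole VM is discarded after the job anyway, so the step mainly matters on self-hosted runners, where that guarantee is weakest. A comment above `run:` such as `# best-effort: see shred(1) caveats on journaled filesystems; the disposable runner is the real boundary` would set expectations for the next maintainer. Because `if: always()` runs the step even when the import step never executed, `shred` will also error on a missing file; `run: for f in /tmp/keyring.gpg /tmp/passphrase-file.txt; do [ ! -e "$f" ] || shred --remove=wipesync -- "$f"; done` keeps the cleanup best-effort without adding a second failure on top of the one that already stopped the job.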