Helm in Practice

Designing, Deploying, and Operating Kubernetes Applications at Scale

Provenance and Integrity in Helm Charts

Signing Charts

First, you need to generate a GPG key pair if you don't already have one.

If you want to use the interactive method, simply run gpg --full-generate-key. We will use the non-interactive method here:

Create a file named gpg-key-params with the following content:

cat > $HOME/gpg-key-params <<EOF
Key-Type: 1
Key-Length: 2048
Subkey-Type: 1
Subkey-Length: 2048
Name-Real: John The Signer
Name-Email: user@company.com
Expire-Date: 0
%no-ask-passphrase
%no-protection
EOF

You can customize the following fields as needed:

  • Key-Type: Type of key (1 for RSA, which is common).
  • Key-Length: Length of the key in bits (2048 is a common choice).
  • Name-Real: Your real name.
  • Name-Email: Your email address.
  • Expire-Date: Expiration date of the key (0 means it never expires). It may either be entered in ISO date format (e.g., "20240612T000000") or as a number of days, weeks, months, or years after the creation date.

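The two lines starting with % are control statements rather than key fields. In particular, %no-protection creates the key without a passphrase, so the private key is stored unprotected in the keyring. You can find more options in the GPG documentation.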

Then, run the following command to generate the key:

gpg --batch --generate-key $HOME/gpg-key-params

The execution of this command will output something like:

gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/D6C227C2ED137845170879DBC6F85C29D454C9B9.rev'

Where:

  • trustdb.gpg is the trust database file.
  • openpgp-revocs.d is the directory where revocation certificates are stored.
  • D6C227C2ED137845170879DBC6F85C29D454C9B9 is the fingerprint of the newly created key pair (its last 16 hex digits form the long key ID).

You can list your keys with:

gpg --list-keys

And you should see output similar to:

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2025-12-08 [SCEAR]
      D6C227C2ED137845170879DBC6F85C29D454C9B9
uid           [ultimate] John The Signer <user@company.com>
sub   rsa2048 2025-12-08 [SEA]
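When a script needs the fingerprint, key ID or expiry, read them from GnuPG's machine-readable --with-colons listing instead of the human-readable output above. The helper below is an added example, not part of the original course material; key_summary and sample_listing are hypothetical names, and the sample listing is constructed (it reuses the fingerprint shown on this page, with a made-up subkey).

```sh
#!/bin/sh
# Colon-record layout (GnuPG doc/DETAILS): field 1 = record type, 3 = key
# length, 4 = public-key algorithm (1 = RSA), 5 = long key ID, 7 = expiry
# (epoch seconds, empty = never). On "fpr" records field 10 is the fingerprint.

# key_summary (hypothetical helper): reads colon records on stdin and prints,
# per primary key: "<fingerprint> <keyid> algo=<n> bits=<n> expires=<value>"
key_summary() {
  awk -F: '
    $1 == "pub" { want = 1; keyid = $5; algo = $4; bits = $3
                  expiry = ($7 == "" ? "never" : $7); next }
    # Only the first fpr record after a pub record is the primary fingerprint;
    # fpr records that follow sub records describe subkeys and are skipped.
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want {
      printf "%s %s algo=%s bits=%s expires=%s\n", $10, keyid, algo, bits, expiry
      want = 0 }
  '
}

# Constructed sample listing (not captured gpg output); the subkey ID and
# subkey fingerprint are placeholders.
sample_listing() {
  cat <<'EOF'
tru::1:1765152000:0:3:1:5
pub:u:2048:1:C6F85C29D454C9B9:1765152000:::u:::scESC::::::23::0:
fpr:::::::::D6C227C2ED137845170879DBC6F85C29D454C9B9:
uid:u::::1765152000::0000000000000000000000000000000000000000::John The Signer <user@company.com>::::::::::0:
sub:u:2048:1:1111111111111111:1765152000::::::e::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
EOF
}

# Offline demo on the sample. Against a real keyring, run:
#   gpg --list-keys --with-colons | key_summary
sample_listing | key_summary
```

An expires=never result corresponds to Expire-Date: 0 in the parameter file.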

Modern GPG versions (2.1+) use a new keybox format (.kbx) by default (/root/.gnupg/pubring.kbx
