VerifyChart takes a path to a chart archive and a keyring, and verifies the chart. It assumes that a chart archive file is accompanied by a provenance file whose name is the archive file name plus the ".prov" extension.
(path, provfile, keyring string)
| 487 | // It assumes that a chart archive file is accompanied by a provenance file whose |
| 488 | // name is the archive file name plus the ".prov" extension. |
//
// The provenance file location is not derived inside this function: the caller
// supplies it in provfile, and keyring names the keyring handed to
// provenance.NewFromKeyring.
//
// Verification runs over the bytes read here from path and provfile, and
// filepath.Base(path) is passed to Verify as the archive's file name. The
// Verification and error produced by Verify are returned unchanged.
//
// NOTE(review): a caller that opens path again after this returns is reading
// the file a second time; confirm that callers either load the chart from the
// bytes that were verified or otherwise account for the file changing on disk
// between verification and use.
func VerifyChart(path, provfile, keyring string) (*provenance.Verification, error) {
	// Only a packed archive is accepted: a stat failure, a directory, or a
	// path that isTar rejects each end the call before any signature work.
	info, statErr := os.Stat(path)
	if statErr != nil {
		return nil, statErr
	}
	if info.IsDir() {
		return nil, errors.New("unpacked charts cannot be verified")
	}
	if !isTar(path) {
		return nil, errors.New("chart must be a tgz file")
	}

	// Surface a missing or unreadable provenance file with its own message
	// before the keyring is touched.
	if _, provErr := os.Stat(provfile); provErr != nil {
		return nil, fmt.Errorf("could not load provenance file %s: %w", provfile, provErr)
	}

	// The empty second argument is passed through as-is; its meaning is
	// defined by provenance.NewFromKeyring.
	signatory, keyErr := provenance.NewFromKeyring(keyring, "")
	if keyErr != nil {
		return nil, fmt.Errorf("failed to load keyring: %w", keyErr)
	}

	// Both files are read fully into memory so that Verify works on a single
	// snapshot of each.
	chartBytes, readErr := os.ReadFile(path)
	if readErr != nil {
		return nil, fmt.Errorf("failed to read chart archive: %w", readErr)
	}

	provBytes, readErr := os.ReadFile(provfile)
	if readErr != nil {
		return nil, fmt.Errorf("failed to read provenance file: %w", readErr)
	}

	return signatory.Verify(chartBytes, provBytes, filepath.Base(path))
}
| 521 | |
| 522 | // isTar tests whether the given file is a tar file. |
| 523 | // |