snazy opened a new issue, #3086:
URL: https://github.com/apache/polaris/issues/3086

   ### Is your feature request related to a problem? Please describe.
   
   `helm package` produces a non-reproducible tarball. The archive entries' timestamps are _always_ set to the current timestamp, aka the `helm package` invocation timestamp.
   
   There is sadly no way to pass tar or gzip options to `helm package`.
   
   For Polaris releases, we need a _signed_ Helm package, producing a `.prov` file, which contains more information than "just" the cryptographic signature ([example contents here](https://github.com/snazy/helm-gpg/actions/runs/19240703985/job/55002364031#step:7:8)). Having said that, it's not sufficient to "just" replace `helm package` with a manual `tar`+`gzip`+`gpg` command chain.
   
   ### Describe the solution you'd like
   
   _No response_
   
   ### Describe alternatives you've considered
   
   _No response_
   
   ### Additional context
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
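
The timestamp effect described in the issue, reproduced offline as an added example (not code from the issue or from the Polaris or Helm projects). It packs the same constructed chart files twice with different entry mtimes, then compares the archive digest with a timestamp-insensitive content digest; all file names and function names are hypothetical, `helm` is not invoked, and the `.prov` signing the issue calls for is not covered.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample chart content (assumption, not taken from the Polaris repository).
CHART_FILES = {
    "polaris/Chart.yaml": b"apiVersion: v2\nname: polaris\nversion: 0.0.0-example\n",
    "polaris/values.yaml": b"replicaCount: 1\n",
}

def build_tgz(files, mtime):
    """Pack files into a .tgz whose tar entries all carry the given mtime."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):          # fixed entry order
            info = tarfile.TarInfo(name)    # uid/gid/mode stay at fixed defaults
            info.size = len(files[name])
            info.mtime = mtime              # the only field that varies per build
            tar.addfile(info, io.BytesIO(files[name]))
    # mtime=0 pins the gzip header timestamp, so any difference comes from the tar entries.
    return gzip.compress(raw.getvalue(), mtime=0)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def mtimes(tgz):
    """Map entry name -> mtime, to show what a verifier would see per build."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        return {m.name: m.mtime for m in tar.getmembers()}

def content_digest(tgz):
    """Digest over entry names and file bytes only, ignoring timestamps."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(m.name.encode() + b"\0")
            if m.isfile():
                h.update(tar.extractfile(m).read())
    return h.hexdigest()

if __name__ == "__main__":
    first = build_tgz(CHART_FILES, 1700000000)    # "build" at one time
    second = build_tgz(CHART_FILES, 1700000060)   # same inputs, one minute later
    print("archive digests equal:", sha256(first) == sha256(second))
    print("content digests equal:", content_digest(first) == content_digest(second))
    print("entry mtimes:", mtimes(first), mtimes(second))
```
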