This is an automated email from the ASF dual-hosted git repository.

yuchaoran pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/yunikorn-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 4aa48e35e [YUNIKORN-1313] update release procedure for helm signing 
(#246)
4aa48e35e is described below

commit 4aa48e35e1ca3fbcce2cc32bc8e1fa5bd9da507a
Author: Wilfred Spiegelenburg <[email protected]>
AuthorDate: Fri Dec 30 19:27:43 2022 +1100

    [YUNIKORN-1313] update release procedure for helm signing (#246)
    
    The procedure around the signing of the helm charts lacks details on how
    to get the correct gpg key and where it is stored.
---
 src/pages/community/release_procedure.md | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/pages/community/release_procedure.md 
b/src/pages/community/release_procedure.md
index 0734dcd00..4d4d01562 100644
--- a/src/pages/community/release_procedure.md
+++ b/src/pages/community/release_procedure.md
@@ -237,13 +237,33 @@ This step is part of the release tool if the release tool 
is used the packaging
 If the release tool is **not** used the `Chart.yaml` and the `values.yaml` 
must be updated manually.
 The other option is to run the helm script against the generated source 
directory as the tool does:
 ```shell script
-helm package --sign --key ${your_key_name} --keyring ${path/to/keyring.secret} 
staging/<release-dir>/helm-charts/yunikorn --destination staging/
+helm package --sign --key <your_key_name> --keyring </path/to/keyring.secret> 
staging/<release-dir>/helm-charts/yunikorn --destination staging/
 ```
-Signing the helm package requires a legacy PGP keyring. The PGP v2 keyring 
must be converted to the legacy format.
+
+The key name provided in the `--key` argument must be contained in your key's 
uid. The helm tool checks if the name provided is part of the key's uid via a 
substring match.
+You can find all uids for your keys by executing:
+```shell script
+gpg --list-secret-keys
+```
+Signing the helm package requires a legacy PGP keyring. The GnuPG v2 keyring 
is stored in a must be converted to the legacy format.
+It is not possible to use the new keybox (kbx) format. Please use the 
following command to convert your keyring to the legacy gpg format:
+```shell script
+gpg --export >~/.gnupg/pubring.gpg
+gpg --export-secret-keys >~/.gnupg/secring.gpg
+```
+Note that you will be required to enter your passphrase for each secret keys 
that is exported.
+The file that is created by exporting the secrect keys, 
`~/.gnupg/secring.gpg`, is the path used in the `--keyring` parameter.
+
+All this combined will result in a similar command for signing the helm charts 
when run from the top level of the checked out release repository:
+```shell script
+helm package --sign --key [email protected] --keyring ~/.gnupg/secring.gpg 
staging/apache-yunikorn-1.0.0-src/helm-charts/yunikorn --destination staging/
+```
+
 For more information please check [Helm 
documentation](https://helm.sh/docs/topics/provenance/).
-Helm charts should be signed on release.
-Contrary to the source code tar ball signing, signing the helm charts requires 
manual entry of the key password.
 
+Helm charts _must_ be signed on release.
+Contrary to the source code tar ball signing, signing the helm charts requires 
manual entry of the key passphrase.
+There is no option to provide the passphrase any other way to the helm tool.
 The helm package will generate two files:
 - helm package: example `yunikorn-0.8.0.tgz`
 - provenance or signature file: example `yunikorn-0.8.0.tgz.prov`
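Review bot: The added export command `gpg --export-secret-keys >~/.gnupg/secring.gpg` names no key, so it writes every secret key in the GnuPG keyring to the legacy file, although `--key` selects a single key for signing. Consider limiting the export to the signing key, for example `gpg --export-secret-keys <your_key_name> >~/.gnupg/secring.gpg`, and adding a line that tells the release manager to remove the exported file, or restrict access to it, once the chart is signed. The same applies to `gpg --export >~/.gnupg/pubring.gpg`, which silently overwrites any legacy `pubring.gpg` already at that path. In the surrounding added text, the sentence "The GnuPG v2 keyring is stored in a must be converted to the legacy format." is missing words after "stored in a", "secrect keys" should read "secret keys", and "each secret keys that is exported" should read "each secret key that is exported".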
