ArgoCD showing webmentiond synced to version 0.2.0 from the Helm repository.

I just released webmentiond-0.2.0 on GitHub, i.e. version 0.2.0 of my webmentiond Helm chart. I didn’t need to tag it or create a release myself. Instead, I used the chart-releaser action to automate it as I planned. All I have to do now is maintain a directory for each chart and bump the version in the appropriate Chart.yaml when I want to publish it. Then anyone can install it from the repository. Simple indeed.

What wasn’t simple was trying to set up GPG signing by following these steps:

  1. Create a GPG key (without a passphrase, to keep things simple).
  2. Export the secret key in binary format with gpg --export-secret-keys keyid.
  3. Encode the exported key as Base64.
  4. Put the key in a repository secret named GPG_KEYRING_BASE64.
  5. Add the key creation script from the charts-repo-actions-demo release workflow to prepare the required key files.
  6. Set sign: true in cr.yaml.
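As an added example (not part of the original post, and not code from chart-releaser or the charts-repo-actions-demo workflow), here is a small Python pre-flight checker for the value that ends up in GPG_KEYRING_BASE64: it decodes the Base64, walks the OpenPGP packet headers (RFC 4880, section 4.2) and reports what the keyring actually starts with. The two error texts are modelled on the checks a binary-only OpenPGP reader makes first, a header byte without its MSB set (which is what an ASCII-armoured export looks like to such a reader) and a first packet that is not a key. The keyrings below are constructed stand-ins with dummy bodies, not real key material; partial-body and indeterminate packet lengths are rejected rather than parsed.

```python
import base64
from typing import List, Tuple

# OpenPGP packet tags (RFC 4880, section 4.3) that matter for a key ring.
TAG_NAMES = {
    2: "signature",
    5: "secret-key",
    6: "public-key",
    7: "secret-subkey",
    13: "user-id",
    14: "public-subkey",
    17: "user-attribute",
}


def _old_format_length(data: bytes, pos: int, length_type: int) -> Tuple[int, int]:
    """Old-format header: the low two bits say how many length octets follow."""
    width = {0: 1, 1: 2, 2: 4}.get(length_type)
    if width is None:
        raise ValueError("indeterminate packet length is not supported")
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def _new_format_length(data: bytes, pos: int) -> Tuple[int, int]:
    """New-format header: one-, two- or five-octet length (no partial bodies)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body length is not supported")


def packet_tags(data: bytes) -> List[int]:
    """Walk a binary OpenPGP stream and return the tag of every packet."""
    tags = []
    pos = 0
    while pos < len(data):
        header = data[pos]
        if not header & 0x80:
            # Every packet header has its MSB set; an ASCII-armoured export
            # starts with '-' (0x2D), which is the classic way to trip this.
            raise ValueError(f"byte at offset {pos} is not a packet header: "
                             "MSB clear (ASCII-armoured input?)")
        if header & 0x40:                     # new format: 0b11tttttt
            tag = header & 0x3F
            length, pos = _new_format_length(data, pos + 1)
        else:                                 # old format: 0b10ttttll
            tag = (header >> 2) & 0x0F
            length, pos = _old_format_length(data, pos + 1, header & 0x03)
        if pos + length > len(data):
            raise ValueError(f"packet at offset {pos} is truncated")
        tags.append(tag)
        pos += length
    return tags


def describe_keyring(b64: str) -> Tuple[str, List[str]]:
    """Decode a GPG_KEYRING_BASE64 value and name the packets it holds."""
    data = base64.b64decode("".join(b64.split()), validate=True)
    names = [TAG_NAMES.get(t, f"tag-{t}") for t in packet_tags(data)]
    if not names:
        raise ValueError("empty keyring")
    if names[0] not in ("secret-key", "public-key"):
        raise ValueError(f"first packet is {names[0]}, expected a public/private key")
    kind = "secret" if "secret-key" in names else "public-only"
    return kind, names


def verify_secret(b64: str) -> str:
    """One-line verdict on a candidate secret value, never raises."""
    try:
        kind, names = describe_keyring(b64)
    except ValueError as exc:
        return f"error: {exc}"
    if kind != "secret":
        return "error: no secret-key packet in keyring (public key only)"
    return "ok: " + ", ".join(names)


# --- constructed stand-ins (dummy bodies, not real key material) ------------

def _packet(tag: int, body: bytes, new_format: bool = False) -> bytes:
    """Build one packet around a dummy body (bodies stay below 192 octets)."""
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


_UID = b"Demo Signer <demo@example.invalid>"
SECRET_EXPORT = (_packet(5, b"\x04" + b"\x00" * 8) + _packet(13, _UID) + _packet(2, b"\x00" * 4)
                 + _packet(7, b"\x04" * 6, new_format=True) + _packet(2, b"\x00" * 4, new_format=True))
PUBLIC_EXPORT = _packet(6, b"\x04" + b"\x00" * 8) + _packet(13, _UID) + _packet(2, b"\x00" * 4)
ARMOURED_EXPORT = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nbm90IHJlYWw=\n-----END PGP PRIVATE KEY BLOCK-----\n"
SIGNATURE_FIRST = _packet(2, b"\x00" * 4) + SECRET_EXPORT

SECRET_B64 = base64.b64encode(SECRET_EXPORT).decode()
PUBLIC_B64 = base64.b64encode(PUBLIC_EXPORT).decode()
ARMOURED_B64 = base64.b64encode(ARMOURED_EXPORT).decode()
SIGNATURE_FIRST_B64 = base64.b64encode(SIGNATURE_FIRST).decode()

if __name__ == "__main__":
    for label, value in [("binary secret export", SECRET_B64), ("public export", PUBLIC_B64),
                         ("armoured export", ARMOURED_B64), ("signature first", SIGNATURE_FIRST_B64)]:
        print(f"{label:22} {verify_secret(value)}")
```

To use it on a real value, feed it the exact string you are about to paste into the repository secret (for example the output of `gpg --export-secret-keys KEYID | base64 -w0` on GNU coreutils) and confirm the verdict begins with "ok:" and lists secret-key first. The checker only validates packet framing and ordering; it says nothing about whether the key is usable for signing or whether the chart tooling accepts the keyring format.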

It failed when signing the charts, saying it ‘expected a public/private key’. I tried again with the ASCII version of the key, just to be sure, but it failed with a different error about the MSB of some tag. When I tried putting both the public and the private key (encoded as required) in the variable, I got the first error again. I decided to drop the idea.

I’m consoling myself with the reflection that chart integrity and provenance seem to be of little importance, given that verification is disabled by default.