Code Distribution Integrity Assurance using Helm Provenance and Integrity

[bukasaaime]

Request Summary:

Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, Keybase.io and well-respected package managers, Helm can generate and verify signature files.

Implementing Helm Provenance and Integrity for Mojaloop installation packaged chart, will constitute Mojaloop cryptographic Code Signing.

Request Details:

• Deadline: Soon after DA meeting / discussions.
• Impact (Teams): Code Quality Security, DevSecOps and DevOps
• Impact (Components): Mojaloop codebase and documentation

Artifacts:

• Artifact to consider @bukasaaime , @mdebarros

https://helm.sh/docs/topics/provenance/

Dependencies:

• If Applicable

Accountability:

• Owner: @godfreykutumela
• Raised By: @bukasaaime

Decision(s):

• Approved By:

Details

• Actual decision made as a result of discussion

Follow-up:

• Actions to implement the decisions

[bukasaaime]

Update

We have done a proposal to have Mojaloop helm release code signed using

1. Keybase.io GPG keys,
2. Kubernetes commands
3. Helm package manager,
4. Helm chart(s),
5. Github,
6. Circle CI,
7. npm packages
8. Docker images, flags and hash values.
9. The Mojaloop customization trough external configs (including the default config),
10. mojaloop.io site for publication of Mojaloop helm release versions and hash values.
11. signature verification by a Mojaloop user
12. installation by Mojaloop user.

We are seeking approval from the DA.

[bukasaaime]

Keybase.io is an elegant solution for hosting GPG keys for establishing Provenance and managing developers chain of trust. It is recommended by the Helm documentation https://helm.sh/docs/topics/provenance/ and is optional. It is open source, very secure and used by many developers around the world.

[godfreykutumela]

@MichaelJBRichards This is now approved by the DA for testing and implementation on the condition that appropriate documentation explaining this is included in the standard section of the community guides. The helm release note will reference this only on the first release and thereafter removed.

Implementation Plan:

• Release initial documentation by 30 August 2022
• Start testing the solution from 29 August 2022 - @bukasaaime will be the lead for the security team and I guess @mdebarros for the DevOps team
• Once testing is completed, then we can aim to implement this with the next helm release - @mdebarros and @elnyry-sam-k to advise on the helm release schedule

[bushjames]

@elnyry-sam-k to raise this on the platform quality and security workstream backlog and report back to DA when appropriate.

[godfreykutumela]

Noted, @bushjames, I am sharing some of the artefacts we developed for this here! I used OpenPGP recently on another open-source project and it works fine with Github @elnyry-sam-k .
Mojaloop code signing process - 16052022.pptx
Mojaloop Code Signing - Open Source Options to discuss.docx

[bushjames]

discussed during DA call 2024-10-16 0900 UTC:

• review of documented options.
• actions:
  • @elnyry-sam-k to develop strategy for Mojaloop code/artefact signing as part of PQS workstream: What to sign and where? docker images, npm? CI?

[bushjames]

Targeted for PI-26 delivery by PQS workstream.