SonarQube Helm Chart PGP Signature/Provenance Layer

j.b · March 22, 2025, 10:46pm

Hello,

I am trying to deploy SonarQube server using helm charts.
I noticed that the helm chart for Sonarqube is not signed and nor does it have a link to the PGP key.

I am using this link to download the chart:
Artifact Hub Link

Would it be possible for the team maintaining the chart to add a signature/provenance layer to it?
Helm Provenance

For example as done in this chart:
Example

That way every time a helm pull , upgrade or install command needs to be run, the --verify flag can be used to check the integrity of the helm chart package.

jeremy.cotineau · March 31, 2025, 12:11pm

Hello @j.b thanks a lot for this feedback, this is indeed a very good feature we could implement.

I’ll create a ticket to track the progress of it. Nonetheless please do not expect an ETA for now.

Regards,
Jérémy.

Colin · May 8, 2025, 9:37am

For posterity, here is that ticket: SONAR-24735

jonesbusy · May 15, 2025, 12:33pm

I think it’s also related to Provide helm-chart-sonarqube to OCI compatible registry

Since OCI provide a way to attach artifact together (like SBOM, attestation etc…)

Topic		Replies	Views
Helm chart manage by sonarqube Suggest new features	5	4250	May 6, 2021
Sonarqube Helm Chart with Developer Edition SonarQube Server / Community Build sonarqube , scanner	2	1407	August 30, 2022
Can the SonarQube Helm chart from this GitHub repository be used in a production environment SonarQube Server / Community Build	2	201	October 23, 2023
SonarQube helm installation does not suceed SonarQube Server / Community Build	3	3574	August 2, 2019
Helm Chart: Sonarqube quality profiles not found SonarQube Server / Community Build	1	750	May 16, 2019

SonarQube Helm Chart PGP Signature/Provenance Layer

Related topics