From 2c9040aff7d9106558e3d3dd0612920c082cb5ad Mon Sep 17 00:00:00 2001
From: yxxhero
Date: Thu, 18 Jun 2026 22:46:57 +0800
Subject: [PATCH] docs: use GitHub profile GPG key URL and add fingerprint verification

Switch the Helm 4 provenance verification instructions to import the public key from https://github.com/databus23.gpg instead of the keys.openpgp.org keyserver and the per-release pubkey.asc asset, and add an explicit fingerprint check against the new release signing key (C5645EF47482257A1F806D2BEA17A2A206AFF8CD).

Signed-off-by: yxxhero
---
 README.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index c82a9e02..3e4abd9d 100644
--- a/README.md
+++ b/README.md
@@ -57,15 +57,19 @@ The install script will skip the GitHub download and instead install from the `. Helm 4 verifies plugin provenance by default. This project publishes GPG-signed provenance artifacts (`.prov`) alongside release tarballs. To verify, import the project's public key into your keyring and install from a direct tarball URL (git repo URLs do not support provenance verification): ```shell -gpg --keyserver hkps://keys.openpgp.org --recv-keys 6D1B9CFF340869384450267300A28D1CC7CD8D7A +curl -sL https://github.com/databus23.gpg | gpg --import +gpg --list-keys --with-fingerprint EA17A2A206AFF8CD +# Expected fingerprint: C5645EF4 7482257A 1F806D2B EA17A2A2 06AFF8CD helm plugin install https://github.com/databus23/helm-diff/releases/latest/download/helm-diff-linux-amd64.tgz ``` -For offline/airgapped environments, download the public key from the GitHub release assets on a connected machine, transfer it, and import it locally: +For offline/airgapped environments, download the public key from the maintainer's GitHub profile on a connected machine, transfer it, and import it locally: ```shell -curl -sL https://github.com/databus23/helm-diff/releases/latest/download/pubkey.asc -o pubkey.asc +curl -sL https://github.com/databus23.gpg -o pubkey.asc gpg --import pubkey.asc +gpg --list-keys --with-fingerprint EA17A2A206AFF8CD +# Expected fingerprint: C5645EF4 7482257A 1F806D2B EA17A2A2 06AFF8CD ``` The public key fingerprint is published in the notes for each GitHub release.
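Review bot: The fingerprint check added to both shell blocks is advisory only: `gpg --list-keys --with-fingerprint EA17A2A206AFF8CD` merely prints the fingerprint, and the expected value sits in a comment, so nothing fails when the imported key does not match; this matters more now that the key is fetched from `https://github.com/databus23.gpg`, which serves every key on that account rather than one per-release asset. Consider making the comparison enforced, for example replacing the two added lines with `gpg --with-colons --fingerprint EA17A2A206AFF8CD | grep -q '^fpr:.*:C5645EF47482257A1F806D2BEA17A2A206AFF8CD:' || { echo 'fingerprint mismatch'; exit 1; }` (or at minimum telling readers to stop if the printed value differs), and use `curl -fsSL` in the first block so a non-2xx response is not piped into `gpg --import`. The unchanged closing sentence, "The public key fingerprint is published in the notes for each GitHub release", now coexists with a fingerprint hardcoded in the README; say which one is authoritative so the two cannot drift apart unnoticed.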