fix(provenance): use flow style for arrays to avoid PGP dash-escaping #31997
Open
karimzakzouk wants to merge 1 commit into helm:main
Conversation
Pull request overview
Updates provenance metadata serialization to prevent OpenPGP clearsign “dash-escaping” from corrupting YAML list fields (e.g., keywords, sources) in generated .prov files.
Changes:
- Add `provenance.MarshalMetadata` to force YAML sequences into flow style (`[a, b]`) before signing.
- Switch `helm package --sign` to use the new metadata marshaler when producing `.prov` files.
- Add unit tests covering flow-style output and ensuring the signed output doesn't contain the double-nested `- -` list artifact.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/provenance/sign.go | Introduces MarshalMetadata and recursive node-walk to set flow style on sequences. |
| pkg/provenance/sign_test.go | Adds tests validating flow-style arrays and clearsign output behavior. |
| pkg/action/package.go | Uses provenance.MarshalMetadata instead of direct YAML marshaling when signing charts. |
| go.mod | Promotes gopkg.in/yaml.v3 to a direct dependency. |
Branch force-pushed: 52d1394 to 66e50f5
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
Fixes helm#31866

This fixes an issue where array fields like `keywords` and `sources` were double-nested (`- - foo`) when serializing Chart metadata into provenance files. By forcing flow-style YAML arrays for these embedded blocks we successfully bypass openpgp cleartext dash-escaping.

Signed-off-by: Karim Farid <karimzakzouk69@gmail.com>

Branch force-pushed: 66e50f5 to f512163
Fixes #31866

What this PR does / why we need it:

When a `Chart.yaml` contains list fields like `keywords` or `sources`, the generated `.prov` file ends up with double-nested arrays (`- - foo`). This happens because PGP clearsign dash-escapes any line starting with `-`, and the default YAML marshaler uses block-style arrays where every item starts with `-`. The fix is to serialize sequences in flow style (`[foo, bar]`) so no lines start with `-` and PGP has nothing to escape.

Special notes for your reviewer:

- `provenance.MarshalMetadata` in `sign.go`, which uses `go.yaml.in/yaml/v3` to recursively set flow style on all sequence nodes.
- `go.yaml.in/yaml/v3` moved from indirect to direct in `go.mod`.
- `.prov` output after `ClearSign` runs, not just the metadata bytes before signing.
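The interaction described above, as an added example that is not code from this PR or from Helm: a hand-rolled block/flow renderer stands in for the YAML library, and `dashEscape` applies the OpenPGP clearsign rule from RFC 4880 section 7.1, so you can see why block-style items at column 0 come out as `- - item` in the signed body while flow style passes through unchanged. The function names and the sample keywords are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// blockSeq renders a YAML sequence in block style with each item at
// column 0, the shape the PR description says the default marshaler
// produced in .prov files (simplified stand-in, not yaml.v3).
func blockSeq(key string, items []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s:\n", key)
	for _, it := range items {
		fmt.Fprintf(&b, "- %s\n", it)
	}
	return b.String()
}

// flowSeq renders the same sequence in flow style, so no line begins with '-'.
func flowSeq(key string, items []string) string {
	return fmt.Sprintf("%s: [%s]\n", key, strings.Join(items, ", "))
}

// dashEscape applies the OpenPGP clearsign rule (RFC 4880 section 7.1):
// every line starting with '-' is prefixed with "- ". This is what
// turns "- foo" into "- - foo" inside the signed body.
func dashEscape(text string) string {
	lines := strings.Split(text, "\n")
	for i, l := range lines {
		if strings.HasPrefix(l, "-") {
			lines[i] = "- " + l
		}
	}
	return strings.Join(lines, "\n")
}

// dashSafe reports whether clearsign would leave text byte-for-byte
// unchanged (no line starts with '-'): the property the flow-style fix relies on.
func dashSafe(text string) bool {
	return !strings.Contains("\n"+text, "\n-")
}

func main() {
	kw := []string{"database", "sql"} // constructed sample keywords
	fmt.Print(dashEscape(blockSeq("keywords", kw)))
	fmt.Print(dashEscape(flowSeq("keywords", kw)))
}
```

The first print shows the `- - database` artifact from the bug report; the second is the flow-style output that the new marshaler produces and clearsign leaves alone.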