How to automate helm package --sign non-interactively in bash

8/23/2018

I am writing a bash script on a machine without expect. The script automates the build of a helm (v2.9.1) chart.

I've got to the part in the script where it runs a

helm package --sign --key 'mykey' --keyring 'path/to/keyring' -d chartdir chart

and because helm prompts for the passphrase of the gpg key I created in order to use provenance files (a requirement), I cannot script around the soliciting of the passphrase, which I would like to prompt for separately as the script is part of a CI/CD build chain.

I have tried using

yes $promptedPassPhrase | helm package --sign...

and I got

xrealloc: cannot allocate 18446744071562067968 bytes (237568 bytes allocated)

I also tried plain old

echo $promptedPassPhrase | helm package --sign...

and I got

Error: inappropriate ioctl for device

I also tried script and got the same response. As I do not have expect on the server, I cannot expect my way round it, so I'm stumped as to how to automate the helm package command and am not going to use a key without a passphrase as it is bad practice.

-- volvox
bash
gnupg
kubernetes-helm

1 Answer

5/30/2019

I don't know how long this has been the case, or exactly which versions this works on, but this doc page says:

If your PGP private key has a passphrase, [...] You can set the HELM_KEY_PASSPHRASE environment variable to that passphrase in case you don't want to be prompted to enter the passphrase.

This works for me on v2.13.1. It looks like it was added in October of 2018, so my guess is that it was first available in v2.12.0-rc.1.

Although this doesn't directly answer the OP's question (since they asked about v2.9.1), it will hopefully help anyone who ends up here because they (like me the first time round) missed that line in the doc.

-- Tsubashi
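A sketch of the CI wrapper this answer makes possible, as an added example that is not part of the original question or answer: it prompts for the passphrase separately and hands it to helm through HELM_KEY_PASSPHRASE, for helm versions that honour that variable (the answer reports v2.13.1). The names HELM_BIN, read_passphrase and sign_chart are hypothetical.

```sh
#!/bin/sh
# Added example; HELM_BIN, read_passphrase and sign_chart are hypothetical names.
HELM_BIN=${HELM_BIN:-helm}

# Read one line from stdin. On a terminal, switch echo off while typing;
# in CI the secret can be piped in instead. Fails on an empty passphrase.
read_passphrase() {
    _pass= _tty=
    if [ -t 0 ]; then
        _tty=$(stty -g)                     # remember terminal settings
        printf 'Passphrase for signing key: ' >&2
        stty -echo
    fi
    IFS= read -r _pass || true              # tolerate a missing final newline
    if [ -n "$_tty" ]; then
        stty "$_tty"                        # restore echo
        printf '\n' >&2
    fi
    [ -n "$_pass" ] || return 1
    printf '%s' "$_pass"
}

# sign_chart KEY KEYRING DESTDIR CHART PASSPHRASE
# The passphrase is exported only inside a subshell, so it never appears in
# helm's argv (visible in ps) and does not stay in the calling script's
# environment. It is still readable by the same user and root through
# /proc/<pid>/environ while helm runs.
sign_chart() {
    [ -n "$5" ] || { echo 'sign_chart: empty passphrase' >&2; return 2; }
    (
        HELM_KEY_PASSPHRASE=$5
        export HELM_KEY_PASSPHRASE
        "$HELM_BIN" package --sign --key "$1" --keyring "$2" -d "$3" "$4"
    )
}

# Runs only when called as: script KEY KEYRING DESTDIR CHART
if [ "$#" -eq 4 ]; then
    pass=$(read_passphrase) || { echo 'no passphrase given' >&2; exit 1; }
    sign_chart "$1" "$2" "$3" "$4" "$pass"
    status=$?
    unset pass
    exit "$status"
fi
```

In a pipeline, feed the passphrase on stdin from the CI system's secret store rather than placing it on a command line or in the job log.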
Source: StackOverflow