Verify the Aembit Edge Helm chart signature

Aembit provides a Helm chart that simplifies the deployment of Aembit Edge Components in your Kubernetes cluster. As a best practice, you should verify the Helm chart before deploying it to verify its integrity and authenticity.

This page describes how to verify the Aembit Helm chart you’ll use in your Kubernetes cluster. You can verify the Helm chart using the following methods:

Helm CLI
Terraform
manually

Prerequisites

To verify the Aembit Edge Helm chart, you must have the following:

kubctl installed
helm installed
(Optional) gpg (GNU Privacy Guard) installed
Expand to install gpg
To install gpg, select a tab for your OS and follow the instructions:
Debian:
Terminal window
apt install gnupg
RHEL:
Terminal window
yum install gnupg2
Terminal window
brew install gnupg
PowerShell:
Terminal window
winget install GnuPG.GnuPG
Chocolatey:
Terminal window
choco install gpg4win
Or, if you’re using WSL, follow the Linux/WSL tab’s instructions.
A Kubernetes cluster that’s running and accessible from your local machine
Your Kubernetes context set to the cluster where you want to deploy Aembit Edge Components
Expand to verify and set Kubernetes context
To verify that you have set your current context in Kubernetes correctly:
Terminal window
```
kubectl config current-context
```
If the context output is incorrect, set it correctly by running:
Terminal window
```
kubectl config use-context <your-cluster-context>
```

Verify using the Helm CLI

The following steps describe how to verify the Aembit Edge Helm chart using Helm with signature verification. This method provides explicit verification of the chart’s signature and ensures that the chart is valid before installation.

Add or update the Aembit Helm repository to your local Helm configuration by running:

# Add the Aembit Helm repository
helm repo add aembit https://helm.aembit.io

# Update the Helm repository to ensure you have the latest charts
helm repo update aembit

Import the Aembit Edge Helm PGP public keys from Aembit’s Keybase repository into your GPG keyring:
Terminal window
```
curl "https://keybase.io/aembit/pgp_keys.asc" | gpg --import
```
Export your GPG keyring to a format compatible with Helm:
Terminal window
```
gpg --export --output ~/.gnupg/pubring.gpg
```
You must export your keyring because Helm requires the older GPG keyring format (.gpg) and cannot use the newer keyring format (.kbx) that modern GPG uses by default.
Choose your verification method:
- Verify Dry-run
- Verify Install
Terminal window
helm install aembit aembit/aembit \ --verify \ --keyring ~/.gnupg/pubring.gpg \ --dry-run \ --set tenant=<tenantId>,agentController.id=<agentControllerId>
Terminal window
helm install aembit aembit/aembit \ --verify \ --keyring ~/.gnupg/pubring.gpg \ --set tenant=<tenantId>,agentController.id=<agentControllerId>
Review the output:
- Verify Dry-run
- Verify Install
When using --verify with --dry-run, successful verification happens silently. You’ll see the following dry-run output if the verification is successful:
Terminal window
NAME: aembit LAST DEPLOYED: Wed Jul 9 12:54:13 2025 NAMESPACE: default STATUS: pending-install REVISION: 1 TEST SUITE: None HOOKS: MANIFEST: --- # Source: aembit/templates/serviceaccount.yaml # [YAML output continues...]
When using --verify with actual installation, successful verification happens silently. You’ll see the following installation output if the verification is successful:
Terminal window
NAME: aembit LAST DEPLOYED: Wed Jul 9 12:54:13 2025 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: # [Installation notes and instructions continue...]
If verification fails for either method, you’ll see an error message like:
Terminal window
```
Error: failed to verify chart signature
```

Verify using Terraform

You can also verify the Aembit Edge Helm chart using Terraform, ensuring that the installation occurs only if the chart is authentic and valid.

Prerequisites

Complete steps 2-3 from the Helm CLI section to import the Aembit key and export your keyring.

Terraform configuration

You must add the following options to your Terraform configuration to enable verification of the Helm chart signature:

verify enables the verification process
keyring specifies the path to the GPG keyring that contains the public key used to sign the Helm chart

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }

  verify = true # Enable verification of the Helm chart signature
  keyring = "~/.gnupg/pubring.gpg" # Path to the GPG keyring
}

resource "helm_release" "aembit_edge" {
  name       = "aembit"
  repository = "https://helm.aembit.io"
  chart      = "aembit"

  set {
    name  = "tenant"
    value = var.tenant_id
  }

  set {
    name  = "agentController.id"
    value = var.agent_controller_id
  }
}

If the verification is successful, you’ll get output indicating that the plan was successful and that Terraform won’t make any changes to your cluster. If there are any issues with the Helm chart or its signature, Terraform reports an error.

Verify manually

To manually verify the signature of the Aembit Edge Helm chart, follow these steps:

Move to a directory you want to save the Helm chart package in, for example:
Terminal window
```
mkdir aembit-helmChart && cd aembit-helmChart
```

Add or update the Aembit Helm repository to your local Helm configuration by running:

# Add the Aembit Helm repository
helm repo add aembit https://helm.aembit.io

# Update the Helm repository to ensure you have the latest charts
helm repo update aembit

Download the Aembit Edge Helm chart package and its signature from the Aembit Helm repository. Replace <helmChartVersion> with the version of the Helm chart you want to download:
Terminal window
```
wget https://helm.aembit.io/aembit-<helmChartVersion>.tgz
wget https://helm.aembit.io/aembit-<helmChartVersion>.tgz.prov
```
Verify the chart signature using the following command:
Terminal window
```
helm verify aembit-<helmChartVersion>.tgz
```
Replace <helmChartVersion> with the actual version of the chart you downloaded.

If the verification is successful, you’ll get the following output:

Signed by: Aembit, Inc. <keybase@aembit.io>
Using Key With Fingerprint: EA3D8D2FDAC6BD8137163D00D655E64729BC67D7
Chart Hash Verified: sha256:48db111f899405e219d3f8cc05abed644cfa10617c558fa5021be1def592c05c

If there are any issues with the signature, you’ll receive an error message.

Troubleshooting

If you encounter issues during the verification process, here are some common errors and their solutions:

Key Not Found

Error: keyring "~/.gnupg/pubring.gpg" does not exist

Solution: Ensure you’ve exported the keyring using step 3 in the Helm CLI section.

Signature verification failed

Error: failed to verify chart signature

Possible causes:

Wrong public key imported
Chart wasn’t signed with expected key
Corrupted download

Verify you have the correct key:

gpg --list-keys aembit
gpg --fingerprint EA3D8D2FDAC6BD8137163D00D655E64729BC67D7

Permission issues

Error: permission denied accessing keyring

Solution: Check file permissions on your GPG directory:

ls -l ~/.gnupg

Ensure your user has read access to the pubring.gpg file. If not, adjust permissions:

chmod 700 ~/.gnupg
chmod 600 ~/.gnupg/*

Chart repository issues

If you get repository-related errors:

# Remove and re-add the repository
helm repo remove aembit
helm repo add aembit https://helm.aembit.io
helm repo update