Comments (9)
I will also talk to our security guys later this week or next. I would have thought you could have tied into some established JFrog process that signs code? :)
from vault-plugin-secrets-artifactory.
@TJM We need to balance the work needs for this vs when HashiCorp releases the registry for Vault. Once that happens, this whole signing problem more or less disappears.
from vault-plugin-secrets-artifactory.
@TJM If my understanding of GPG is correct (and I'm no expert), I need to sign the public key using gpg --lsign-key.
from vault-plugin-secrets-artifactory.
I am not sure, I was thinking it would need to be signed by some "trusted" party. However, I am not sure if there are any trusted third parties in GPG. Or, maybe I have to sign it locally stating that I trust your signature. I have to assume a "Self Signed" key is probably trusted about the same as a self signed SSL certificate :)
from vault-plugin-secrets-artifactory.
@TJM You are right. One of the other options I considered a while ago is to upload the public key to a key server such as https://keys.openpgp.org/ or https://www.sigstore.dev/
If we go with sigstore then we can also leverage Cosign in our release toolchain.
from vault-plugin-secrets-artifactory.
@TJM Yes, in theory 😄
The difference here is that this project releases binaries whereas other JFrog OSS projects only publish source code. So my hunch is that this is an outlier and there isn't an established process for us to follow. I'll check nonetheless.
from vault-plugin-secrets-artifactory.
The best thing I can think of would be for me to commit your public key to our IAC repo, that way supposedly I trust it (lsign), and I can validate the signature against my local copy of the key. I'd still like to know if there is a way to have a trusted third party, maybe multiple to validate the key, but it appears GPG is pretty de-centralized :)
from vault-plugin-secrets-artifactory.
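The consumer-side check that the approach in this thread implies (the maintainer's public key committed to the consumer's own repo as the trust anchor, no keyserver involved), written up as an added example rather than anything from the project: `verify_release`, the file names and the fingerprint-pinning step are assumptions, and it needs gpg 2.1+ plus coreutils `sha256sum`.

```shell
#!/bin/sh
# Added example, not the project's own tooling: verify a release whose
# SHA256SUMS file carries a detached GPG signature. The trust anchor is the
# maintainer's public key (and its fingerprint) that the consumer keeps in
# their own IaC repo; no keyserver is consulted. File names are assumptions.

# verify_release EXPECTED_FPR KEYFILE SUMSFILE SIGFILE BINARY
# Returns 0 only if SIGFILE is a good signature over SUMSFILE made by the key
# with primary fingerprint EXPECTED_FPR, and BINARY matches its SUMSFILE entry.
verify_release() {
  expected=$1 key=$2 sums=$3 sig=$4 bin=$5
  # Throwaway keyring: the check never depends on, or alters, ~/.gnupg
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null \
    || { rm -rf "$home"; return 1; }
  # Read the machine-readable status lines instead of the human text.
  # VALIDSIG is only emitted for a cryptographically good signature and its
  # last field is the signer's primary-key fingerprint. A good signature from
  # a different key is still a failure: pinning the fingerprint is what makes
  # the committed key the anchor, so neither lsign nor keyserver trust is
  # needed for this check (lsign only silences gpg's "not certified" warning).
  got=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $NF; exit }')
  gpgconf --homedir "$home" --kill all 2>/dev/null || true
  rm -rf "$home"
  [ -n "$got" ] && [ "$got" = "$expected" ] || return 1
  # Only now are the hashes in SUMSFILE trustworthy: compare this binary's
  # digest with its entry (both " file" and " *file" sha256sum forms handled).
  want=$(awk -v f="$(basename "$bin")" '{ n = $2; sub(/^\*/, "", n) }
                                        n == f { print $1; exit }' "$sums")
  have=$(sha256sum "$bin" | awk '{ print $1 }')
  [ -n "$want" ] && [ "$want" = "$have" ]
}
```

Tampering with the binary, the sums file or the signature, or a valid signature from a key other than the pinned one, all make the function return non-zero.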