Verification Steps: Signature on GPG Key? about vault-plugin-secrets-artifactory HOT 9 OPEN

I will also talk to our security guys later this week or next. I would have thought you could have tied into some established JFrog process that signs code? :)

from vault-plugin-secrets-artifactory.

@TJM We need to balance the work needs for this vs when HashiCorp releases the registry for Vault. Once that happens, this whole signing problem more or less disappears.

from vault-plugin-secrets-artifactory.

@TJM If my understanding of GPG is correct (and I'm no expert), I need to sign the public key using gpg --lsign-key.

from vault-plugin-secrets-artifactory.

I am not sure, I was thinking it would need to be signed by some "trusted" party. However, I am not sure if there are any trusted third parties in GPG. Or, maybe I have to sign it locally stating that I trust your signature. I have to assume a "Self Signed" key is probably trusted about the same as a self signed SSL certificate :)

from vault-plugin-secrets-artifactory.

@TJM You are right. One of the other option I considered a while ago is to upload the public key to a key server such as https://keys.openpgp.org/ or https://www.sigstore.dev/

If we go with sigstore then we can also leverage Cosign in our release toolchain.

from vault-plugin-secrets-artifactory.

@TJM Yes, in theory 😄

The difference here is that this project releases binary whereas other JFrog OSS projects only publishes source code. So my hunch is that this is an outlier and there isn't an established process for us to follow. I'll check nonetheless.

from vault-plugin-secrets-artifactory.

The best thing I can think of would be for me to commit your public key to our IAC repo, that way supposedly I trust it (lsign), and I can validate the signature against my local copy of the key. I'd still like to know if there is a way to have a trusted third party, maybe multiple to validate the key, but it appears GPG is pretty de-centralized :)

from vault-plugin-secrets-artifactory.