-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verification Steps: Signature on GPG Key? #111
Comments
@TJM If my understanding of GPG is correct (and I'm no expert), I need to sign the public key using |
I am not sure, I was thinking it would need to be signed by some "trusted" party. However, I am not sure if there are any trusted third parties in GPG. Or, maybe I have to sign it locally stating that I trust your signature. I have to assume a "Self Signed" key is probably trusted about the same as a self signed SSL certificate :) |
@TJM You are right. One of the other option I considered a while ago is to upload the public key to a key server such as https://keys.openpgp.org/ or https://www.sigstore.dev/ If we go with sigstore then we can also leverage Cosign in our release toolchain. |
I will also talk to our security guys later this week or next. I would have thought you could have tied into some established JFrog process that signs code? :) |
@TJM Yes, in theory 😄 The difference here is that this project releases binary whereas other JFrog OSS projects only publishes source code. So my hunch is that this is an outlier and there isn't an established process for us to follow. I'll check nonetheless. |
@TJM We need to balance the work needs for this vs when HashiCorp releases the registry for Vault. Once that happens, this whole signing problem more or less disappears. |
The best thing I can think of would be for me to commit your public key to our IAC repo, that way supposedly I trust it (lsign), and I can validate the signature against my local copy of the key. I'd still like to know if there is a way to have a trusted third party, maybe multiple to validate the key, but it appears GPG is pretty de-centralized :) |
Apologies for adding to your thread, but I am following also the steps for versions 1.5.0 & 1.6.0 and can't verify the signature either, albeit my case seems even more serious:
Have the steps to verify the signature changed? |
@bramaq The binary files are not signed currently using the public key. Instead it's the checksum file (e.g. gpg --verify artifactory-secrets-plugin_1.6.0.checksums.txt.sig artifactory-secrets-plugin_1.6.0.checksums.txt You should get this as output: gpg: Signature made Thu Apr 18 15:34:09 2024 PDT
gpg: using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: Good signature from "Alex Hung <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED4F F1CD 6C23 18B4 70A3 3A16 59FE 1520 A4A3 55CD This PR is about removing the WARNING since my public key is not uploaded and verified by any public key server. |
Describe the bug
Would it be possible to get rid of the WARNING about the GPG Key?
I am not even really sure what that would entail.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
We may need to modify the steps or at least the "expected output" to look more favorable.
Additional context
Based on the output in the
README.md
, you produced this on the same system that created the key, or at least has had some additional commands run to fully trust the key.The text was updated successfully, but these errors were encountered: