Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Verification Steps: Signature on GPG Key? #111

Open
TJM opened this issue Jul 3, 2023 · 9 comments
Open

Verification Steps: Signature on GPG Key? #111

TJM opened this issue Jul 3, 2023 · 9 comments
Assignees
Labels
enhancement New feature or request

Comments

@TJM
Copy link
Contributor

TJM commented Jul 3, 2023

Describe the bug
Would it be possible to get rid of the WARNING about the GPG Key?

gpg: WARNING: This key is not certified with a trusted signature!

I am not even really sure what that would entail.

To Reproduce
Steps to reproduce the behavior:

  • Follow the GPG Verification on a different system (or maybe inside a docker container) ... or just move aside the .gpg dir for the test? :)
$ gpg --import vault-plugin-secrets-artifactory-public-key.asc
$ curl -JLO https://github.com/jfrog/vault-plugin-secrets-artifactory/releases/download/v1.0.0/artifactory-secrets-plugin_1.0.0.checksums.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1582  100  1582    0     0   2912      0 --:--:-- --:--:-- --:--:--     0
$ curl -JLO https://github.com/jfrog/vault-plugin-secrets-artifactory/releases/download/v1.0.0/artifactory-secrets-plugin_1.0.0.checksums.txt.sig
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   566  100   566    0     0    924      0 --:--:-- --:--:-- --:--:--   924

$ gpg --verify artifactory-secrets-plugin_1.0.0.checksums.txt.sig 
gpg: assuming signed data in 'artifactory-secrets-plugin_1.0.0.checksums.txt'
gpg: Signature made Mon May 15 12:30:40 2023 MDT
gpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: Good signature from "Alex Hung <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED4F F1CD 6C23 18B4 70A3  3A16 59FE 1520 A4A3 55CD
  • The script succeeds (exit 0) but the "WARNING" was brought up for discussion by our security folks.

Expected behavior

We may need to modify the steps or at least the "expected output" to look more favorable.

Additional context

Based on the output in the README.md, you produced this on the same system that created the key, or at least has had some additional commands run to fully trust the key.

@TJM TJM added the bug Something isn't working label Jul 3, 2023
@alexhung
Copy link
Member

alexhung commented Jul 3, 2023

@TJM If my understanding of GPG is correct (and I'm no expert), I need to sign the public key using gpg --lsign-key.

@alexhung alexhung added enhancement New feature or request and removed bug Something isn't working labels Jul 3, 2023
@TJM
Copy link
Contributor Author

TJM commented Jul 3, 2023

I am not sure, I was thinking it would need to be signed by some "trusted" party. However, I am not sure if there are any trusted third parties in GPG. Or, maybe I have to sign it locally stating that I trust your signature. I have to assume a "Self Signed" key is probably trusted about the same as a self signed SSL certificate :)

@alexhung
Copy link
Member

alexhung commented Jul 3, 2023

@TJM You are right. One of the other option I considered a while ago is to upload the public key to a key server such as https://keys.openpgp.org/ or https://www.sigstore.dev/

If we go with sigstore then we can also leverage Cosign in our release toolchain.

@TJM
Copy link
Contributor Author

TJM commented Jul 3, 2023

I will also talk to our security guys later this week or next. I would have thought you could have tied into some established JFrog process that signs code? :)

@alexhung
Copy link
Member

alexhung commented Jul 3, 2023

@TJM Yes, in theory 😄

The difference here is that this project releases binary whereas other JFrog OSS projects only publishes source code. So my hunch is that this is an outlier and there isn't an established process for us to follow. I'll check nonetheless.

@alexhung
Copy link
Member

alexhung commented Jul 3, 2023

@TJM We need to balance the work needs for this vs when HashiCorp releases the registry for Vault. Once that happens, this whole signing problem more or less disappears.

@TJM
Copy link
Contributor Author

TJM commented Jul 11, 2023

The best thing I can think of would be for me to commit your public key to our IAC repo, that way supposedly I trust it (lsign), and I can validate the signature against my local copy of the key. I'd still like to know if there is a way to have a trusted third party, maybe multiple to validate the key, but it appears GPG is pretty de-centralized :)

@bramaq
Copy link

bramaq commented May 20, 2024

Hi @alexhung, @TJM,

Apologies for adding to your thread, but I am following also the steps for versions 1.5.0 & 1.6.0 and can't verify the signature either, albeit my case seems even more serious:

> gpg --import vault-plugin-secrets-artifactory-public-key.asc
gpg: key 59FE1520A4A355CD: "Alex Hung <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

> gpg --verify artifactory-secrets-plugin_1.6.0.checksums.txt.sig artifactory-secrets-plugin_1.6.0_linux_arm64
gpg: Signature made Thu 18 Apr 2024 10:34:09 PM UTC
gpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: BAD signature from "Alex Hung <[email protected]>" [unknown]

Have the steps to verify the signature changed?

@alexhung
Copy link
Member

alexhung commented May 20, 2024

@bramaq The binary files are not signed currently using the public key. Instead it's the checksum file (e.g. artifactory-secrets-plugin_1.6.0.checksums.txt) that is signed. So to verify the checksum file, you run:

gpg --verify artifactory-secrets-plugin_1.6.0.checksums.txt.sig artifactory-secrets-plugin_1.6.0.checksums.txt

You should get this as output:

gpg: Signature made Thu Apr 18 15:34:09 2024 PDT
gpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: Good signature from "Alex Hung <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED4F F1CD 6C23 18B4 70A3  3A16 59FE 1520 A4A3 55CD

This PR is about removing the WARNING since my public key is not uploaded and verified by any public key server.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants