Alex Hung
@TJM If my understanding of GPG is correct (and I'm no expert), I need to sign the public key using `gpg --lsign-key`.
@TJM You are right. One of the other options I considered a while ago is to upload the public key to a key server such as https://keys.openpgp.org/ or https://www.sigstore.dev/. If...
@TJM Yes, in theory 😄 The difference here is that this project releases binaries whereas other JFrog OSS projects only publish source code. So my hunch is that this is...
@TJM We need to balance the work needs for this vs when HashiCorp releases the registry for Vault. Once that happens, this whole signing problem more or less disappears.
@bramaq The binary files are not signed currently using the public key. Instead it's the checksum file (e.g. `artifactory-secrets-plugin_1.6.0.checksums.txt`) that is signed. So to verify the checksum file, you run:...
@davidcorrigan714 AFAIK the plugin does not currently support what you suggest. This is an excellent feature to add though. We will add this to our backlog.
@davidcorrigan714 Sounds good. When you're ready to contribute, the process is pretty standard so please open a PR and we can work through any comments, feedback, etc.
The way I understand (and assume) is that when Vault server mounts/enables a plugin, it starts a new process(?) thus keeping it in memory. I can be wrong though. Overwriting...
True. When I examine a few plugins in both the official and partner plugins, all of the binaries do not contain the version string.
Feel free to open a PR to add your script to the project (in `./scripts` directory?).