Merge pull request #99 from jfrog/GH-81-update-readme
Update README with new checksum verification steps
alexhung authored May 9, 2023
2 parents bd29a99 + 39c9730 commit 125ebbb
Showing 2 changed files with 36 additions and 5 deletions.
9 changes: 7 additions & 2 deletions CHANGELOG.md
@@ -1,3 +1,8 @@
## 0.3.0 (May 10, 2023)

IMPROVEMENTS:
- Update release process to publish the binaries directly (without zipping). The checksums file now contain checksums for the binaries (vs the zip file). Issue: [#81](https://github.com/jfrog/artifactory-secrets-plugin/issues/81) PR: [#99](https://github.com/jfrog/artifactory-secrets-plugin/pull/99)

## 0.2.17 (April 25, 2023)

IMPROVEMENTS:
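Review bot: in the new 0.3.0 entry, "The checksums file now contain checksums" should read "now contains". Beyond the grammar, publishing bare binaries instead of zips changes both what users download and what the checksums file covers, so anything scripted against the old archive or its checksum line will stop matching. Consider flagging this as a behaviour change rather than listing it only under IMPROVEMENTS, and point the entry at the README's "How to verify binary checksums" section. The heading date (May 10, 2023) is one day after the commit date shown for this merge (May 9, 2023); confirm it matches the actual release date.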
Expand Down Expand Up @@ -57,13 +62,13 @@ IMPROVEMENTS:
- Switch to using POSTing JSON (instead of form) when creating token.
- `expires_in` and `force_revocable` fields are now opt-in.

Issue: [#50](https://github.com/jfrog/artifactory-secrets-plugin/pull/50) PR: [#52](https://github.com/jfrog/artifactory-secrets-plugin/pull/52)
Issue: [#50](https://github.com/jfrog/artifactory-secrets-plugin/issues/50) PR: [#52](https://github.com/jfrog/artifactory-secrets-plugin/pull/52)

## 0.2.10 (March 13, 2023)

BUG FIXES:

- Temporarily disable `force_revocable` due to revoke token failing. Issue: [#50](https://github.com/jfrog/artifactory-secrets-plugin/pull/50) PR: [#51](https://github.com/jfrog/artifactory-secrets-plugin/pull/51)
- Temporarily disable `force_revocable` due to revoke token failing. Issue: [#50](https://github.com/jfrog/artifactory-secrets-plugin/issues/50) PR: [#51](https://github.com/jfrog/artifactory-secrets-plugin/pull/51)

## 0.2.9 (March 13, 2023)

32 changes: 29 additions & 3 deletions README.md
Expand Up @@ -96,7 +96,7 @@ vault write -f artifactory/config/admin

### Using pre-built releases

You can find pre-built releases of the plugin [here][artreleases]. Once you have downloaded the latest archive corresponding to your target OS, unzip it to retrieve the `artifactory-secrets-plugin` binary file.
You can find pre-built releases of the plugin [here][artreleases] and download the latest binary file corresponding to your target OS.

### From Sources

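Review bot: the rewritten sentence under "Using pre-built releases" tells the reader to download a binary but no longer names the file they should end up with (the old text named `artifactory-secrets-plugin`) and does not send them to checksum verification before the binary is used. This is the point where the download happens, so link to `#how-to-verify-binary-checksums` from here and say how the release asset name maps to the target OS.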
Expand Down Expand Up @@ -129,17 +129,43 @@ vault plugin register \
secret artifactory
```

* NOTE: you may need to also add arguments to the registration like `-args="-ca-cert ca.pem` or something insecure like: `-args="-tls-skip-verify"` depending on your environment. (see `./path/to/plugins/artifactory -help` for all the options)
> **Note**
> you may need to also add arguments to the registration like `-args="-ca-cert ca.pem` or something insecure like: `-args="-tls-skip-verify"` depending on your environment. (see `./path/to/plugins/artifactory -help` for all the options)
> **Note**
> This inline checksum calculation above is provided for illustration purpose and does not validate your binary. It should **not** be used for production environment. At minimum, you should use the checksum provided as [part of the release](https://github.com/jfrog/artifactory-secrets-plugin/releases).
> This inline checksum calculation above is provided for illustration purpose and does not validate your binary. It should **not** be used for production environment. Instead you should use the checksum provided as [part of the release](https://github.com/jfrog/artifactory-secrets-plugin/releases). See [How to verify binary checksums](#how-to-verify-binary-checksums) section.
You can now enable the Artifactory secrets plugin:

```sh
vault secrets enable artifactory
```

### How to verify binary checksums

Checksums for each binary are provided in the `artifactory-secrets-plugin_<version>_checksums.txt` file. It is signed with the public key `artifactory-secrets-plugin-public-key.asc` which creates the signature file `artifactory-secrets-plugin_<version>_checksums.txt.sig`.

If the public key is not in your GPG keychain, import it:
```sh
gpg --import artifactory-secrets-plugin-public-key.asc
```

Then verify the checksums file signature:

```sh
gpg --verify artifactory-secrets-plugin_<version>_checksums.txt.sig
```

You should see something like the following:
```sh
gpg: assuming signed data in 'artifactory-secrets-plugin_0.2.17_checksums.txt'
gpg: Signature made Mon May 8 14:22:12 2023 PDT
gpg: using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: Good signature from "Alex Hung <[email protected]>" [ultimate]
```

With the checksums file verified, you can now safely use the SHA256 checkum inside as part of the Vault plugin registration (vs calling `sha256sum`).

### Artifactory

1. Log into the Artifactory UI as an "admin".
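Review bot: the new "How to verify binary checksums" section has the reader import `artifactory-secrets-plugin-public-key.asc` without saying where the key is obtained or how to confirm it is the right one, so a key fetched alongside the release assets proves nothing if those assets were replaced. State the expected fingerprint in the prose (the sample output shows `ED4FF1CD6C2318B470A33A1659FE1520A4A355CD`) and tell readers to compare it after import. Related points in the same section: "It is signed with the public key" is backwards, since the file is signed with the private key and verified with the public one; the sample output shows `[ultimate]` trust, which a reader who has only imported the key will normally not see, so mention the untrusted-key warning they should expect; `gpg --verify` is given only the `.sig` and relies on gpg assuming the data file, so pass the checksums file explicitly as the second argument; the sample output is fenced as `sh` although it is not a command; "checkum" is a typo. In the first note of this hunk, `-args="-ca-cert ca.pem` is missing its closing quote, and the `-tls-skip-verify` suggestion should say what protection is lost when it is used.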