
Verification Steps: Signature on GPG Key? #111

Open
TJM opened this issue Jul 3, 2023 · 9 comments
Labels: enhancement (New feature or request)

@TJM
Contributor

TJM commented Jul 3, 2023

Describe the bug
Would it be possible to get rid of the WARNING about the GPG Key?

gpg: WARNING: This key is not certified with a trusted signature!

I am not even really sure what that would entail.

To Reproduce
Steps to reproduce the behavior:

  • Follow the GPG Verification on a different system (or maybe inside a docker container) ... or just move aside the .gpg dir for the test? :)
$ gpg --import vault-plugin-secrets-artifactory-public-key.asc
$ curl -JLO https://github.com/jfrog/vault-plugin-secrets-artifactory/releases/download/v1.0.0/artifactory-secrets-plugin_1.0.0.checksums.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1582  100  1582    0     0   2912      0 --:--:-- --:--:-- --:--:--     0
$ curl -JLO https://github.com/jfrog/vault-plugin-secrets-artifactory/releases/download/v1.0.0/artifactory-secrets-plugin_1.0.0.checksums.txt.sig
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   566  100   566    0     0    924      0 --:--:-- --:--:-- --:--:--   924

$ gpg --verify artifactory-secrets-plugin_1.0.0.checksums.txt.sig 
gpg: assuming signed data in 'artifactory-secrets-plugin_1.0.0.checksums.txt'
gpg: Signature made Mon May 15 12:30:40 2023 MDT
gpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: Good signature from "Alex Hung <alexh@jfrog.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED4F F1CD 6C23 18B4 70A3  3A16 59FE 1520 A4A3 55CD
  • The script succeeds (exit 0) but the "WARNING" was brought up for discussion by our security folks.

Expected behavior

We may need to modify the steps or at least the "expected output" to look more favorable.

Additional context

Based on the output in the README.md, you produced this on the same system that created the key, or at least has had some additional commands run to fully trust the key.

@TJM TJM added the bug Something isn't working label Jul 3, 2023
@alexhung
Member

alexhung commented Jul 3, 2023

@TJM If my understanding of GPG is correct (and I'm no expert), I need to sign the public key using gpg --lsign-key.

@alexhung alexhung added enhancement New feature or request and removed bug Something isn't working labels Jul 3, 2023
@TJM
Contributor Author

TJM commented Jul 3, 2023

I am not sure, I was thinking it would need to be signed by some "trusted" party. However, I am not sure if there are any trusted third parties in GPG. Or, maybe I have to sign it locally stating that I trust your signature. I have to assume a "Self Signed" key is probably trusted about the same as a self signed SSL certificate :)

@alexhung
Member

alexhung commented Jul 3, 2023

@TJM You are right. One of the other options I considered a while ago is to upload the public key to a key server such as https://keys.openpgp.org/ or https://www.sigstore.dev/

If we go with sigstore then we can also leverage Cosign in our release toolchain.

@TJM
Contributor Author

TJM commented Jul 3, 2023

I will also talk to our security guys later this week or next. I would have thought you could have tied into some established JFrog process that signs code? :)

@alexhung
Member

alexhung commented Jul 3, 2023

@TJM Yes, in theory 😄

The difference here is that this project releases binaries whereas other JFrog OSS projects only publish source code. So my hunch is that this is an outlier and there isn't an established process for us to follow. I'll check nonetheless.

@alexhung
Member

alexhung commented Jul 3, 2023

@TJM We need to balance the work needs for this vs when HashiCorp releases the registry for Vault. Once that happens, this whole signing problem more or less disappears.

@TJM
Contributor Author

TJM commented Jul 11, 2023

The best thing I can think of would be for me to commit your public key to our IAC repo, that way supposedly I trust it (lsign), and I can validate the signature against my local copy of the key. I'd still like to know if there is a way to have a trusted third party, maybe multiple to validate the key, but it appears GPG is pretty de-centralized :)

@bramaq

bramaq commented May 20, 2024

Hi @alexhung, @TJM,

Apologies for adding to your thread, but I am also following the steps for versions 1.5.0 & 1.6.0 and can't verify the signature either, albeit my case seems even more serious:

> gpg --import vault-plugin-secrets-artifactory-public-key.asc
gpg: key 59FE1520A4A355CD: "Alex Hung <alexh@jfrog.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

> gpg --verify artifactory-secrets-plugin_1.6.0.checksums.txt.sig artifactory-secrets-plugin_1.6.0_linux_arm64
gpg: Signature made Thu 18 Apr 2024 10:34:09 PM UTC
gpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: BAD signature from "Alex Hung <alexh@jfrog.com>" [unknown]

Have the steps to verify the signature changed?

@alexhung
Member

alexhung commented May 20, 2024

@bramaq The binary files are not currently signed using the public key. Instead it's the checksum file (e.g. artifactory-secrets-plugin_1.6.0.checksums.txt) that is signed. So to verify the checksum file, you run:

gpg --verify artifactory-secrets-plugin_1.6.0.checksums.txt.sig artifactory-secrets-plugin_1.6.0.checksums.txt

You should get this as output:

gpg: Signature made Thu Apr 18 15:34:09 2024 PDT
gpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: Good signature from "Alex Hung <alexh@jfrog.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED4F F1CD 6C23 18B4 70A3  3A16 59FE 1520 A4A3 55CD

This PR is about removing the WARNING since my public key is not uploaded and verified by any public key server.
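A verification script that puts together what this thread converges on: TJM's proposal to pin the maintainer's key in the consumer's own repo (so the web-of-trust WARNING stops mattering) and alexhung's point that the signature covers the checksum file, not the binary. This is an added example, not code from the jfrog/vault-plugin-secrets-artifactory project; the fingerprint is the one printed in the gpg output above, the file names follow the v1.6.0 release, and the function names and the constructed sample inputs are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the jfrog/vault-plugin-secrets-artifactory project.
# Does what the thread converges on: pin the maintainer's fingerprint in your own
# repo instead of relying on web-of-trust, verify the signed *checksum file*
# (verifying the binary directly is what produced the BAD signature above), then
# check the binary's SHA-256 against that signed file. Needs gpg, awk, sha256sum.
set -eu

# Fingerprint exactly as printed in the gpg output in this issue.
PINNED_FPR="ED4FF1CD6C2318B470A33A1659FE1520A4A355CD"

# check_status STATUS_FILE FINGERPRINT
# Reads machine-readable `gpg --status-fd` lines. Accept only a GOODSIG with no
# BADSIG and a VALIDSIG whose signing key (field 3) or primary key (field 12)
# equals the pin. TRUST_UNDEFINED, the status behind the "not certified" WARNING,
# is ignored on purpose: the pinned fingerprint is our trust decision.
check_status() {
    if grep -q '^\[GNUPG:\] BADSIG ' "$1"; then return 1; fi
    grep -q '^\[GNUPG:\] GOODSIG ' "$1" || return 1
    awk -v want="$2" '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==want || $12==want) {ok=1}
                      END {exit !ok}' "$1"
}

# check_checksum CHECKSUMS_FILE BINARY
# Looks the binary up by file name in the "<sha256>  <name>" list and compares.
check_checksum() {
    expected=$(awk -v f="$(basename "$2")" '$2==f {print $1}' "$1")
    actual=$(sha256sum "$2" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_release PUBKEY.asc CHECKSUMS_FILE CHECKSUMS_FILE.sig BINARY
# Uses a throwaway keyring, so nothing in ~/.gnupg (and no lsign) is involved.
verify_release() {
    keyring=$(mktemp -d); status=$(mktemp)
    gpg --homedir "$keyring" --batch --quiet --import "$1"
    # gpg exits 0 for a good-but-untrusted signature and 1 for BADSIG; capture the
    # status lines on fd 3 either way and let check_status decide.
    gpg --homedir "$keyring" --batch --status-fd 3 --verify "$3" "$2" 3>"$status" 2>/dev/null || true
    check_status "$status" "$PINNED_FPR" || { echo "signature check failed: $2" >&2; return 1; }
    check_checksum "$2" "$4" || { echo "sha256 mismatch: $4" >&2; return 1; }
    rm -rf "$keyring" "$status"
    echo "verified $4 against signed $2"
}

# Example invocation, commented out so the file can also be sourced:
# verify_release vault-plugin-secrets-artifactory-public-key.asc \
#   artifactory-secrets-plugin_1.6.0.checksums.txt \
#   artifactory-secrets-plugin_1.6.0.checksums.txt.sig artifactory-secrets-plugin_1.6.0_linux_arm64
```

With a pinned fingerprint the "WARNING: This key is not certified" line is expected and harmless; what the script refuses is a BADSIG, a good signature from some other key, or a binary whose hash is not the one in the signed checksum file.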
