Is your feature request related to a problem? Please describe.
Currently all jf binaries released at https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/ cannot be verified, as the checksum and signature are missing.
To mitigate supply chain attacks it is necessary to verify that a downloaded binary matches the checksum of the binary at build time.
This way a bad actor would not be able to change the binary without access to the private key used for the signature.
In the event of a compromised instance of releases.jfrog.io, a malicious binary could be uploaded with no way to verify the integrity of that binary.
Describe the solution you'd like to see
Directly after the binary (for each platform and arch) has been built, the checksum of this binary is created.
All checksums for the binaries are signed (cosign, GPG, openssl, ...).
Binaries, checksums and signature are published.
Using a pre-published public key, the signature can be verified, and therefore the checksum of the downloaded binary.
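An added example of the build-and-verify flow described above, not code from jfrog-cli: it builds a sha256sum-style manifest for constructed sample binaries, signs it with an Ed25519 key (standing in for cosign/GPG/openssl), and on the consumer side checks the signature with the pre-published public key before trusting any checksum in it. The Release type, function names and sample binary names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Release is one built artifact (constructed stand-in for jf-linux-amd64 etc.).
type Release struct {
	Name string
	Data []byte
}

// BuildManifest runs right after the build: one "sha256  name" line per binary,
// in sha256sum's output format, so a consumer can also feed it to `sha256sum -c`.
func BuildManifest(releases []Release) []byte {
	var sb strings.Builder
	for _, r := range releases {
		sum := sha256.Sum256(r.Data)
		fmt.Fprintf(&sb, "%s  %s\n", hex.EncodeToString(sum[:]), r.Name)
	}
	return []byte(sb.String())
}

// SignManifest is the build-time step; only the holder of priv can produce sig,
// so a compromised download host cannot re-sign a swapped binary.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyDownload is the consumer-side step: check the manifest signature with
// the pre-published public key first, then compare the downloaded bytes.
func VerifyDownload(pub ed25519.PublicKey, manifest, sig []byte, name string, downloaded []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest signature invalid; no checksum in it can be trusted")
	}
	got := sha256.Sum256(downloaded)
	for _, line := range strings.Split(string(manifest), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name { // names without spaces
			if f[0] == hex.EncodeToString(got[:]) {
				return nil
			}
			return fmt.Errorf("checksum mismatch for %s", name)
		}
	}
	return fmt.Errorf("%s is not listed in the signed manifest", name)
}
```

Generate the key pair once with `ed25519.GenerateKey(nil)`, keep the private key in the build environment only, and publish the public key out of band before the first release.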
Describe alternatives you've considered
None, as the creation of checksums and signing needs to be done at build time.