jx upgrade cli (and plugins) should verify the artifact before installing
ankitm123 opened this issue · 3 comments
ankitm123 commented
Now that we are signing the artifacts, we should make jx upgrade cli verify the artifact before upgrading the version. This can be done using cosign verify-blob. Normally the way to verify blobs is this:
cosign verify-blob --key https://raw.githubusercontent.com/jenkins-x/jx/main/jx.pub --signature jx-linux-amd64.tar.gz.sig jx-linux-amd64.tar.gz
jx upgrade cli will do all this transparently.
Eventually we want to do this for all the plugins (they are not signed yet) and only install verified plugins on the user's workstation.
For example, this does not verify the binary before installing:
jx project --help
Installing plugin jx-project version 0.2.54 for command jx project from https://github.com/jenkins-x-plugins/jx-project/releases/download/v0.2.54/jx-project-linux-amd64.tar.gz into /home/ankitm123/.jx3/plugins/bin
Deleted old plugin versions: [jx-project-0.0.153 jx-project-0.0.167 jx-project-0.0.178 jx-project-0.0.202 jx-project-0.2.11 jx-project-0.2.17 jx-project-0.2.2 jx-project-0.2.22 jx-project-0.2.23 jx-project-0.2.30 jx-project-0.2.4]
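The following is an added example, not code from the issue or from the jx project, showing the verify-before-install gate described above in Go (the language jx is written in). It reproduces what `cosign verify-blob --key jx.pub --signature <blob>.sig <blob>` checks for an ECDSA key: the `.sig` file is assumed to be the base64 encoding of an ASN.1 DER ECDSA signature over SHA-256 of the blob, and the key a PEM PKIX public key. Since it runs offline, the release-side signing step (`newSignedFixture`) stands in for `cosign sign-blob` and generates a throwaway P-256 key instead of using the real jx.pub; the artifact bytes are constructed. The function names `loadPublicKey`, `verifyBlob` and `installIfVerified` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// loadPublicKey parses a PEM-encoded ECDSA public key, the shape of the file
// passed to `cosign verify-blob --key` (jx.pub in the issue).
func loadPublicKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("public key: no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("public key: %w", err)
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("public key: not an ECDSA key")
	}
	return ec, nil
}

// verifyBlob checks a detached signature the way cosign's key-based
// verify-blob does for ECDSA keys (assumption about cosign's format): the
// .sig file holds the base64 of an ASN.1 DER ECDSA signature over SHA-256(blob).
func verifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(sigB64))
	if err != nil {
		return fmt.Errorf("signature: not valid base64: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match artifact; refusing to install")
	}
	return nil
}

// installIfVerified is the gate the issue asks for: the downloaded tarball is
// handed to install only after its signature verifies against the pinned key.
// A verification failure returns before install is ever called.
func installIfVerified(pubPEM, blob []byte, sigB64 string, install func([]byte) error) error {
	pub, err := loadPublicKey(pubPEM)
	if err != nil {
		return err
	}
	if err := verifyBlob(pub, blob, sigB64); err != nil {
		return err
	}
	return install(blob)
}

// newSignedFixture stands in for the release pipeline (cosign sign-blob with a
// P-256 key): it generates a throwaway keypair, signs blob and returns the PEM
// public key plus base64 signature. Constructed for this example only.
func newSignedFixture(blob []byte) (pubPEM []byte, sigB64 string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, "", err
	}
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, "", err
	}
	return pubPEM, base64.StdEncoding.EncodeToString(sig), nil
}

func main() {
	blob := []byte("constructed stand-in for jx-linux-amd64.tar.gz") // constructed artifact
	pubPEM, sig, err := newSignedFixture(blob)
	if err != nil {
		panic(err)
	}
	install := func(b []byte) error { fmt.Printf("installing %d bytes\n", len(b)); return nil }

	fmt.Println("genuine:", installIfVerified(pubPEM, blob, sig, install))
	tampered := append([]byte{}, blob...)
	tampered[0] ^= 0xff // a single flipped byte, as a swapped release asset would be
	fmt.Println("tampered:", installIfVerified(pubPEM, tampered, sig, install))
}
```

The install callback is only reached on a verified blob, so a swapped tarball, a signature made with a different key, or a malformed key file all stop the upgrade before anything is written under `.jx3/plugins/bin`; the same gate applies to plugins once their releases carry signatures.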
ankitm123 commented
@osamamagdy and @ankitm123 to look at this.
ba11b0y commented
Is this up for grabs? @ankitm123