jenkins-x/jx

jx upgrade cli (and plugins) should verify the artifact before installing

ankitm123 opened this issue · 3 comments

Now that we are signing the artifacts, we should make jx upgrade cli verify the artifact before upgrading the version. This can be done using cosign verify-blob. Normally the way to verify blobs is this:

cosign verify-blob --key https://raw.githubusercontent.com/jenkins-x/jx/main/jx.pub --signature jx-linux-amd64.tar.gz.sig jx-linux-amd64.tar.gz

jx upgrade cli will do all this transparently.

Eventually we want to do this for all the plugins (they are not signed yet) and only install verified plugins on the user's workstation.

For example, this does not verify the binary before installing:

jx project --help
Installing plugin jx-project version 0.2.54 for command jx project from https://github.com/jenkins-x-plugins/jx-project/releases/download/v0.2.54/jx-project-linux-amd64.tar.gz into /home/ankitm123/.jx3/plugins/bin
Deleted old plugin versions: [jx-project-0.0.153 jx-project-0.0.167 jx-project-0.0.178 jx-project-0.0.202 jx-project-0.2.11 jx-project-0.2.17 jx-project-0.2.2 jx-project-0.2.22 jx-project-0.2.23 jx-project-0.2.30 jx-project-0.2.4]
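The verify-before-install step the issue asks for, as an added Go example; this is not jx's own code. It assumes what `cosign generate-key-pair` produces by default: that jx.pub is a PEM-encoded ECDSA P-256 public key and that the `.sig` file is the base64 of an ASN.1 DER ECDSA signature over the SHA-256 digest of the tarball, which is what `cosign verify-blob --key` checks for a key-based signature. `newKeyPair` and `signBlob` are stand-ins for the release pipeline's jx.key and `cosign sign-blob`, the tarball bytes are constructed, and `installIfVerified` is a hypothetical name for the gate jx upgrade cli would need, so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// parsePublicKey reads a PEM public key as published in jx.pub. Only ECDSA keys
// are accepted (assumption: jx.pub is the P-256 key cosign generate-key-pair writes).
func parsePublicKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("jx.pub: no PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("jx.pub: %w", err)
	}
	ec, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("jx.pub: not an ECDSA public key")
	}
	return ec, nil
}

// verifyBlob checks what `cosign verify-blob --key jx.pub --signature x.sig x` checks for a
// key-based signature: base64 of a DER ECDSA signature over SHA-256(blob). nil means verified.
func verifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(sigB64))
	if err != nil {
		return fmt.Errorf("decoding signature: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match artifact; refusing to install")
	}
	return nil
}

// installIfVerified is the hypothetical gate jx upgrade cli would put in front of
// extracting the tarball: install runs only once verifyBlob has succeeded.
func installIfVerified(pub *ecdsa.PublicKey, blob []byte, sigB64 string, install func([]byte) error) error {
	if err := verifyBlob(pub, blob, sigB64); err != nil {
		return err
	}
	return install(blob)
}

// signBlob stands in for the release pipeline's `cosign sign-blob --key jx.key` so
// the example runs offline; it is not part of jx.
func signBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// newKeyPair makes a throwaway P-256 key pair plus the PEM form of its public key,
// standing in for jx.key / jx.pub. Constructed for the example only.
func newKeyPair() (*ecdsa.PrivateKey, []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func main() {
	priv, pubPEM := newKeyPair()
	pub, err := parsePublicKey(pubPEM)
	if err != nil {
		panic(err)
	}
	release := []byte("jx-linux-amd64.tar.gz: constructed sample bytes") // stand-in for the downloaded tarball
	sig, err := signBlob(priv, release)
	if err != nil {
		panic(err)
	}
	install := func([]byte) error { return nil } // extraction into ~/.jx3/plugins/bin would go here
	fmt.Println("genuine artifact:", installIfVerified(pub, release, sig, install))
	tampered := append([]byte(nil), release...)
	tampered[0] ^= 0xff // one flipped byte, as a replaced release asset would produce
	fmt.Println("tampered artifact:", installIfVerified(pub, tampered, sig, install))
}
```

Doing the check in-process rather than shelling out to cosign keeps the upgrade path free of a dependency on a cosign binary being on the user's PATH. One design point worth settling before shipping: if jx.pub is fetched from raw.githubusercontent.com at upgrade time, anyone who can replace the release asset and the key file together (or intercept both downloads) passes the check, so the public key is better embedded in the jx binary that performs the upgrade and only rotated through a release that is itself verified by the previous key.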

@osamamagdy and @ankitm123 to look at this.

Is this up for grabs? @ankitm123