
Risky documentation (sha256 sum) #15

Closed
TJM opened this issue Jun 6, 2022 · 1 comment · Fixed by #30
Assignees
Labels
documentation Improvements or additions to documentation

Comments

@TJM
Contributor

TJM commented Jun 6, 2022

It is my opinion that the following step in the README.md is risky:

```shell
$ vault write sys/plugins/catalog/secret/artifactory \
    sha_256="$(sha256sum path/to/plugin/directory/artifactory | cut -d " " -f 1)" \
    command="artifactory"
```

The whole point of a security product like Vault validating the sha256sum of the binary is to ensure that it has not been modified. If you just read the sha256sum from the filesystem as you "register" the plugin, it will of course match, but you haven't validated anything. At a minimum, it would be a good idea to note that the procedure is for proof of concept or lab testing, and should not be used in production or anywhere security matters.

I would suggest that the binary itself should have a published SHA256sum, that is GPG signed, so that we can ensure that the binary is unmodified. I do thank you for at least publishing the list of sums for the zip files, which allows us to validate the zip file, but as they are not signed, they could be modified at the same time the binaries are being compromised.

Thanks,
Tommy
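The pattern the comment above argues for, written out as an added example (it is not code from the issue or from the vault-plugin-secrets-artifactory project): the `sha_256` value handed to `vault write` comes from a checksum list published by the project, and the binary is rejected if it does not match, instead of being hashed on the spot. The `SHA256SUMS` / `SHA256SUMS.sig` file names, the `sha256sum -c` line format, and the sample "binary" (the five bytes `hello`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the issue or the project. Verifies a plugin binary
# against an externally published SHA256 before building the registration
# command, so a tampered file cannot vouch for itself.
set -eu

# The checksum list is only trustworthy if its detached signature verifies
# against the publisher's key already in the local keyring. Assumes the
# signature sits beside the list as "<file>.sig"; not exercised by demo()
# because it needs real keys.
verify_sums_signature() {
    gpg --verify "$1.sig" "$1"
}

# Extract the published digest for a file name from a SHA256SUMS-style list
# ("<hex>  <name>" or "<hex> *<name>"). Prints the digest; returns 1 if absent.
published_sha256() {
    sums_file="$1"
    name="$2"
    awk -v n="$name" '{ sub(/^\*/, "", $2); if ($2 == n) { print $1; found = 1 } }
                      END { exit found ? 0 : 1 }' "$sums_file"
}

# Digest of a local file; portable across GNU sha256sum and BSD/macOS shasum.
local_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Prints the published digest only when the local binary matches it.
verify_plugin() {
    sums_file="$1"
    binary="$2"
    expected=$(published_sha256 "$sums_file" "$(basename "$binary")") || {
        echo "no published checksum for $(basename "$binary")" >&2
        return 1
    }
    actual=$(local_sha256 "$binary")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $binary" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "$expected"
}

# Build the vault command from the *published* digest. Printed rather than
# executed so the example runs without a Vault server.
register_plugin_cmd() {
    sums_file="$1"
    binary="$2"
    digest=$(verify_plugin "$sums_file" "$binary") || return 1
    printf 'vault write sys/plugins/catalog/secret/artifactory sha_256=%s command=%s\n' \
        "$digest" "$(basename "$binary")"
}

# Constructed demonstration: a "binary" containing the bytes "hello", whose
# SHA256 is the well-known value below, then the same file after tampering.
demo() {
    dir=$(mktemp -d)
    printf 'hello' > "$dir/artifactory"
    printf '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  artifactory\n' \
        > "$dir/SHA256SUMS"
    register_plugin_cmd "$dir/SHA256SUMS" "$dir/artifactory"   # accepted
    printf 'hellO' > "$dir/artifactory"                          # simulate tampering
    if register_plugin_cmd "$dir/SHA256SUMS" "$dir/artifactory"; then
        echo "BUG: tampered binary accepted" >&2
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
}

demo
```

The important property is that the digest Vault pins is never derived from the file being registered: it is read from the signed list, and the only thing computed locally is the comparison. Running `verify_sums_signature SHA256SUMS` first closes the gap the comment points out, where an unsigned checksum list could be altered along with the binaries.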

@alexhung
Member

@TJM HashiCorp is planning to add a registry for Vault in the not-too-far future. It may/should work similarly to the Terraform Provider registry, and the binary will be signed. I don't have any ETA though, so in the meantime your suggestion is great.

We will update the documentation with emphasis on its non-production aspect.

@alexhung alexhung added the documentation Improvements or additions to documentation label Nov 29, 2022
@alexhung alexhung self-assigned this Feb 1, 2023
alexhung added a commit that referenced this issue Feb 1, 2023
Add note for binary checksum should not be used for production