It is my opinion that the following step in the README.md is risky:

The whole point of a security product like Vault validating the sha256sum of the binary is to ensure that it has not been modified. If you just read the sha256sum from the filesystem as you "register" the plugin, it will of course match, but you haven't validated anything. At a minimum, it would be a good idea to note that the procedure is for proof of concept or lab testing, and should not be used in production or anywhere security matters.
I would suggest that the binary itself should have a published SHA256sum, that is GPG signed, so that we can ensure that the binary is unmodified. I do thank you for at least publishing the list of sums for the zip files, which allows us to validate the zip file, but as they are not signed, they could be modified at the same time the binaries are being compromised.
Thanks,
Tommy
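To make the distinction in the report concrete, here is an added Python example; it is not code from the issue, from Vault, or from the plugin project. It contrasts the README-style flow (hash whatever is on disk, then register that hash) with the flow the reporter asks for (compare the on-disk hash against a sum published by the vendor). The plugin file name `vault-plugin-example`, its contents and the `SHA256SUMS` text are all constructed for the demo; the parser assumes the two-space `<hex>  <filename>` format written by `sha256sum`, which is also the format of HashiCorp's release `SHA256SUMS` files.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse '<hex>  <filename>' lines (sha256sum format) into {filename: hex}.

    A leading '*' on the filename (sha256sum binary-mode marker) is dropped.
    Anything that is not a 64-character hex digest is rejected rather than
    silently skipped, so a corrupted sums file cannot pass as 'no entry'.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        sums[name.lstrip("*")] = digest
    return sums


def naive_registration_check(path):
    """The README-style step: the 'expected' hash is read from the very file
    that will later be verified, so the check cannot fail."""
    expected = sha256_file(path)          # what gets passed to the register step
    actual = sha256_file(path)            # what Vault computes when loading
    return expected == actual             # always True, tampered or not


def verify_pinned(path, published):
    """Compare the on-disk hash with a sum obtained out of band.

    `published` must come from a source verified separately (e.g. a
    SHA256SUMS file whose detached signature was checked), otherwise this
    is no better than the naive flow.
    """
    name = os.path.basename(path)
    if name not in published:
        raise KeyError(f"no published sum for {name}")
    return hmac.compare_digest(sha256_file(path), published[name])


def demo():
    """Show a swapped binary passing the naive check and failing the pinned one."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "vault-plugin-example")   # constructed name
        genuine = b"#!/bin/sh\necho genuine plugin\n"          # constructed stand-in
        with open(plugin, "wb") as f:
            f.write(genuine)

        # What the vendor would publish (and sign) for the genuine artifact.
        sums_text = f"{hashlib.sha256(genuine).hexdigest()}  vault-plugin-example\n"
        published = parse_sha256sums(sums_text)

        # The binary is replaced before the operator runs the register step.
        with open(plugin, "wb") as f:
            f.write(b"#!/bin/sh\necho backdoored plugin\n")

        return {
            "naive_accepts_tampered": naive_registration_check(plugin),
            "pinned_accepts_tampered": verify_pinned(plugin, published),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the `published` dict would be built from the downloaded `SHA256SUMS` only after its detached signature has been checked (`gpg --verify SHA256SUMS.sig SHA256SUMS` against a key obtained independently of the download), and the digest for the plugin would then be passed to `vault plugin register -sha256=<hex> ...` instead of a value computed from the file on disk.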
@TJM HashiCorp is planning to add a registry for Vault in the not-too-far future. It may/should work similarly to the Terraform Provider registry and the binary will be signed. I don't have any ETA though, so in the meantime your suggestion is great.
We will update the documentation with emphasis on its non-production aspect.