Verify Binary Checksums

JFrog Integrations Documentation

Content Type

Checksums for each binary are provided in the artifactory-secrets-plugin_<version>_checksums.txt file. It is signed with the public key vault-plugin-secrets-artifactory-public-key.asc which creates the signature file artifactory-secrets-plugin_<version>_checksums.txt.sig.

If the public key is not in your GPG keychain, import the key.

gpg --import artifactory-secrets-plugin-public-key.asc

Verify the checksums file signature.

gpg --verify artifactory-secrets-plugin_<version>_checksums.txt.sig

You should see something like the following example.

gpg: assuming signed data in 'artifactory-secrets-plugin_0.2.17_checksums.txt'
gpg: Signature made Mon May  8 14:22:12 2023 PDT
gpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: Good signature from "Alex Hung <>" [ultimate]

With the checksums file verified, you can now safely use the SHA256 checkum inside as part of the Vault plugin registration (vs calling sha256sum).