Verify Binary Checksums

JFrog Integrations Documentation

Checksums for each binary are provided in the artifactory-secrets-plugin_<version>_checksums.txt file. The file is signed with the private key that corresponds to the public key vault-plugin-secrets-artifactory-public-key.asc, which creates the signature file artifactory-secrets-plugin_<version>_checksums.txt.sig.

If the public key is not in your GPG keychain, import the key.

gpg --import artifactory-secrets-plugin-public-key.asc

Verify the checksums file signature.

gpg --verify artifactory-secrets-plugin_<version>_checksums.txt.sig

You should see something like the following example.

gpg: assuming signed data in 'artifactory-secrets-plugin_0.2.17_checksums.txt'
gpg: Signature made Mon May  8 14:22:12 2023 PDT
gpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD
gpg: Good signature from "Alex Hung <alexh@jfrog.com>" [ultimate]

With the checksums file verified, you can now safely use the SHA256 checksum inside it as part of the Vault plugin registration (instead of calling sha256sum).
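
The steps above as a script, added here as an example (not part of the JFrog documentation): it checks the signature against the key fingerprint shown in the sample output rather than relying on the "Good signature" text alone, then prints the SHA256 recorded for one binary. It assumes the checksums file uses the sha256sum layout ("<digest>  <file name>"); the function names and the binary file name argument are hypothetical.

```shell
#!/bin/sh
# Added example, not JFrog's own tooling. Assumption: checksums file lines look
# like "<64 hex chars>  <file name>" (sha256sum layout). Names are hypothetical.

# Signing-key fingerprint shown in the sample gpg output on this page.
EXPECTED_FPR="ED4FF1CD6C2318B470A33A1659FE1520A4A355CD"

# Reads `gpg --status-fd` output on stdin. Succeeds only if gpg reported GOODSIG
# (not an expired or revoked key) and VALIDSIG carries the pinned fingerprint.
validsig_matches() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && toupper($3) == toupper(want) { fpr = 1 }
        END { exit !(good && fpr) }'
}

# Prints the SHA256 listed for an exact file name. Fails if the name is
# missing, listed more than once, or the digest is not 64 hex characters.
checksum_for() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }      # binary-mode entries are "*name"
        f == name { n++; sum = $1 }
        END { if (n != 1 || length(sum) != 64 || sum !~ /^[0-9a-fA-F]+$/) exit 1
              print tolower(sum) }' "$1"
}

# verify_and_extract <checksums.txt> <checksums.txt.sig> <binary file name>
verify_and_extract() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | validsig_matches "$EXPECTED_FPR" || return 1
    checksum_for "$1" "$3"
}

# Run the full flow only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    verify_and_extract "$1" "$2" "$3"
fi
```

The printed value is the checksum to supply at plugin registration; a non-zero exit means the signature, the fingerprint, or the checksums entry did not check out.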