Is your feature request related to a problem? Please describe.
We need to be certain the jfrog-cli executable is free of supply chain attacks. While we are aware there are ways to do this with package manager approaches (apt-get, dnf), there also needs to be a way to validate authenticity of the jfrog-cli binary when it is downloaded via curl. This could be done by offering .sig files for the binaries, or by using cosign. In fact, jfrog seems to have a system for this for many of their binaries, but not for the jfrog-cli?
Describe the solution you'd like to see
.sig files for gpg verification of the curl-downloaded jfrog-cli binaries, or sign using cosign.
Describe alternatives you've considered
We are aware checking sha256 is possible, but that is subject to trust-on-first-use attacks (the sha256 might have been modified in addition to the binary).
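As an added illustration of the difference the request is about (this is example code, not JFrog's own tooling or release process), the script below contrasts a checksum-only check with a detached-signature check for a binary fetched with curl. The `jfrog-cli` download URL, the `.sig` URL and the key fingerprint are placeholders; the `verify_gpg` and `verify_cosign` helpers call the real `gpg --verify` and `cosign verify-blob` commands but only run when those tools are installed.

```shell
#!/bin/sh
# Added example, not from the issue or the jfrog-cli project.
# Demonstrates why a published sha256 alone is a weaker guarantee than a
# signature: an attacker who can swap the binary on the download host can
# usually swap the checksum file next to it, but cannot produce a signature
# without the publisher's private key.

# Portable sha256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Checksum check: $1 = file, $2 = expected hex digest.
# Detects corruption or accidental mismatch only; see caveat above.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Detached GPG signature check: $1 = file, $2 = .sig, $3 = pinned fingerprint.
# The fingerprint is pinned in the script (obtained out of band), never
# fetched from the same host as the binary, so a compromised mirror cannot
# simply serve a matching key. Returns 2 when gpg is unavailable.
verify_gpg() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$3"
}

# cosign blob signature check: $1 = file, $2 = .sig, $3 = public key file.
# Returns 2 when cosign is unavailable.
verify_cosign() {
    command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 2; }
    cosign verify-blob --key "$3" --signature "$2" "$1"
}

# End-to-end flow for a curl-downloaded binary. All URLs and the fingerprint
# below are placeholders (assumptions), not real JFrog release locations.
fetch_and_verify() {
    bin_url="https://releases.example.invalid/jfrog-cli/jf"   # placeholder
    sig_url="${bin_url}.sig"                                   # placeholder
    fpr="0000000000000000000000000000000000000000"             # placeholder
    curl -fsSL -o jf "$bin_url" || return 1
    curl -fsSL -o jf.sig "$sig_url" || return 1
    verify_gpg jf jf.sig "$fpr" || { echo "signature check failed" >&2; rm -f jf; return 1; }
    chmod +x jf
}

# Self-contained demo on a constructed file (no network needed).
demo_checksum_only() {
    tmp=$(mktemp)
    printf 'hello' > "$tmp"
    good=$(sha256_of "$tmp")
    verify_sha256 "$tmp" "$good" || { rm -f "$tmp"; return 1; }
    # Simulate an attacker replacing the binary: the old digest no longer matches.
    printf 'hello-tampered' > "$tmp"
    if verify_sha256 "$tmp" "$good"; then rm -f "$tmp"; return 1; fi
    rm -f "$tmp"
    return 0
}
```

Running `demo_checksum_only` shows the checksum catching a modified file only when the expected digest itself is trustworthy; `fetch_and_verify` is the shape of the flow the request asks for, where trust is anchored in a pinned key rather than in a file served alongside the binary.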