cloudfoundry / cli-plugin-repo Goto Github PK

We’re finding government users are unable to use unsigned Windows binaries on locked-down laptops. When a binary is signed, it’s easier for admins in similarly locked-down environments to whitelist either by individual signature or by publisher.

The CF CLI itself is signed, but the plugins generally aren’t. I'd like to see instructions for signing Windows binaries added to the section of the docs about cross-compiling binaries.

For reference, here's how the CLI does it. Reference this Slack discussion.

Hello, when attempting to run the following command-

cf install-plugin cfdev

the following error pops-

$ cf install-plugin cfdev
Searching CF-Community for plugin cfdev...
Plugin cfdev 0.0.18 found in: CF-Community
Attention: Plugins are binaries written by potentially untrusted authors.
Install and use plugins at your own risk.
Do you want to install the plugin cfdev? [yN]: y
Starting download of plugin binary from repository CF-Community...
Get "https://d3p1cc0zb2wjno.cloudfront.net/cfdev/cfdev-v0.0.18-rc.36-darwin": dial tcp: lookup d3p1cc0zb2wjno.cloudfront.net: no such host
FAILED

Test test test!

Re https://github.com/cloudfoundry-incubator/cli-plugin-repo/blob/master/README.md#sign-windows-binaries

How do I generate/buy/etc the certificates required for signing CLI plugins? Or can I use the CFF certs?

Proposal to add and recommend a new platform entry option for the darwin OS with the arm64 architecture.

I’m trying to submit my plugin into CF plugins repository but I’m having trouble with the instructions specifically the repo-index.yml and the binaries. I’m unsure how to produce a binary with a url and checksum as well as how to even cross-compile it. Here is a link to my plugin https://github.com/ezra-lieblich/safe-scale https://github.com/ezra-lieblich/safe-scale. I was wondering if maybe I was missing some folder or file that would help produce binaries.

Now that SHA 1 collisions have been reported, SHA 256 is preferable.

Hey I'm wondering what's the best way to debug plugin? I can debug GO locally but have no idea to do that with plugin? Cloud you shed some light on this?

Thanks
David

I see this PR approved but still not available in the catalog.

#374

Any update when that will be listed?

cf version 6.33.1+c77e55743.2017-12-15 on a unix (mac) machine

While developing a plugin - I noticed during a plugin uninstall the plugin will actually run before uninstalling. I tried this against other established plugins and found the same result.

This doesn't seem like a wanted result for the uninstall process.

Let me know if you need any more details.

Hello,

it seems the information on https://plugins.cloudfoundry.org/ does not reflect https://github.com/cloudfoundry/cli-plugin-repo/commits/main/

E.g. metric-registrar v.1.3.1 - but it should be already 1.4.3.
For several other plugins too - in fact all entries on current plugins.cloudfoundry.org page are older than year 2022.

You can even verify with web archive: https://web.archive.org/web/20231118165550/https://plugins.cloudfoundry.org/

Is there anything wrong?

Thanks.

to support multiple developers on single plugin

This fails on master https://travis-ci.org/cloudfoundry-incubator/cli-plugin-repo/builds/286081920.

I presume that the binary has been modified since the checksum was computed.

Currently #453 updated to 1.0.24 the spring-cloud-services-cli-plugin but when we install it from the cf CLI it continues to indicate 1.0.23. Maybe because that line wasn't updated: https://github.com/cloudfoundry/cli-plugin-repo/blame/main/repo-index.yml#L1695

These tests need to be tested!

we may need to allow the user to to able to select and install different versions of the plugin as the user may interact with different cloud environments, and sometimes we can not guarentee the backward compatibility. This can be done by having multiple plugin entries for different versions in repo-index.yml. But a better way might be having one entry for the plugin, and multiple sub-entries for differetn versions

We can force only one version can be installed to avoid command conflict.

To enable this, there will be corresponding changes on the cf cli side too. E.g

cf install-plugin PLUGIN-NAME or LOCAL-PATH/TO/PLUGIN [-r REPO_NAME] [-v VERSION]

Hello, I get the error
Invalid json data from 'CF-Community' - invalid character '<' looking for beginning of value
when I try to list community plugins.

Steps to reproduce:

$ cf -v
cf version 8.7.4+db5d612.2023-10-20

$ cf add-plugin-repo CF-Community https://plugins.cloudfoundry.org
https://plugins.cloudfoundry.org added as CF-Community

$ cf list-plugin-repos
OK

Repo Name      URL
CF-Community   https://plugins.cloudfoundry.org

$ cf repo-plugins
Getting plugins from all repositories ...

Logged errors:
Invalid json data from 'CF-Community' - invalid character '<' looking for beginning of value

When I push the CLIPR app to my Cloud Foundry installation and add it as a plugin repository with "cf add-plugin-repo", only I can see the repo and install the plugins defined in it, other users cannot (even though they can access to the CLIPR app URL itself)

Would it be possible to make CLIPR available to anyone in a CF installation to make the plugins globally accessible to everyone with access to that CF?

As I understand the plugin install process (and I'm pretty new to it), the fact that plugins.cloudfoundry.org is available via plain HTTP (and that the CLI defaults to the non-HTTPS version) introduces a vulnerability that an attacker can cause the cli to install a malicious binary when a user attempts to install a plugin.

Assuming the above is true, in order to protect users, the repo shouldn't be available via plain HTTP when run on the internet (having it as an option for intranet deployments may be reasonable).

The current version of the cf recycle plugin has a major bug which can cause downtimes.
So its not safe to it till this issue is fixed.
As an alternative there seems to be a fork of the plugin which fixes this issue.

Maybe the comcast plugin should be removed and the fork added.

For more details see Comcast/cf-recycle-plugin#3

thx

I visit https://plugins.cloudfoundry.org/ every once in a while, and am always pleasantly surprised at the new plugins I discover. Would be nice to be able to subscribe to new plugins. Thanks!