ARTIFACTORY: Step-by-Step Installation of a Debian Package Using GPG Keys via Artifactory


Product: JFrog Artifactory
Content type: Installation / Setup
Author: Ramyashree V
Article number: 000006799
First published: 2025-12-29T07:57:52Z
Last modified: 2025-12-29
To securely install and manage Debian packages through JFrog Artifactory, GPG keys are used to sign and verify the authenticity of packages. Below are the steps for configuring repositories, generating GPG keys, and uploading them to Artifactory.


1. Create a Debian Repository in Artifactory


Before continuing, verify that a Debian repository has been set up in the Artifactory instance. Both local and virtual Debian repositories must be configured, with support for GPG key–based signing enabled.


2. Generate GPG Keys


Generate a GPG key pair to be used for signing packages.

Generate the Key

Run the following command and follow the prompts:

gpg --full-generate-key

Make note of the passphrase used during key creation.

Export the Keys

Export both the public and private keys:

gpg --armor --export admin@gmail.com > <public-key>

gpg --armor --export-secret-keys admin@gmail.com > <private-key>

Replace admin@gmail.com with the email address used during key generation.


3. Upload GPG Keys to Artifactory


Upload the exported keys to Artifactory to enable package signing.

Steps:
  1. Go to:
    Administration → Security → Keys Management → Add Keys
  2. Choose GPG Keys.
  3. Fill in the key details (name, public key, private key and its passphrase).
  4. Click Save.

4. Associate GPG Key with Debian Repositories

The uploaded GPG key must be associated with the Debian local and virtual repositories.

For Local Repository:
  • Go to: Administration → Repositories → Local
  • Select your Debian repository.
  • In the GPG Signing section, choose the uploaded key from the dropdown.
For Virtual Repository:
  • Go to: Administration → Repositories → Virtual
  • Select your Debian virtual repository.
  • Similarly, select the same GPG key from the dropdown.

5. Import Public Key to Debian Client


To ensure the Debian client trusts packages signed by the key, copy the exported public key to the client (the command below assumes it was saved as /etc/apt/artifactory-signing-key.pub), then convert it from ASCII-armored to binary keyring format and install it under /usr/share/keyrings:

sudo gpg --dearmor -o /usr/share/keyrings/<key-name>.gpg /etc/apt/artifactory-signing-key.pub

Replace <key-name> with the actual name of the generated key. Only the public key is needed on the client; the private key stays in Artifactory.


6. Configure the Client (Debian Machine)


To set up the Debian client (APT) to use the Artifactory Debian repository, add the repository URL to the sources.list file (the repository's Set Me Up panel in Artifactory shows the exact values for your instance):

sudo sh -c "echo 'deb http://<JPD>/artifactory/<repo-name> <DISTRIBUTION> <COMPONENT>' >> /etc/apt/sources.list"

Replace <JPD> with the Artifactory host, <repo-name> with the key of the Debian repository, and <DISTRIBUTION> and <COMPONENT> with the respective Debian distribution (e.g., noble) and component (e.g., main).


7. Add Trusted Keyring to Sources List


Update the entry in your sources.list file to include the keyring for trusted GPG signatures (note the space between <repo-name> and <DISTRIBUTION>):

deb [signed-by=/usr/share/keyrings/<key-name>.gpg] http://<JPD>/artifactory/<repo-name> <DISTRIBUTION> <COMPONENT>

With signed-by, APT accepts release metadata for this source only if it is signed by a key in that keyring, rather than by any key in the global trusted keyrings.
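A quick lint for the step 7 entry, added here as an example and not part of the JFrog article: it checks that the line carries a signed-by= keyring, that trusted=yes is absent, that the URL, distribution and component fields are all present (the easy-to-miss space after <repo-name>), and that the keyring file is the binary output of gpg --dearmor. The host, repository name and paths it is called with are placeholders.

```shell
#!/bin/sh
# Added example, not part of the JFrog article: lint the APT source entry
# from step 7 before running apt-get update. Assumes POSIX sh and checks the
# entry's shape and the keyring's encoding, not which key the keyring holds.

# check_apt_source "deb [signed-by=<keyring>] <url> <distribution> <component>"
# Returns 0 when the entry is pinned to a usable keyring, 1 otherwise.
check_apt_source() {
    line=$1
    case "$line" in
        "deb ["*signed-by=*"]"*) ;;    # option block with signed-by= present
        *) echo "FAIL: no signed-by= option; apt would fall back to the global trusted keyrings"
           return 1 ;;
    esac
    case "$line" in
        *trusted=yes*) echo "FAIL: trusted=yes turns off signature verification for this source"
                       return 1 ;;
    esac
    keyring=$(printf '%s\n' "$line" | sed -n 's/.*signed-by=\([^] ]*\).*/\1/p')
    rest=${line#*"] "}               # everything after the option block
    set -- $rest                      # expect: URL DISTRIBUTION COMPONENT...
    if [ $# -lt 3 ]; then
        echo "FAIL: expected '<url> <distribution> <component>' after the option block, got '$rest'"
        return 1
    fi
    case "$1" in
        https://*) ;;
        http://*) echo "WARN: plain http; integrity rests entirely on the InRelease signature" ;;
        *) echo "FAIL: unrecognised repository URL '$1'"; return 1 ;;
    esac
    if [ ! -f "$keyring" ]; then
        echo "FAIL: keyring '$keyring' does not exist on this machine"
        return 1
    fi
    # gpg --dearmor output starts with a binary OpenPGP packet header; an
    # ASCII-armored file starts with "-----BEGIN". apt accepts armored keys
    # only when the file is named *.asc, so a still-armored .gpg file makes
    # apt-get update fail with a signature/NODATA error.
    head5=$(dd if="$keyring" bs=5 count=1 2>/dev/null)
    case "$head5" in
        -----*) case "$keyring" in
                    *.asc) ;;
                    *) echo "FAIL: '$keyring' is ASCII-armored; run gpg --dearmor on it"
                       return 1 ;;
                esac ;;
    esac
    echo "OK: $1 ($2/$3) is pinned to $keyring"
    return 0
}
```

Call it with the exact line you put in sources.list, e.g. check_apt_source "deb [signed-by=/usr/share/keyrings/artifactory.gpg] http://jpd.example/artifactory/debian-local noble main" (placeholder host and repository).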


8. Update Package Lists


Once the repository is added to the sources list, update the package index:

sudo apt-get update

After all configurations are completed:
  • Install a package from the repository.
  • Artifactory now signs the repository metadata with the associated key.
  • The signed InRelease file is visible in the repository.