DISTRIBUTION: How to sign a release bundle with a unique/non-default GPG key using REST API

Author: Janardhana JL
Article number: 000006105
Source type: Salesforce
First published: 2024-05-23T11:47:01Z
Last modified: 2024-05-23
Version: 1

JFrog Distribution secures the delivery of Release Bundles with a GPG key pair (a private key and its public key). When a Release Bundle is created, it is signed with the private key; when it is distributed to an Artifactory Edge Node, the Edge Node verifies that signature with the corresponding public key. The signature is what guarantees that the bundle's content has not been tampered with between creation and delivery.

The JFrog Platform can hold more than one GPG key for signing and distribution. The steps below show how to sign a Release Bundle with a non-default GPG key and its passphrase, and then distribute it.

1. Create and sign the Release Bundle (v1). In the JSON body, select the non-default signing key by its alias with the "signing_key_alias" parameter. The key's passphrase is not part of the JSON; it is supplied on the REST call through the X-GPG-PASSPHRASE header.

curl -u admin:"<password>" -H "Accept: application/json" -H "Content-Type: application/json" -H "X-GPG-PASSPHRASE: <passphrase>" -X POST "http://<artifactory-dns>/distribution/api/v1/release_bundle" -T createbundle.json

Sample JSON file (createbundle.json):
{
    "name": "test",
    "version": "1.0.0",
    "dry_run": false,
    "signing_key_alias": "nondefault-key",
    "sign_immediately": true,
    "storing_repository": "release-bundles",
    "description": "",
    "spec": {
        "queries": [
            {
                "aql": "items.find({\"$and\":[{\"$or\":[{\"repo\":{\"$eq\":\"example-repo-local\"}}]}]}).include(\"sha256\",\"updated\",\"modified_by\",\"created\",\"id\",\"original_md5\",\"depth\",\"actual_sha1\",\"property.value\",\"modified\",\"property.key\",\"actual_md5\",\"created_by\",\"type\",\"name\",\"repo\",\"original_sha1\",\"size\",\"path\")",
                "release_bundle_query_fields": {
                    "repositories": [
                        "example-repo-local"
                    ],
                    "included_artifacts_patterns": [],
                    "excluded_artifacts_patterns": [],
                    "included_artifacts_path_patterns": [],
                    "excluded_artifacts_path_patterns": [],
                    "search_properties_logical_operator": "$or",
                    "included_logical_operator": "$or",
                    "included_logical_path_operator": "$or"
                },
                "query_name": "query-1",
                "mappings": [],
                "added_props": [],
                "exclude_props_patterns": []
            }
        ]
    }
}


2. Distribute the signed Release Bundle (v1) to the Edge Node. This call does not need the passphrase header, because the bundle was already signed in step 1.
curl -u admin:"<password>" -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d '{"auto_create_missing_repositories": true, "distribution_rules": [{ "site_name": "<edge>", "country_codes": [], "groups": []}]}' "http://<artifactory-dns>/distribution/api/v1/distribution/<bundle-name>/<version>"
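The two steps above as one script, added here as an example and not part of the original article or of JFrog's own tooling. It drives the same two Distribution endpoints the curl commands use, with two practical differences: the passphrase is read from an environment variable and sent only in the X-GPG-PASSPHRASE header on the create/sign call (the curl form puts it in the command line, where it is visible in ps output and shell history), and authentication can be an access token (Bearer) instead of the admin password. The environment variable names, the helper names and the simplified one-repository AQL query are assumptions; the article's longer UI-generated spec works as well.

```python
"""Create, sign and distribute a Release Bundle v1 with a non-default GPG key.

Added example (not from the article). Assumed names: the JFROG_* / RB_*
environment variables, the helper functions, and the simplified AQL query.
Standard library only.
"""
import base64
import json
import os
import urllib.request

DEFAULT_STORING_REPO = "release-bundles"


def build_headers(passphrase=None, token=None, user=None, password=None):
    """HTTP headers for the Distribution API.

    The GPG passphrase travels only in the X-GPG-PASSPHRASE header, never in
    the JSON body or on the command line. Authentication is either an access
    token (Bearer) or basic auth, never both.
    """
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    elif user and password:
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    else:
        raise ValueError("need an access token or user/password")
    if passphrase:
        headers["X-GPG-PASSPHRASE"] = passphrase
    return headers


def create_bundle_payload(name, version, repo, signing_key_alias,
                          storing_repository=DEFAULT_STORING_REPO, dry_run=False):
    """Body for POST /distribution/api/v1/release_bundle.

    signing_key_alias selects the non-default key; sign_immediately makes the
    create call sign the bundle in the same request, which is why the
    passphrase header must accompany this call and no other.
    """
    # Minimal AQL selecting everything in one repository (assumption: the
    # include() field list in the article's UI-generated query is optional).
    aql = json.dumps({"repo": {"$eq": repo}})
    return {
        "name": name,
        "version": version,
        "dry_run": dry_run,
        "signing_key_alias": signing_key_alias,
        "sign_immediately": True,
        "storing_repository": storing_repository,
        "description": "",
        "spec": {"queries": [{"aql": f"items.find({aql})", "query_name": "query-1"}]},
    }


def distribute_payload(site_name, auto_create_missing_repositories=True):
    """Body for POST /distribution/api/v1/distribution/{name}/{version}."""
    return {
        "auto_create_missing_repositories": auto_create_missing_repositories,
        "distribution_rules": [
            {"site_name": site_name, "country_codes": [], "groups": []}
        ],
    }


def post_json(base_url, path, payload, headers, timeout=60):
    """POST a JSON body and return (HTTP status, parsed JSON or raw text)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode()
        try:
            return resp.status, json.loads(body)
        except json.JSONDecodeError:
            return resp.status, body


def main():
    env = os.environ
    base = env["JFROG_URL"]  # e.g. https://<artifactory-dns>
    name, version = env["RB_NAME"], env["RB_VERSION"]
    auth = dict(token=env.get("JFROG_ACCESS_TOKEN"),
                user=env.get("JFROG_USER"), password=env.get("JFROG_PASSWORD"))

    # Step 1: create and sign with the non-default key; passphrase header only here.
    status, body = post_json(
        base, "/distribution/api/v1/release_bundle",
        create_bundle_payload(name, version, env["RB_REPO"], env["RB_KEY_ALIAS"]),
        build_headers(passphrase=env["JFROG_GPG_PASSPHRASE"], **auth))
    print("create:", status, body)

    # Step 2: distribute the already-signed bundle; no passphrase is sent.
    status, body = post_json(
        base, f"/distribution/api/v1/distribution/{name}/{version}",
        distribute_payload(env["RB_SITE"]), build_headers(**auth))
    print("distribute:", status, body)


if __name__ == "__main__":
    main()
```

Run it as, for example, `JFROG_URL=https://<artifactory-dns> JFROG_ACCESS_TOKEN=... JFROG_GPG_PASSPHRASE=... RB_NAME=test RB_VERSION=1.0.0 RB_REPO=example-repo-local RB_KEY_ALIAS=nondefault-key RB_SITE=<edge> python3 sign_and_distribute.py`. Prefer exporting the secrets from a credential store or a file with restricted permissions rather than typing them inline, since inline assignments still land in shell history.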