Configure Signature Verification

You can configure the opkg client to verify signatures created with the private key of your GPG key pair.

Prerequisites:

  • Generate and upload GPG keys to Artifactory. For more information, see Manage Signing Keys.

  • Make sure gnupg is installed.

To configure signature verification:

  1. Import your public GPG key (key.pub) into the opkg keychain:

    • 0.3 legacy versions:

      opkg-key add key.pub
    • 0.4 versions and newer:

      mkdir -p /etc/opkg/keys
      opkg-key add key.pub
      
  2. Run the following command to add the check_signature option to your opkg.conf file:

    echo 'option check_signature true' >> /etc/opkg/opkg.conf
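
The `echo ... >>` command in step 2 appends a new line on every run and leaves any existing `option check_signature` line in place. The following added example (not part of the JFrog documentation or of opkg) sets the option idempotently and audits the result. The function names are hypothetical, and it assumes opkg.conf holds one `option <name> <value>` entry per line with `#` starting a comment.

```shell
#!/bin/sh
# Added example: idempotent enable + audit of opkg signature checking.
# Assumption: one "option <name> <value>" per line, "#" starts a comment.

OPT_LINE='option check_signature true'
# Any uncommented check_signature line, whatever its value.
OPT_RE='^[[:space:]]*option[[:space:]]+check_signature([[:space:]]|$)'
# Exactly the line that step 2 writes.
GOOD_RE='^[[:space:]]*option[[:space:]]+check_signature[[:space:]]+true[[:space:]]*$'

# check_signature_enabled CONF
# Succeeds only if CONF has exactly one uncommented check_signature line
# and that line sets the value to "true" (no duplicates, no "false").
check_signature_enabled() {
    conf=$1
    [ -r "$conf" ] || return 1
    total=$(grep -Ec "$OPT_RE" "$conf" || true)
    good=$(grep -Ec "$GOOD_RE" "$conf" || true)
    [ "$total" -eq 1 ] && [ "$good" -eq 1 ]
}

# ensure_check_signature CONF
# Removes every uncommented check_signature line, then appends the single
# line from step 2. Comments and all other settings are left untouched.
ensure_check_signature() {
    conf=$1
    check_signature_enabled "$conf" && return 0
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        grep -Ev "$OPT_RE" "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s\n' "$OPT_LINE" >> "$tmp"
    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Demo on a constructed config (not a real system file): sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp) && printf '%s\n' 'option check_signature false' > "$demo"
    ensure_check_signature "$demo" && cat "$demo" && rm -f "$demo"
fi
```

On a device, call `ensure_check_signature /etc/opkg/opkg.conf` as root, and use `check_signature_enabled /etc/opkg/opkg.conf` as a configuration audit check.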

Note

If resolution fails with the following error:

"opkg_verify_gpg_signature: No sufficiently trusted public keys found."
"pkg_src_verify: Signature verification failed for <repoName>."

The trust level of key.pub may not be high enough. Raise the trust level of the key.