Create Signing Keys for Release Bundles (v2)

JFrog Artifactory Documentation

Products
JFrog Artifactory
Content Type
User Guide
ft:sourceType
Paligo

When working with Release Bundles v2, you can take the same GPG signing key added to Artifactory to create and promote the Release Bundle and use it in Distribution to distribute the Release Bundle (Enterprise+ only).

In the current version, the following GPG algorithms are supported:

  • GPG with RSA (key size >= 2048 bits)

  • GPG with ECC (based on NIST P-384)

Important

Starting with Artifactory 7.101.2, Artifactory will create and use a default GPG key (called default-gpg-key) if signing keys are not specified during Release Bundle v2 creation.

To generate and upload signing keys for Artifactory (used to create and promote Release Bundles), follow the instructions described in Generate GPG Keys and Upload GPG Keys. Examples are provided below.Generate GPG KeysUpload GPG Keys

Generating GPG with RSA key (key size = 2048 bits)

# Generate GPG key pair with a passphrase:
#
gpg --full-generate-key

# Please select what kind of key you want:
#
# >  Select "(1) RSA and RSA" by entering "1".

# RSA keys may be between 1024 and 4096 bits long.
# What keysize do you want? (3072)
#
# >  Enter "2048"

# Please specify how long the key should be valid.
#
# >  Enter "0"

# Is this correct? (y/N)
#
# >  Enter "y"

# GnuPG needs to construct a user ID to identify your key.
#
# Real name:
#
# >  Enter "{your-key-id}"
#
# Email address:
#
# >  Enter "{your-email}"
#
# Comment:
#
# >  Enter "{your-comment}"
#
# Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
#
# >  Enter "o"

Note

You may specify a passphrase to use together with the signing keys.

Exporting GPG keys

# Export the private key with the specified id to a file:
#
gpg --output {private-key-output-file} --armor --export-secret-keys {your-key-id}
 
# Export the public key with the specified id to a file:
#
gpg --output {public-key-output-file} --armor --export {your-key-id}