Enable ECDSA Signing in Local Repositories

JFrog Artifactory Documentation


To enable npm Audit Signatures on a repository:

  1. Generate an ECDSA key pair using the following command:

    gpg --expert --full-generate-key

  2. Export the public and private keys using the following commands:

    gpg --output private.pgp --armor --export-secret-key <KEY_ID>
    gpg --output public.pgp --armor --export <KEY_ID>


    Replace <KEY_ID> with the key ID shown in the output of the key generation command.

  3. In the JFrog Platform WebUI, go to Administration > Platform Security > Keys Management.

  4. Click + Add Keys, and select ECDSA Keys from the drop-down menu.

  5. Enter a name and alias for the key you created, and upload the public and private keys. When you are done, click Add ECDSA Key.

  6. Go to the repository page in the JFrog Platform WebUI and scroll down to the ECDSA Key Pair section. Under Primary Key Name, select the name of the key you just created from the drop-down menu.

  7. Click Save. The repository automatically reindexes and signs all the packages with the keys you provided.
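
The gpg --expert --full-generate-key menu in step 1 also offers non-ECDSA key types, so it is worth confirming that the exported public.pgp holds an ECDSA primary key before uploading it in step 5. The script below is an added example, not part of the JFrog documentation; the function names and the sample listings are constructed, and it assumes a GnuPG version that supports --show-keys.

```shell
#!/bin/sh
# Added example (not from the JFrog documentation): check that an exported
# public key is ECDSA before uploading it to Keys Management.

# Read `gpg --with-colons` output on stdin. Print the curve of the primary
# key and return 0 only if its algorithm (field 4) is 19, the OpenPGP ID
# for ECDSA. Field 17 of a "pub" record carries the curve name.
primary_key_curve() {
    awk -F: '
        $1 == "pub" {
            if ($4 == 19) { print $17; ok = 1 }
            exit            # only the first (primary) key matters
        }
        END { exit !ok }
    '
}

# Constructed sample listings (key IDs and timestamps are made up).
SAMPLE_ECDSA='pub:-:256:19:0123456789ABCDEF:1700000000:::-:::scSC:::::nistp256:::0:'
SAMPLE_EDDSA='pub:-:255:22:FEDCBA9876543210:1700000000:::-:::scSC:::::ed25519:::0:'

# Inspect a key file without importing it into the keyring.
check_export() {
    if curve=$(gpg --show-keys --with-colons "$1" | primary_key_curve); then
        echo "OK: $1 holds an ECDSA primary key on curve $curve"
    else
        echo "FAIL: primary key in $1 is not ECDSA; regenerate it" >&2
        return 1
    fi
}

# Usage: sh check_key.sh public.pgp
if [ -n "${1:-}" ]; then
    check_export "$1"
fi
```

Run it against public.pgp after step 2; a FAIL result means the key type chosen in the gpg menu was not ECDSA.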