To enable npm Audit Signatures on a repository:
Generate an ECDSA key pair using the following command:
gpg --expert --full-generate-key
Export the public and private keys using the following commands:
gpg --output private.pgp --armor --export-secret-key <KEY_ID>
gpg --output public.pgp --armor --export <KEY_ID>
Note
Replace the <KEY_ID> placeholder with the key ID that you can find in the output of the key generation command.
In the JFrog Platform WebUI, go to Administration > Platform Security > Keys Management.
Click + Add Keys, and select ECDSA Keys from the drop-down menu.
Enter a name and alias for the key you created, and upload the public and private keys. When you are done, click Add ECDSA Key.
Go to the repository page on the JFrog Platform WebUI, and scroll down to the ECDSA Key Pair section. Under Primary Key Name, select the name of the key you just created from the drop-down menu.
Click Save. The repository will automatically reindex and sign all the packages with the keys you provided.