GPG Signing

Subscription Information

This feature is supported with the Enterprise+ license.

JFrog Distribution secures Release Bundle delivery using a GPG key pair (private and public). A Release Bundle that is distributed to an Artifactory Edge Node is signed with the private GPG key, and the Artifactory Edge Node verifies the Release Bundle signature with the public GPG key.

Signing Release Bundles

GPG keys need to be at least 2K.

The process for applying GPG keys is:

  1. Generate a GPG key.

  2. Upload the GPG key using the REST API to the following locations:

    • Distribution Service (private and public)

    • Source Artifactory and Edge nodes (public key only)
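A pre-upload check for step 2, as an added example (not JFrog code): it reads the first OpenPGP packet of an ASCII-armored block and reports a key that is too small, or private key material headed for a public-only target. The function names are hypothetical, "2K" is read as 2048 bits, only version 4 RSA keys are handled, and the sample blocks are constructed for the example.

```python
import base64
import struct

MIN_BITS = 2048  # assumption: the page's "at least 2K" read as 2048 bits
KEY_TAGS = {5: "private", 6: "public"}  # OpenPGP key packet tags (RFC 4880)


def dearmor(armored):
    """Return the binary OpenPGP data inside an ASCII-armored block."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    start = lines.index("") + 1  # armor headers end at the first blank line
    body = [l for l in lines[start:] if not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(body))


def inspect_key(armored):
    """Return (kind, rsa_bits) for the first packet of an armored key block."""
    data = dearmor(armored)
    first = data[0]
    if first & 0x40:  # new-format header: 1-, 2- or 5-octet length
        tag = first & 0x3F
        off = 2 if data[1] < 192 else 3 if data[1] < 224 else 6
    else:  # old-format header: length type in the low two bits
        tag = (first >> 2) & 0x0F
        off = 1 + (1, 2, 4, 0)[first & 3]
    body = data[off:]
    if tag not in KEY_TAGS or body[0] != 4 or body[5] not in (1, 2, 3):
        raise ValueError("expected a version 4 RSA key packet")
    return KEY_TAGS[tag], struct.unpack(">H", body[6:8])[0]  # bit length of modulus n


def upload_problems(armored, public_only):
    """List reasons not to upload; public_only=True for Artifactory and Edge nodes."""
    kind, bits = inspect_key(armored)
    problems = []
    if bits < MIN_BITS:
        problems.append(f"key is {bits} bits, below the {MIN_BITS}-bit minimum")
    if public_only and kind != "public":
        problems.append("private key material must stay on the Distribution service")
    return problems


def sample_block(tag, bits):
    """Constructed input: a bare v4 RSA key packet in armor, not a usable key."""
    n = b"\x80" + bytes(bits // 8 - 1)
    body = b"\x04" + bytes(4) + b"\x01" + struct.pack(">H", bits) + n + b"\x00\x11\x01\x00\x01"
    packet = bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    label = "PRIVATE" if tag == 5 else "PUBLIC"
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP {label} KEY BLOCK-----\n\n{b64}\n-----END PGP {label} KEY BLOCK-----"
```

Run `upload_problems` on each exported block before sending it: with `public_only=False` for the Distribution Service, and with `public_only=True` for the source Artifactory and Edge nodes.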