Verifying Signatures of JFrog Binaries

JFrog Installation & Setup Documentation


Starting from January 26, 2025, JFrog has replaced its primary GPG (GNU Privacy Guard) key, and all JFrog binaries will be signed with a new 4096-bit RSA primary GPG key. Binaries released before this date will continue to be signed with the previous 1024-bit secondary GPG key.

Additionally, the Debian signed repository (artifactory-pro-debs) will now be signed with the new primary GPG key. Therefore, update your repository configuration to use the new key:

wget -O - https://releases.jfrog.io/artifactory/api/v2/repositories/artifactory-pro-debs/keyPairs/primary/public | gpg --dearmor > /etc/apt/trusted.gpg.d/repo-key.gpg

Follow these steps to verify the signatures of JFrog binaries using the new and old GPG keys:

  1. Download the binary file you want to verify and the corresponding signature (.sig) file.

    To download, see JFrog Download Legacy.

  2. Download the primary and secondary public GPG keys from the JFrog website.

  3. Load the downloaded GPG keys into your GPG client by running the following commands:

    gpg --import /path/to/primary-key-file
    gpg --import /path/to/secondary-key-file

  4. Verify the signature of the binary file by running the following command:

    gpg --verify /path/to/signature-file.sig /path/to/binary-file

Example

The following is an example of the commands that you can use to verify the signature of the Distribution binary:

## Download Distribution Linux binary
curl -L https://releases.jfrog.io/artifactory/jfrog-distribution/distribution-linux/2.28.1/jfrog-distribution-2.28.1-linux.tar.gz -o jfrog-distribution-2.28.1-linux.tar.gz

## Download Distribution Linux binary Signature
curl -L https://releases.jfrog.io/artifactory/jfrog-signed-artifacts/jfrog-distribution/distribution-linux/2.28.1/jfrog-distribution-2.28.1-linux.tar.gz.sig -o jfrog-distribution-2.28.1-linux.tar.gz.sig

## Download Primary GPG Key
curl -L https://releases.jfrog.io/artifactory/api/v2/repositories/artifactory-pro-debs/keyPairs/primary/public -o jfrog_primary_public_key.pub

## Download Secondary GPG Key
curl -L https://releases.jfrog.io/artifactory/api/v2/repositories/artifactory-pro-debs/keyPairs/secondary/public -o jfrog_secondary_public_key.pub

## Import Keys
gpg --import jfrog_primary_public_key.pub jfrog_secondary_public_key.pub

## Verify binary signature
gpg --verify jfrog-distribution-2.28.1-linux.tar.gz.sig jfrog-distribution-2.28.1-linux.tar.gz
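
gpg --verify reports a good signature for any key in the keyring, so with both keys imported it does not show whether a binary was signed by the new 4096-bit key or the old 1024-bit one. The following added example (not part of the JFrog documentation) pins the accepted signer by fingerprint using gpg's machine-readable status output. The function names, the placeholder fingerprints and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Placeholder fingerprints below are constructed, not JFrog's.
PINNED_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
OTHER_FPR=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

# check_status FPR... : reads `gpg --status-fd` output on stdin. Succeeds only
# if every VALIDSIG line names an allowed fingerprint (signing key in field 3
# or primary key in field 12) and no failure status is present.
check_status() {
    awk -v allow="$*" '
        BEGIN { n = split(toupper(allow), a, " ")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            if (($3 in ok) || (NF >= 12 && ($12 in ok))) pinned = 1
            else bad = 1          # valid signature, but from an unpinned key
        }
        END { exit !(pinned && !bad) }
    '
}

# verify_pinned SIG FILE FPR... : run gpg and apply the pin.
verify_pinned() {
    sig=$1; file=$2; shift 2
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        check_status "$@"
}

# Constructed status output: a good signature by PINNED_FPR.
sample_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer' \
        "[GNUPG:] VALIDSIG $PINNED_FPR 2025-02-01 1738368000 0 4 0 1 10 00 $PINNED_FPR"
}

# Constructed status output: signature does not match the file.
sample_bad() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Signer'
}

sample_good | check_status "$PINNED_FPR" && echo "pinned signer accepted"
sample_good | check_status "$OTHER_FPR"  || echo "unpinned signer rejected"
sample_bad  | check_status "$PINNED_FPR" || echo "bad signature rejected"
```

Pass the real fingerprint, obtained through a channel you trust, as the FPR argument of verify_pinned. Running gpg --show-keys --with-fingerprint jfrog_primary_public_key.pub prints the fingerprint of a downloaded key file for comparison.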