Signing Process for Pipelines

JFrog Pipelines Documentation

JFrog Pipelines
Content Type
User Guide

During the signing process of a pipeline:

  • A run key is generated for every run of the pipeline.

  • During the run, all artifacts (pipeInfo.json) are signed with the private key.

  • The private key is discarded at the end of the run.

  • Metadata for the run that generated the artifact is stored as a tag for the artifact.

  • During the verification stage, a public key is used to verify the signature.

For each run, files containing comprehensive metadata (*.json) and corresponding signature files (*.json.sig) are uploaded to Artifactory. This provides a way to trace the entire path of a pipeline. Now any process that needs to verify can verify this in addition to cross-referencing the pipeInfo.