Subscription Information
This feature is supported with the Enterprise+ license.
JFrog Distribution secures Release Bundle delivery using a GPG key pair (private and public). The created Release Bundle that's distributed to an Artifactory Edge Node is signed with a private GPG key. The Artifactory Edge Node verifies the Release Bundle signature with a public GPG key.
Signing Release Bundles
GPG keys need to be at least 2K.
The process for applying GPG keys is:
Generate a GPG key.
Upload the GPG key using the REST API to the following locations:
Distribution Service (private and public)
Source Artifactory and Edge nodes (public key only)