
JFrog Distribution secures release bundle delivery with a GPG key pair. A release bundle that is distributed to an Artifactory Edge node is signed with the private key, and the Edge node verifies the release bundle signature with the corresponding public GPG key.




Generating Keys

The way to generate keys is platform dependent. 

The example below shows how to generate the public and private keys on Linux with GPG version 1.4.5 and up (run gpg --help to see the installed version):

Passphrase not supported

When generating keys, make sure NOT to create them with a passphrase. JFrog Distribution does not currently support providing a passphrase when signing a release bundle. 

Generating GPG keys
# Generate the keys
gpg --full-generate-key

# Select RSA 
Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)

# Select the size of the key; you may use the default value.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

# Select the validity period for the key (0 means the key will not expire)
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) <- Accept the default value by pressing Enter

Key does not expire at all
Is this correct? (y/N) y

# Enter a user ID and email 
Real name: 
Email address: 

# Export the private key with the specified id to a file
gpg --output {private key file name and path} --armor --export-secret-keys {key-id}
# Export the public key with the specified id to a file
gpg --output {public key file name and path} --armor --export {key-id}
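
The same steps can be scripted without prompts. The script below is an added example, not part of the JFrog documentation: it assumes GnuPG 2.1 or later, and the function names and the private.key / public.key output names are placeholders chosen here. It writes the unencrypted private key with owner-only permissions and removes the temporary keyring afterwards.

```shell
# Added example, not JFrog code. Assumes GnuPG 2.1+; file names are placeholders.

# Print a GnuPG batch parameter file for an RSA key with no passphrase.
# Usage: keyparams NAME EMAIL [BITS]
keyparams() {
    name=$1 email=$2 bits=${3:-2048}
    # Reject newlines so a caller cannot inject extra batch directives.
    case "$name$email" in
        *'
'*) echo "newline in name or email" >&2; return 1 ;;
    esac
    case "$bits" in
        ''|*[!0-9]*) echo "key size must be a number" >&2; return 1 ;;
    esac
    # Added policy choice: nothing below the 2048-bit default shown by gpg.
    if [ "$bits" -lt 2048 ] || [ "$bits" -gt 4096 ]; then
        echo "key size must be 2048-4096" >&2; return 1
    fi
    # %no-protection = no passphrase; Expire-Date 0 = key does not expire.
    printf '%s\n' '%no-protection' \
        'Key-Type: RSA' "Key-Length: $bits" \
        'Subkey-Type: RSA' "Subkey-Length: $bits" \
        "Name-Real: $name" "Name-Email: $email" \
        'Expire-Date: 0' '%commit'
}

# Generate the key in a throwaway keyring and export both halves to OUTDIR.
# Usage: make_signing_key NAME EMAIL OUTDIR [BITS]
make_signing_key() (
    params=$(keyparams "$1" "$2" "${4:-2048}") || exit 1
    outdir=$3
    umask 077   # the exported private key is unencrypted: owner-only files
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"' EXIT
    printf '%s\n' "$params" | gpg --batch --generate-key || exit 1
    keyid=$(gpg --batch --list-secret-keys --with-colons |
            awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$keyid" ] || exit 1
    gpg --batch --output "$outdir/private.key" --armor \
        --export-secret-keys "$keyid" || exit 1
    gpg --batch --output "$outdir/public.key" --armor --export "$keyid"
)

# Runs only when called with arguments, e.g.:
#   sh make-key.sh "Release Signer" release@example.com ./keys
if [ "$#" -ge 3 ]; then
    make_signing_key "$@"
fi
```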

Uploading Keys

To establish trust between Distribution, the source Artifactory instances, and the Artifactory Edge nodes, you need to deploy the generated GPG key to each service. Upload your signing key using the following:
