Generating GPG Keys
Signing Release Bundles
GPG keys need to be at least 2K.
If you are using a Vault see Vault for instructions.
The way to generate private and public GPG keys is platform-dependent.
The following example displays how to generate the keys on Linux requiring GPG version 2.1 and higher.
# Generate the keys gpg --full-generate-key # Select RSA Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) # Select the size of the key you may use the default value. RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) # Select the validation for the key (0 will not expire) 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) <- Accept the default value by clicking Enter Key does not expire at all Is this correct? (y/N) y # Enter a user ID and email Real name: Email address: Comment: # Export the private key with the specified id to a file gpg --output {private key file name and path} --armor --export-secret-keys {key-id} # Export the public key with the specified id to a file gpg --output {public key file name and path} --armor --export {key-id}
Don't forget to click "Save"
Up to version 7.16.6, to ensure that your signing keys are properly stored in Artifactory's database, you will need to click Save even if your signing keys do not have a passphrase.
Signing Release Bundles
If the GPG key pair is created using passphrase, please be sure to copy the passphrase for keepsake as it will be required by JFrog Distribution for signing the Release Bundle.
Uploading and Deploying GPG Keys
To create trust between JFrog Distribution, the source Artifactory and the Artifactory Edge nodes, you need to run the Upload and Propagate GPG Signing Keys for Distribution REST API to upload and deploy the GPG keys. As part of the automated deployment process, the Signing Keys REST API will:
- Deploy the generated GPG Key pair (public and private) for JFrog Distribution. The pair of keys are stored internally in JFrog Distribution.
- Deploy the generated GPG public key on the source Artifactory and Artifactory Edge node. The public key will be stored under Administration | Services | Artifactory | Security | Keys Management | Public Keys on the source Artifactory and Artifactory Edge node.
- If "
propagate_to_edge_nodes
" is set to true, the public key will be automatically propagated to the Edge Node just once.
If you want to manually trigger the deployment of the key to the edges, you can use the following Propagate GPG Signing Keys to an Edge Node REST API command.
Multiple GPG Signing Keys
Starting from version 2.8.1, Distribution now supports managing multiple pairs of GPG signing keys to sign Release Bundles using a set of REST APIs. This enables you to assign a signing key pair per Release Bundle providing you with the granularity to choose which keys to use to sign the Release Bundles instead of using the same key pair to sign all.
Post Upgrade Guidelines
When upgrading from a previous version containing GPG Keys to Distribution version 2.8.1, with the new multiple GPG signing keys feature there are a few considerations:
- The existing GPG signing keys will be preserved and named
default-gpg-key
. - Release Bundles should be assigned with key pairs using the:
- Upload and Propagate GPG Signing Keys for Distribution REST API: To upload the multiple keys using the additional parameters
alias
anddefault
. - Sign Release Bundle Version: To sign the Release Bundle using the additional parameter
signing_key_alias
.
- Upload and Propagate GPG Signing Keys for Distribution REST API: To upload the multiple keys using the additional parameters
- For each of the key pairs, you need to provide an Alias (mandatory). If an alias is not provided, the name generated consists of GPG and timestamp.
This feature is supported through REST API, the following are the new REST APIs in addition to the existing ones:
Manually Deploying GPG Keys to Edge Nodes
For additional Artifactory Edge nodes that have been added after the initial Distribution GPG deployment process, you need to run the Propagate GPG Signing Keys to an Edge Node REST API command.