Cloud customer?
Upgrade in MyJFrog >

Working with an older version?

JFrog Artifactory 6.x
JFrog Xray 2.x
JFrog Mission Control 3.x
JFrog Distribution 1.x
JFrog Enterprise+ (Pre-Platform Release)


JFrog Distribution secures Release Bundle delivery using a GPG keys pair (private and public). The created Release Bundle that's distributed to an Artifactory Edge Node is signed with private GPG key. The Artifactory Edge Node verifies the Release Bundle signature with a public GPG key.

Signing Release Bundles

GPG keys needs to be at least 2K.

The process for applying GPG keys is:

  1. Generating a GPG keys
  2. Uploading the GPG keys using the REST API to the following locations:
    • Distribution Service (private and public)
    • Source Artifactory and Edge nodes (public key only)

Page Contents

Generating GPG Keys

The way to generate private and public GPG keys is platform dependent. 

The example below shows how to generate the keys on Linux in GPG version 2.1 and up (gpg --help):

Generating GPG keys
# Generate the keys
gpg --gen-key

# Select RSA 
Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)

# Select the size of the key you may use the default value.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

# Select the validation for the key (0 will not expire)
0 = key does not expire
  = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) <- Accept the default value by clicking Enter

Key does not expire at all
Is this correct? (y/N) y

# Enter a user ID and email 
Real name: 
Email address: 

# Export the private key with the specified id to a file
gpg --output {private key file name and path} --armor --export-secret-keys {key-id}
# Export the public key with the specified id to a file
gpg --output {public key file name and path} --armor --export {key-id}

Signing Release Bundles

If GPG key pair is created with a passphrase, please be sure to copy the passphrase for keepsake (it will be required by JFrog Distribution for signing Release Bundle)

Uploading GPG Keys

To create a trust between JFrog Distribution, source Artifactory and Artifactory Edge nodes, you will need to deploy your GPG keys to each service. 

Upload your GPG keys to the following destinations using the REST API:

  1. Deploy the generated GPG Key pair (public and private) for JFrog Distribution using the Set Signing Key for the Distribution Service REST API. The keys pair will be stored internally in JFrog Distribution.
  2. Deploy the generated GPG public key on the source Artifactory and Artifactory Edge node using the Set GPG Public Key REST API. or the using the UI. The public key will be stored under Security->Trusted Keys on the source Artifactory and Artifactory Edge node.

  • No labels
Copyright © 2020 JFrog Ltd.