Have a question? Want to report an issue? Contact JFrog support

Skip to end of metadata
Go to start of metadata

Overview

Artifactory lets you manage a pair of GPG signing keys so you can sign packages for authentication in several formats such as Debian, Opkg and YUM. You can manage your GPG signing keys in the Admin module under Security | Signing Keys.

Generating Keys

The way to generate keys is platform dependent. 

The example below shows how to generate the public and private keys on Linux:

Page Contents

Generating PGP keys
# generate the keys
gpg --gen-key
 
# list all keys in your system and select the pair you want to use in Artifactory
gpg --list-keys

# resolve the key-id from the lists-keys by selecting the relevant license
pub   2048R/8D463A47 2015-01-19      
uid   JonSmith (Jon) <jon.smith@jfrog.com>
key-id =  8D463A47

#export the private key with the specified id to a file
gpg --output {private key file name and path} --armor --export-secret-keys {key-id}
 
#export the public key with the specified id to a file
gpg --output {public key file name and path} --armor --export {key-id}

You also need to specify a pass phrase that must be used together with the signing keys. The pass phrase can be saved, or passed in with a REST API call.

Uploading Keys

To upload your signing keys, in the Admin tab, go to Security | Signing Keys.

Manage GPG signing keys

Once you have specified the key file, select the "Upload" button for the corresponding field.

Artifactory will indicate when keys are installed, and you can click on the Public key is installed link to download the public key.

If your signing keys were created with a pass-phrase, enter it in the designated field. You can click "Verify" to make sure the pass-phrase matches the uploaded keys.

Click "Save" to save your changes.

Don't forget to click "Save"

To ensure that your signing keys are properly stored in Artifactory's database, you need to click "Save" even if your signing keys do not have a pass-phrase.

Upload your pass-phrase with REST

If you prefer not to upload your pass phrase using the UI, you can set it using the REST API

Downloading the Public Key

Once you have uploaded your signing keys, you can download your public key whenever needed using the Public key is installed link. 

 

 

 


  • No labels