Signing Release Bundles
GPG keys must be at least 2K (2048 bits) in size.
Note
If you are using a Vault, see Vault for instructions.
The way to generate private and public GPG keys is platform-dependent.
The following example shows how to generate the keys on Linux. It requires GPG version 2.1 or higher.
Generating GPG keys
# Generate the keys
gpg --full-generate-key

# Select RSA
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

# Select the size of the key; you may use the default value.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

# Select the validity period for the key (0 means the key will not expire)
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) <- Accept the default value by pressing Enter
Key does not expire at all
Is this correct? (y/N) y

# Enter a user ID and email
Real name:
Email address:
Comment:

# Export the private key with the specified id to a file
gpg --output {private key file name and path} --armor --export-secret-keys {key-id}

# Export the public key with the specified id to a file
gpg --output {public key file name and path} --armor --export {key-id}
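The 2K minimum stated above can be checked on the exported public key before it is uploaded. The script below is an added example, not part of the original page or of JFrog's tooling; the function names are hypothetical, and it assumes an RSA key generated as in the steps above.

```shell
#!/bin/sh
# Added example: verify an exported public key against the 2048-bit minimum.
MIN_BITS=2048

# Reads `gpg --with-colons` output on stdin. A primary key is a "pub" record
# ("sec" for a secret key): field 3 = length in bits, field 4 = public-key
# algorithm id (1 = RSA), field 5 = key id.
# Exit status: 0 = all keys pass, 1 = a key fails, 2 = no key found.
check_key_listing() {
    awk -F: -v min="$MIN_BITS" '
        $1 == "pub" || $1 == "sec" {
            seen = 1
            if ($4 != 1) {
                printf "FAIL %s: algorithm id %s is not RSA\n", $5, $4; bad = 1
            } else if ($3 + 0 < min) {
                printf "FAIL %s: RSA %d bits, below %d\n", $5, $3, min; bad = 1
            } else {
                printf "OK   %s: RSA %d bits\n", $5, $3
            }
        }
        END {
            if (!seen) { print "FAIL: no primary key record found"; exit 2 }
            exit bad + 0
        }'
}

# Imports the exported public key file into a throwaway keyring, so the
# user's own keyring is never touched, then checks the listing.
# The body runs in a subshell so the EXIT trap always removes the keyring.
check_key_file() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    GNUPGHOME=$tmp gpg --batch --quiet --import "$1" 2>/dev/null || exit 2
    GNUPGHOME=$tmp gpg --batch --with-colons --list-keys | check_key_listing
)
```

Run `check_key_file` with the path of the exported public key file; a non-zero exit status means the key does not meet the size requirement.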
Don't forget to click "Save"
Up to version 7.16.6, to ensure that your signing keys are properly stored in Artifactory's database, you will need to click Save even if your signing keys do not have a passphrase.
Signing Release Bundles
If the GPG key pair is created with a passphrase, be sure to keep a copy of the passphrase in a safe place, as JFrog Distribution requires it to sign the Release Bundle.