Starting from version 2.8.1, Distribution supports managing multiple pairs of GPG signing keys for signing Release Bundles through a set of REST APIs. This lets you assign a signing key pair per Release Bundle, giving you the granularity to choose which keys sign which Release Bundles instead of using the same key pair to sign all of them.
Post Upgrade Guidelines
When upgrading to Distribution version 2.8.1 from a previous version that already contains GPG keys, there are a few considerations for the new multiple GPG signing keys feature:
- The existing GPG signing keys are preserved and named default-gpg-key.
- Release Bundles should be assigned key pairs using the following APIs:
  - Upload and Propagate GPG Signing Keys for Distribution REST API: uploads the multiple keys, using the additional parameters alias and default.
  - Sign Release Bundle Version: signs the Release Bundle, using the additional parameter signing_key_alias.
For each key pair, you need to provide an alias (mandatory). If no alias is provided, the generated name consists of GPG and a timestamp.
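The following is an added example, not code from the Distribution documentation, showing how a client would track uploaded key aliases, fall back to the preserved default-gpg-key, and build the alias and default / signing_key_alias parameters described above. The endpoint paths and HTTP methods are assumptions for illustration; the page names the APIs but not their routes.

```python
import time
from dataclasses import dataclass, field

# Assumed paths: the page names the APIs but does not document their URLs.
KEY_UPLOAD_PATH = "/api/v1/keys/gpg"
SIGN_PATH = "/api/v1/release_bundle/{name}/{version}/sign"


@dataclass
class KeyStore:
    """Tracks uploaded aliases and which one is the default signing key.
    After an upgrade the pre-existing pair is preserved as 'default-gpg-key'."""
    aliases: set = field(default_factory=lambda: {"default-gpg-key"})
    default: str = "default-gpg-key"

    def upload_request(self, public_key, private_key, alias=None, default=False):
        # Alias is mandatory; when absent, generate one from "GPG" and a
        # timestamp, mirroring the naming the page describes.
        if not alias:
            alias = f"GPG-{int(time.time())}"
        if alias in self.aliases:
            raise ValueError(f"alias already exists: {alias}")
        self.aliases.add(alias)
        if default:
            self.default = alias  # only one pair is the default at a time
        return {
            "method": "PUT",
            "path": KEY_UPLOAD_PATH,
            "body": {"alias": alias, "default": default,
                     "public_key": public_key, "private_key": private_key},
        }

    def sign_request(self, name, version, signing_key_alias=None):
        # Always resolve to an explicit alias so each signed bundle records
        # which key pair was used, and refuse aliases that were never uploaded.
        alias = signing_key_alias or self.default
        if alias not in self.aliases:
            raise KeyError(f"unknown signing key alias: {alias}")
        return {
            "method": "POST",
            "path": SIGN_PATH.format(name=name, version=version),
            "body": {"signing_key_alias": alias},
        }
```

The key material values used in the test below are constructed placeholders, not real GPG keys.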
This feature is supported through the REST API. The following new REST APIs are available in addition to the existing ones: