Multiple GPG Signing Keys

JFrog Distribution Documentation

Starting from version 2.8.1, Distribution supports managing multiple GPG signing key pairs for signing Release Bundles through a set of REST APIs. You can assign a signing key pair per Release Bundle, which gives you the granularity to choose which key pair signs each Release Bundle instead of using the same key pair to sign all of them.

Post Upgrade Guidelines

When upgrading from a previous version that contains GPG keys to Distribution version 2.8.1, keep the following considerations in mind for the new multiple GPG signing keys feature:

  • The existing GPG signing keys will be preserved and named default-gpg-key.

  • Release Bundles should be assigned with key pairs using the:

  • For each key pair, you need to provide an Alias (mandatory). If an alias is not provided, the generated name consists of GPG and a timestamp.

This feature is supported through the REST API. The following are the new REST APIs, in addition to the existing ones: