Blog Home

Fight Crime with GPG

By Noam Tenna

3 min read

So you deliver your awesome library to hundreds of users each day, but they’re a tough bunch and they’re all like:

“Hey man, we gotta see some ID”

So you kneel to the whims of the rabble; you generate your GPG key pair and sign each artifact you deliver, because hell if you’re gonna let someone miss out on your superb code

And let there be no mistake – this road means pain, brother.
Wanna use some organization-wide key pairs? How do you plan to safely share them around?
Wanna make sure all products are properly signed? Good luck configuring each and every of your hundred or so builds!

But this is where Bintray swoops in like The Dark Knight, man! To save you from those GPG signing street gangs!
Because unlike the technological promises made by the second millennium (flying cars and whatnot), Bintray took an oath and will do anything it can to help you deliver!

Damn straight; Bintray can now (optionally, only if you want it to!) manage your GPG keys and sign your Maven artifacts for you, so that you have proof about the authenticity of your goods.
All you’ve got to do, is generate your GPG key pair and associate it with a subject (be it your user or your evil organization):

keys

Your public key will be available for others to download right from your public profile page.

Select a repository signatory:
privatekey
And you’re good to go.
Sign artifacts by deploying through the UI or by using one of the available REST-API commands.

“But Bintray,”

you might ask,

“How can I trust you with my keys?”

“Well son, we here are good people… “

Bintray might answer; but it won’t, because it’s not a sentient being.
But you know what’s better than sympathetic answers? actions!
Bintray also supports password protected key pairs; this means that by issuing a single command over a secure HTTPS connection, you can sign your precious artifacts using a pass-phrase. In any case, we encrypt your private key. It’s safe with us.

Update

Still don’t trust us with your keys? It’s cool, we understand; the world is a dangerous place and we’ve still got you covered!
Bintray now keeps a stock built-in key-pair so that it can auto-sign every file you upload.
To apply, edit your repository’s settings and select GPG sign uploaded files using Bintray’s public /private key pair:
atuosign

So there you have it; enjoy another revision of this fine binary distribution platform.
Peace out

Popular Tags

Try the JFrog Platform

In the cloud or self-hosted

Start Free

or Book a Demo