Sign me up!

Bintray Premium gives you cool new features such as private repositories, permission management, more storage and so much more. One of the biggest benefits of using a Premium account is the ability to create expirable, signed URLs for your repositories’ content.

Signed URLs you said? What’s that?

A signed URL is an obscure URL with a (potentially) limited lifetime. When your artifacts are published in a private repository, each artifact is hidden from unauthorized Bintray users. If you want to allow any Bintray user, or even a non-Bintray user, to download your package, you can generate a one-time unique URL with an option to limit its validity so that it expires after a certain amount of time. You can also revoke any outstanding URLs at any time.

How does it work?

When you become a premium user in Bintray, your account holds unique, internal, private and public keys. The URL you decide to sign will be encrypted and decrypted with those keys.

Let’s say user “srubin” has a private repository called “artifactory”.

This private repo contains a file, “artifactory.rar”, that is protected from public access. Only authorized users can download it using the standard download link, which is:
https://dl.bintray.com/srubin/artifactory/com/jfrog/artifactorypro/artifactory.rar

[Image: Bintray Premium Link Signing]

To allow a one-off download of this file we will generate a signed URL for it using a simple REST call:

curl -XPOST -usrubin:APIKEY "https://api.bintray.com/signed_url/srubin/artifactory/com/jfrog/artifactorypro/artifactory.rar"

Response:

{
"url":"http://dl.bintray.com/srubin/artifactory/com/jfrog/artiafctorypro/artifactory.rar?expiry=1415101346415&signature=BfRaL2HDbCDsPyPThAnlI%2B0TG26NcH4i0ugyKZ%2FjevLiNfEdHXyUh0Q1NNGc1Pz7V1nZkeh9RAafrUyUE%2FMOFQ%3D%3D"
}

By default, this URL will be valid for 24 hours, but we can change that by specifying an expiry time in a simple JSON configuration document:

curl -XPOST -usrubin:APIKEY -H "Content-Type: application/json" -d "{\"expiry\":7956915742000}" "https://api.bintray.com/signed_url/srubin/artifactory/com/jfrog/artiactorypro/artifactory.rar"

Response:

{
"url":"http://dl.bintray.com/srubin/artifactory/com/jfrog/artiactorypro/artifactory.rar?expiry=7956915742000&signature=g5OC3RXkFhnnFYfsgqFXw9J%2FfmwCzeIsd%2FHCRgm5VjCAhrzij1GPuAv0JwZPhGD0mEqs1y2WcQ77LMrDzp9%3D%3D"
}

More details about this API can be found in our documentation.
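
How a download server can enforce the `expiry` (epoch milliseconds) and `signature` parameters seen in the responses above, as an added example that is not Bintray's code. The page does not document Bintray's signing scheme, so HMAC-SHA512 with a constructed key stands in for the account key pair; `sign_url`, `verify_url` and `DEMO_KEY` are hypothetical names.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key (assumption); a real service keeps its key server-side.
DEMO_KEY = b"constructed-demo-key"


def _signature(path: str, expiry_ms: int, key: bytes) -> str:
    # Cover both the path and the expiry, so neither can be changed afterwards.
    message = f"{path}\n{expiry_ms}".encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha512).digest()).decode()


def sign_url(base: str, path: str, expiry_ms: int, key: bytes = DEMO_KEY) -> str:
    """Return base+path with 'expiry' (epoch milliseconds) and 'signature' appended."""
    query = urlencode({"expiry": expiry_ms, "signature": _signature(path, expiry_ms, key)})
    return f"{base}{path}?{query}"


def verify_url(url: str, now_ms: int, key: bytes = DEMO_KEY) -> str:
    """Server-side check: returns 'ok', 'malformed', 'bad-signature' or 'expired'."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)  # also undoes the %2B / %2F / %3D escaping
    try:
        expiry_ms = int(params["expiry"][0])
        presented = params["signature"][0]
    except (KeyError, ValueError):
        return "malformed"
    expected = _signature(parts.path, expiry_ms, key)
    # Constant-time comparison; the expiry is trusted only after this passes.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return "bad-signature"
    return "expired" if now_ms >= expiry_ms else "ok"


if __name__ == "__main__":
    path = "/srubin/artifactory/com/jfrog/artifactorypro/artifactory.rar"
    url = sign_url("https://dl.bintray.com", path, 1415101346415)
    print(url)
    print(verify_url(url, now_ms=1415101346414))  # one millisecond before expiry
    # Swapping in a far-future expiry without re-signing is rejected.
    extended = url.replace("expiry=1415101346415", "expiry=7956915742000")
    print(verify_url(extended, now_ms=1415101346414))
```

Because the expiry is part of the signed message, a recipient cannot extend a link's lifetime by editing the query string.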

Summary

Signed, expirable URLs are a cool new feature of Bintray. They allow you to automate the generation of one-off download URLs and distribute them to any end user.

We will soon extend this feature to make it even cooler. Keep following to see what we have in store for you!

Fight Crime with GPG

So you deliver your awesome library to hundreds of users each day, but they’re a tough bunch and they’re all like:

“Hey man, we gotta see some ID”

So you kneel to the whims of the rabble; you generate your GPG key pair and sign each artifact you deliver, because hell if you’re gonna let someone miss out on your superb code.

And let there be no mistake – this road means pain, brother.
Wanna use some organization-wide key pairs? How do you plan to safely share them around?
Wanna make sure all products are properly signed? Good luck configuring each and every one of your hundred or so builds!

But this is where Bintray swoops in like The Dark Knight, man! To save you from those GPG signing street gangs!
Because unlike the technological promises made by the second millennium (flying cars and whatnot), Bintray took an oath and will do anything it can to help you deliver!

Damn straight; Bintray can now (optionally, only if you want it to!) manage your GPG keys and sign your Maven artifacts for you, so that you have proof about the authenticity of your goods.
All you’ve got to do is generate your GPG key pair and associate it with a subject (be it your user or your evil organization):

[Image: keys]

Your public key will be available for others to download right from your public profile page.

Select a repository signatory:
[Image: privatekey]
And you’re good to go.
Sign artifacts by deploying through the UI or by using one of the available REST-API commands.

“But Bintray,”

you might ask,

“How can I trust you with my keys?”

“Well son, we here are good people…”

Bintray might answer; but it won’t, because it’s not a sentient being.
But you know what’s better than sympathetic answers? Actions!
Bintray also supports password-protected key pairs; this means that by issuing a single command over a secure HTTPS connection, you can sign your precious artifacts using a pass-phrase. In any case, we encrypt your private key. It’s safe with us.

Update

Still don’t trust us with your keys? It’s cool, we understand; the world is a dangerous place and we’ve still got you covered!
Bintray now keeps a stock built-in key-pair so that it can auto-sign every file you upload.
To apply, edit your repository’s settings and select GPG sign uploaded files using Bintray’s public/private key pair:
[Image: autosign]

So there you have it; enjoy another revision of this fine binary distribution platform.
Peace out