Signing Keys

Cloudsmith uses GPG or RSA signatures (where applicable) in addition to package checksums to detect tampering.

We calculate a signature for every file that is uploaded, but only some of the package formats make it available or use it. Only some of the formats also offer metadata signing.

For increased trust, you can also provide your own GPG key or RSA key for signing.

Key Support by Package Format

Package Format	Key Type	Key Use
Alpine	RSA	Index
Cargo		Not Supported by Format
CocoaPods		Not Supported by Format
Composer	GPG
Conan		Not Supported by Format
CRAN
Dart		Not Supported by Format
Debian	GPG	Index
Docker	RSA	Index
Go
Gradle	GPG	Index Packages
Helm Charts	GPG
LuaRocks
Maven	GPG	Index Packages
npm	GPG
NuGet
Python	GPG
Raw	GPG
RPM	GPG	Index Packages
Ruby	GPG
sbt	GPG	Index Packages
Terraform Modules		Not Supported by Format
Unity Registry	GPG
Vagrant	GPG

Updated almost 2 years ago

Did this page help you?

Cloudsmith is the new standard in Package / Artifact Management and Software Distribution

With support for all major package formats, you can trust us to manage your software supply chain.

Start My Free Trial Now

Cookie Declaration (Manage Cookies)