Signing Keys

Cloudsmith uses GPG or RSA signatures (where applicable) in addition to package checksums to detect tampering.

We calculate a signature for every file that is uploaded, but only some of the package formats make it available or use it. Only some of the formats also offer metadata signing.

For increased trust, you can also provide your own GPG key or RSA key for signing.

Key Support by Package Format

Package Format

Key Type

Key Use

Alpine

RSA

Index

Cargo

Not Supported by Format

CocoaPods

Not Supported by Format

Composer

GPG

Conan

Not Supported by Format

CRAN

Dart

Not Supported by Format

Debian

GPG

Index

Docker

RSA

Index

Go

Gradle

GPG

Index Packages

Helm Charts

GPG

LuaRocks

Maven

GPG

Index Packages

npm

GPG

NuGet

Python

GPG

Raw

GPG

RPM

GPG

Index Packages

Ruby

GPG

sbt

GPG

Index Packages

Terraform Modules

Not Supported by Format

Unity Registry

GPG

Vagrant

GPG


Did this page help you?

Cloudsmith is the new standard in Package / Artifact Management and Software Distribution

With support for all major package formats, you can trust us to manage your software supply chain.


Start My Free Trial Now
Cookie Declaration (Manage Cookies)