Signing Keys
Cloudsmith uses GPG or RSA signatures (where applicable) in addition to package checksums to detect tampering.
We calculate a signature for every file that is uploaded, but only some of the package formats make it available or use it. Only some of the formats also offer metadata signing.
For increased trust, you can also provide your own GPG key or RSA key for signing.
Key Support by Package Format
| Package Format | Key Type | Key Use |
|---|---|---|
| Alpine | RSA | Index |
| Cargo | Not Supported by Format | |
| CocoaPods | Not Supported by Format | |
| Composer | GPG | |
| Conan | Not Supported by Format | |
| CRAN | ||
| Dart | Not Supported by Format | |
| Debian | GPG | Index |
| Docker | RSA | Index |
| Go | ||
| Gradle | GPG | Index Packages |
| Helm Charts | GPG | |
| LuaRocks | ||
| Maven | GPG | Index Packages |
| npm | GPG | |
| NuGet | ||
| Python | GPG | |
| Raw | GPG | |
| RPM | GPG | Index Packages |
| Ruby | GPG | |
| sbt | GPG | Index Packages |
| Terraform Modules | Not Supported by Format | |
| Unity Registry | GPG | |
| Vagrant | GPG |
Updated about 4 years ago
