GPG Signing

A number of package managers support using GPG signing as a way to verify the authenticity of packages installed from a repository.

Enabling GPG signing

Proceed to Settings→Features on your dashboard and follow the Manage link to access the GPG settings for your account. There you can upload your own GPG key and enable signing for your repositories.

Generating a GPG key

You can generate a new GPG key pair by following these steps, but you will first need to install the GPG tools on your machine.

Once you have that CLI in place, run the following command to generate the key pair:

$ gpg --full-generate-key

We recommend using the default algorithm with a key length of at least 4096 bits. Leaving the expiration field blank will generate a key that never expires.

Exporting a GPG key

Once you’ve generated a key, you’ll need to have its ID to export it from your machine. You can list the local keys with:

$ gpg --list-secret-keys --keyid-format=long

Once you have the ID for your key, export it into ASCII-armored format with the following command:

$ gpg --armor --export-secret-key KEYID > private.key

Now, upload the contents of private.key to Gemfury as described above to update your Gemfury GPG signing key.
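The three steps above (generate, list, export) carried through end to end, as an added example rather than Gemfury's own script; the key's name, e-mail address and directory layout are assumptions. It uses gpg's unattended --batch --gen-key mode inside a throwaway GNUPGHOME in place of the interactive --full-generate-key, exports both the private and the public key, and adds the check worth doing before uploading: a signature made with the secret key must verify in a fresh keyring that holds only the exported public key, which is what consumers of the repository will import.

```shell
#!/bin/sh
# Added example (not Gemfury's script): create a dedicated RSA-4096 signing
# key in an isolated GNUPGHOME, export it ASCII-armored, and confirm that the
# exported public key verifies a signature made with the exported private key.
# Requires gpg (GnuPG 2.1 or later). All names and paths are assumptions.
set -eu

gen_signing_key() {
    # $1 = directory to use as an isolated GNUPGHOME (created if missing).
    # Prints the long key ID of the new key, the same value that
    # `gpg --list-secret-keys --keyid-format=long` shows.
    mkdir -p "$1" && chmod 700 "$1"
    # Unattended equivalent of `gpg --full-generate-key`: RSA, 4096 bits,
    # sign-only, no expiry. %no-protection omits the passphrase; use a
    # `Passphrase:` line instead for a key that stays on your machine.
    GNUPGHOME="$1" gpg --batch --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: Example Repository Signing Key
Name-Email: signing@example.invalid
Expire-Date: 0
%commit
EOF
    # Colon-separated listing: field 5 of the "sec" record is the long key ID.
    GNUPGHOME="$1" gpg --batch --list-secret-keys --with-colons 2>/dev/null \
        | awk -F: '$1 == "sec" { print $5; exit }'
}

export_keys() {
    # $1 = GNUPGHOME, $2 = key ID, $3 = output directory.
    # private.key is the file whose contents you upload for signing;
    # public.key is what package consumers import to verify signatures.
    GNUPGHOME="$1" gpg --batch --armor --export-secret-key "$2" > "$3/private.key"
    GNUPGHOME="$1" gpg --batch --armor --export "$2" > "$3/public.key"
}

verify_roundtrip() {
    # $1 = GNUPGHOME holding the secret key, $2 = directory containing
    # public.key, $3 = key ID. Signs a constructed file with the secret key,
    # then verifies it from a fresh keyring that contains only public.key.
    # Returns gpg's verify status: 0 only for a good signature.
    printf 'constructed package payload\n' > "$2/artifact.txt"
    GNUPGHOME="$1" gpg --batch --yes --quiet --local-user "$3" \
        --armor --detach-sign --output "$2/artifact.txt.asc" "$2/artifact.txt"

    consumer="$2/consumer-home"
    mkdir -p "$consumer" && chmod 700 "$consumer"
    GNUPGHOME="$consumer" gpg --batch --quiet --import "$2/public.key" 2>/dev/null
    GNUPGHOME="$consumer" gpg --batch --quiet \
        --verify "$2/artifact.txt.asc" "$2/artifact.txt" 2>/dev/null
}

main() {
    work=$(mktemp -d)
    kid=$(gen_signing_key "$work/keys")
    export_keys "$work/keys" "$kid" "$work"
    verify_roundtrip "$work/keys" "$work" "$kid"
    echo "key $kid exported to $work/private.key and $work/public.key; signature verified"
}

# Run the end-to-end flow only when asked, so the functions can also be sourced.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_DEMO=1 sh gpg-signing-key.sh`. Because the private key leaves your machine when it is uploaded, generate a dedicated signing key in its own GNUPGHOME as shown, rather than exporting the key you use for e-mail or commits.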