Cloudsmith has always performed signature and checksum validation at the core of the service - and today, we're introducing three awesome new ways to surface this information!
The package information page now includes a link to retrieve the raw GPG signature for a package, using all of the same authentication schemes we support for packages.
The package resource in the Cloudsmith API now provides a URL to retrieve the raw signature for a package and package file via the attribute signature_url.
Last (but by no means least) - our raw format has been updated to provide signature URLs on both our HTML and JSON indexes (where enabled within your repository). You can also append .asc to any raw file URL to retrieve the package signature directly.
These changes (and more upcoming) aim to give more visibility into the provenance of your software.
Thanks for subscribing!
Check your inbox to verify your email