Secure, private Swift package hosting in the cloud

Cloudsmith gives your team a fully managed, cloud-native Swift registry. Push and pull packages using native Swift Package Manager tooling, enforce access controls with entitlement tokens, and distribute to every engineer and pipeline via 600+ global edge locations.

Swift package management

One registry for Swift and every other format your teams rely on.

  • Use Swift + 30 other formats in a single Cloudsmith repository
  • Store containers, Swift packages, and raw assets side by side
  • Centralise your entire software supply chain in one managed platform

How we support Swift

Cloudsmith is a fully managed Swift package registry built for teams that need security, speed, and complete control over their software supply chain.
    Native Swift Package Manager support
    Push and pull packages using standard SPM tooling with Swift 5.9 and above. Configure your registry globally or per project, and authenticate via API token with no custom tooling required.
    Package signing and verification
    Cloudsmith is the first artifact management platform to offer Swift native signing. Packages are signed automatically on upload using ECDSA X.509 certificates, giving consumers cryptographic proof of authenticity.
    Global CDN distribution
    Your Swift packages are served from 600+ edge points of presence worldwide, keeping build times low regardless of where your engineers and CI pipelines are located.
    Entitlement tokens and access control
    Issue read-only entitlement tokens to control exactly who and what can consume your packages. Combine with SAML, SSO, and SCIM to manage team access at enterprise scale.
    Upstream proxying and caching
    Proxy public Swift package sources through Cloudsmith and cache resolved dependencies. Your builds stay fast and resilient even when upstream registries are slow or unavailable.

Why teams choose Cloudsmith for Swift

Self-hosted registries and ad-hoc Git-based workflows create friction and risk. Cloudsmith removes the ops burden and gives your team a private, auditable, high-performance registry from day one.
Without Cloudsmith: Swift packages are distributed from Git repositories with no access controls, making it impossible to enforce who can pull internal dependencies or audit what was consumed.
With Cloudsmith: Cloudsmith gives you private repositories with entitlement token authentication, full audit logs, and per-package access controls so you always know exactly who consumed what.
Without Cloudsmith: Teams rely on public registries or manually managed Git tags for versioning, leading to slow builds when upstream sources are unavailable and no caching layer to absorb failures.
With Cloudsmith: Cloudsmith caches resolved Swift packages close to your teams via 600+ edge PoPs and upstream proxying, keeping builds fast and reliable regardless of public registry availability.
Without Cloudsmith: Swift packages are distributed unsigned, leaving pipelines exposed to dependency tampering. There is no simple way to verify a package hasn't been modified since it was published.
With Cloudsmith: Cloudsmith automatically signs Swift packages with ECDSA X.509 certificates on upload. Every consumer gets cryptographic proof the package is legitimate and unmodified.

Signs you're ready to switch to Cloudsmith for Swift

If your current setup is adding friction to Swift development or leaving gaps in your security posture, Cloudsmith gives you a clear upgrade path with zero self-hosted infrastructure to manage.
    No private registry for internal packages
    Sharing Swift packages via Git URLs works until your codebase grows. Cloudsmith gives you a proper private registry with versioning, access control, and a stable URL from day one.
    Missing package signing
    Unsigned packages leave your supply chain open to tampering. Cloudsmith automatically signs every Swift package on upload, so developers always receive verified, trusted artifacts.
    Slow builds caused by remote dependency resolution
    Pulling packages from public Git repositories or distant registries on every build slows CI down. Cloudsmith's global CDN and upstream caching keep resolution fast and consistent.
    Fragmented tooling across formats
    Running a separate registry for Swift, Docker, and other formats creates maintenance overhead. Cloudsmith supports 30+ formats in one platform, so your whole supply chain lives together.
    No vulnerability scanning on package ingestion
    Third-party Swift dependencies can carry CVEs that slip through unnoticed. Cloudsmith scans packages on upload and applies policy gates before they ever reach your build pipelines.

Frequently asked questions

  1. Cloudsmith supports Swift Package Manager version 5.9 and above. You can publish packages using the native swift package-registry commands and authenticate using your Cloudsmith API token.

  2. Run swift package-registry set with your Cloudsmith repository URL to configure the registry per project, or add the --global flag to set it as the default for your entire development environment. Full setup instructions are in the Cloudsmith documentation.

  3. Yes. Cloudsmith is the first artifact management platform to offer native Swift package signing. When signing is enabled on a repository, every uploaded package is automatically signed using an ECDSA private key and X.509 certificate, giving consumers cryptographic verification of package authenticity.

  4. Yes. You can configure upstream sources in Cloudsmith so that public Swift packages are proxied and cached within your repository. This speeds up builds and keeps your pipelines resilient if an upstream registry is slow or unavailable.

  5. Cloudsmith uses entitlement tokens to control read access to your packages. You can issue scoped, read-only tokens for specific consumers or pipelines. For team access, Cloudsmith supports SAML, SSO, and SCIM to manage identity and permissions at enterprise scale.

  6. Yes. Cloudsmith repositories support 30+ formats, so you can store Swift packages, Docker images, and other artifacts in the same workspace. This removes the need for separate registries and gives you a single pane of glass for your entire software supply chain.

  7. Cloudsmith scans packages for known vulnerabilities on upload and surfaces findings in the package insights dashboard. You can combine scanning with policy-as-code using OPA Rego to automatically quarantine or block packages that fail your security criteria.

  8. You can upload existing Swift packages directly via the Cloudsmith CLI, the web app, or the API. Once packages are in Cloudsmith, updating your projects to point at the new registry URL is a single command. The Cloudsmith team is available to help with migration planning.

  9. Yes. Cloudsmith supports public, private, and open-source Swift repositories on all plans. Public repositories are accessible without authentication, while private repositories require entitlement token or API key authentication.

  10. Yes. After generating your Swift package archive with swift package archive-source, you can publish it to Cloudsmith using the cloudsmith push swift command with your workspace, repository, package name, version, and scope. Full CLI reference is available in the Cloudsmith documentation.
