Updates:

Reached out for help on Clojurians and got this reply from gonewest818:

@jiyinyiyong It seems to me (I can’t be sure, because I wasn’t using clojure back then) the clojars developers implemented gpg and ssh key verification, but due to whatever problems and confusion it created they backed that functionality out.

So where old documentation says stuff like “create a clojars account, and then go into your clojars profile and upload a ssh and a gpg public key” those screens are no longer in the clojars UI.

In the wiki documentation it now simply says that it will check “if any signature is uploaded, then every artifact has a signature”, but what that is NOT saying is “we confirm the signature belongs to the clojars account that is attempting to do the publishing” https://github.com/clojars/clojars-web/wiki/pushing#validations

If you do a lein deps :verify in an existing project, you’ll probably see a mixture of :signed and :unsigned jars in your projects. If you read the verbose gpg output that gets printed to your shell you’ll also probably see statements like

gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.

and

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

and

gpg: Note: This key has expired!

And clojars developers seem very aware of these issues and (I think correctly) diagnosed the root problem: “…not many people promoted their artifacts, and there were minimal security benefits from signing the JARs, as people didn’t have a web of trust to validate that the GPG signature actually chained to people they trusted.” See for example https://groups.google.com/forum/#!topic/clojure/-AIn1QlWyFs

So the bottom line is, you can take the steps to generate a gpg keypair, sign and publish your public key to a keyserver, and make the necessary changes in profiles.clj to make sure artifacts are signed with the private key. You don’t need to submit your public key to clojars because clojars doesn’t verify signatures anymore. While leiningen can verify signatures, if you lift up that rock you may be disturbed by what you find underneath.

Not sure I would say “people barely sign their jars” because I really don’t know what the statistics are. I suppose one could crawl the clojars repo and count the signed ones and find out. In my view the bigger issue is that even when people sign jars, the signatures aren’t meaningful unless the community makes the investment in building the necessary web of trust around the keys. The web of trust is necessary because it establishes the relationship between the keys and their owners. It’s not enough to have a signature on the file, you also need to know the signature is associated to the right person (the legitimate author of that library) and that you can trust that person.
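As an added example (my own code, not gonewest818's and not part of Clojars or Leiningen), here is a small Python checker that turns gpg's machine-readable status lines into the verdicts behind the warnings quoted above, so a dependency audit can tell “unsigned” apart from “signed, but by a revoked, expired or untrusted key”. It assumes gpg is on PATH and that each artifact's detached signature sits beside it as `<jar>.asc`, the usual Maven-repository layout; the sample status lines are constructed.

```python
import os
import subprocess
from typing import Iterable

# gpg --status-fd tokens (from gpg's DETAILS document) mapped to the verdict a
# dependency audit should report; insertion order is most-to-least severe.
VERDICT_BY_TOKEN = {
    "BADSIG": "bad-signature",     # data altered, or signed by a different key
    "ERRSIG": "unverifiable",      # could not check at all, e.g. NO_PUBKEY
    "REVKEYSIG": "revoked-key",    # "This key has been revoked by its owner!"
    "EXPKEYSIG": "expired-key",    # "Note: This key has expired!"
    "EXPSIG": "expired-signature",
}

def classify(status_lines: Iterable[str]) -> str:
    """Reduce the status output of one gpg --verify run to a single verdict."""
    problems, good, trust = set(), False, None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue                   # ordinary log text, not a status line
        token = parts[1]
        if token in VERDICT_BY_TOKEN:
            problems.add(VERDICT_BY_TOKEN[token])
        elif token == "GOODSIG":
            good = True
        elif token in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            trust = "trusted"          # key chains into your own web of trust
        elif token.startswith("TRUST_"):   # UNDEFINED / NEVER / MARGINAL
            trust = "untrusted-key"    # "not certified with a trusted signature"
    for verdict in VERDICT_BY_TOKEN.values():  # worst applicable problem wins
        if verdict in problems:
            return verdict
    if good:
        return trust or "untrusted-key"  # GOODSIG with no trust line stays untrusted
    return "unsigned"                  # gpg reported no signature at all

def verify_jar(jar_path: str) -> str:
    """Verify a downloaded jar against the detached <jar>.asc beside it."""
    sig_path = jar_path + ".asc"
    if not os.path.exists(sig_path):
        return "unsigned"              # Clojars does not require an .asc upload
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, jar_path],
        capture_output=True, text=True, check=False)
    return classify(proc.stdout.splitlines())

# Constructed status lines (not from a real download) for a revoked signing key:
SAMPLE_REVOKED = ["[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Author <a@example.org>",
                  "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
```

Pointing `verify_jar` at each jar under `~/.m2/repository` gives the same signed/unsigned split that `lein deps :verify` prints, but with the revoked, expired and untrusted cases as distinct results instead of warnings buried in gpg's output.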

Then at least I know I can start publishing unsigned packages, which is much simpler with the help of https://github.com/boot-clj/boot/wiki/Repository-Credentials-and-Deploying#basic-operation

And I ended up with a build.boot like:

```clojure
(defn read-password
  "Prompt on the terminal without echoing the input. (System/console) is nil
   when there is no TTY (e.g. in CI), so this only works interactively."
  [guide]
  (String/valueOf (.readPassword (System/console) guide nil)))

(set-env!
 :resource-paths #{"src"}
 :dependencies '[]
 ;; add Clojars as a deploy target; the password is asked for at build time
 ;; instead of being stored in the file
 :repositories #(conj % ["clojars" {:url "https://clojars.org/repo/"
                                    :username "jiyinyiyong"
                                    :password (read-password "Clojars password: ")}]))

(def +version+ "0.2.0-alpha6")

(deftask deploy []
  (comp (pom :project 'respo/reel
             :version +version+
             :description "Time travel demo for Respo"
             :url "https://github.com/Respo/reel"
             :scm {:url "https://github.com/Respo/reel"}
             :license {"MIT" "http://opensource.org/licenses/mit-license.php"})
        (jar)
        (push :repo "clojars" :gpg-sign false)))
```

This line says I don’t want to sign my package:

(push :repo "clojars" :gpg-sign false)

Meanwhile I still need to type the password. That’s okay.