
I recently deployed a library to Clojars and tried to ensure that it was signed, but can't see any evidence of that one way or the other.

Here are the steps I followed:

I already have gpg installed (Linux system), gpg-agent running, and have generated a public/private key pair. I also added my GPG public key to Clojars when I signed up.

I created ~/.lein/credentials.clj with:

{#"https://clojars.org/repo"
  {:username "midpeter444" :password "passw0rd"}} 

I then ran:

gpg --default-recipient-self -e ~/.lein/credentials.clj > ~/.lein/credentials.clj.gpg

and then deleted ~/.lein/credentials.clj

In my lein project directory, I ran:

lein deploy clojars

It prompted me twice (via gpg-agent) to enter my password, which I did and then it uploaded the jar to Clojars.

So it seemed like it worked, but when I look at my library on the Clojars site, or at the library after I download it from Clojars, I can't see any evidence that it is signed or whether it failed.

Do I need to do anything else, like add a note in the project.clj to sign it somehow?


2 Answers

  • Log in to Clojars
  • Once at the dashboard, click on the library in question
  • Check the promotion section

If the jar is not signed, you'll see a message like:

  • /home/clojars/repo/blah/blah/0.0.1/blah-0.0.1.jar is not signed.
answered 2013-03-03T00:08:29.213

After researching it some more, lein 2 will automatically sign your jars if you have added your PGP public key to your Clojars account. If you run lein deps :verify it will tell you whether the library is signed.

So you can create a project that uses your published library and run this command.

Example output:

$ lein deps :verify
:signed [criterium "0.3.1"]
:unsigned [enlive "1.0.1"]
:signed [org.clojure/tools.macro "0.1.1"]
:signed [org.clojure/clojure "1.5.0"]
:bad-signature [thornydev/go-lightly "0.4.0"]

I see that mine (go-lightly) is marked as having a bad signature, so now I need to figure out why. The Clojars site did not tell me this (or at least I don't know where to look for it), so I think using lein deps :verify is the better answer.

[Update]: The bad signature came about because I tried to redeploy a library (same version) after I had already promoted it, uncovering a bug in the Clojars system (currently being fixed).

If you do get a :bad-signature, you'll need to redeploy to Clojars (after the Clojars guys remove the bad lib). Then to check whether the signature is correct, make sure to delete that library from your local ~/.m2 repo so that the new one will be downloaded and checked for valid signature.

answered 2013-03-03T03:26:09.237
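A small shell gate built on the `lein deps :verify` output format shown in the answer above, as an added example that is not part of either answer or of Leiningen itself: it fails a build when any dependency comes back `:unsigned` or `:bad-signature`, so a CI job can refuse to proceed instead of relying on someone reading the output. The sample output is constructed from the lines quoted in the answer, and the function names are my own; in a real pipeline you would feed the captured output of `lein deps :verify` to `check_verify_output`.

```shell
#!/bin/sh
# Added example, not code from the original answers or from Leiningen.
# Gate a build on the output of `lein deps :verify`: every line of that
# output starts with :signed, :unsigned or :bad-signature followed by
# the dependency vector, as in the answer above.

# Print every dependency that is not :signed and return 1; return 0 when
# all lines are :signed.  $1 is a file holding the verify output.
check_verify_output() {
  bad=$(grep -E '^:(unsigned|bad-signature) ' "$1" || true)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Number of dependencies with a given status.
# $1 is the status keyword without the colon, $2 the verify output file.
count_status() {
  grep -c "^:$1 " "$2" || true
}

# The dependency vectors reported with a given status, one per line.
list_with_status() {
  sed -n "s/^:$1 //p" "$2"
}

# Constructed sample: the verify output quoted in the answer above.
SAMPLE_OUTPUT=$(mktemp)
cat > "$SAMPLE_OUTPUT" <<'EOF'
:signed [criterium "0.3.1"]
:unsigned [enlive "1.0.1"]
:signed [org.clojure/tools.macro "0.1.1"]
:signed [org.clojure/clojure "1.5.0"]
:bad-signature [thornydev/go-lightly "0.4.0"]
EOF

# Constructed sample of a fully signed dependency set.
CLEAN_OUTPUT=$(mktemp)
cat > "$CLEAN_OUTPUT" <<'EOF'
:signed [criterium "0.3.1"]
:signed [org.clojure/clojure "1.5.0"]
EOF
trap 'rm -f "$SAMPLE_OUTPUT" "$CLEAN_OUTPUT"' EXIT

# Stand-alone demonstration on the constructed sample.  A real run would be:
#   lein deps :verify > verify.txt && check_verify_output verify.txt
if check_verify_output "$SAMPLE_OUTPUT"; then
  echo "all dependencies signed"
else
  echo "unsigned or badly signed dependencies found (listed above)"
fi
```

Because the check treats `:bad-signature` the same as `:unsigned`, the redeploy-after-promotion case described in the update above is caught as well; as the answer notes, clear the artifact from `~/.m2` before re-running so the verification sees the freshly downloaded jar and signature rather than the cached copy.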