I recently deployed a library to Clojars and tried to ensure that it was signed, but can't see any evidence of that one way or the other.
Here are the steps I followed:
I already have gpg installed (Linux system), gpg-agent running, and have generated a public/private key pair. I also added my GPG public key to Clojars when I signed up.
I created ~/.lein/credentials.clj with:
    {#"https://clojars.org/repo"
     {:username "midpeter444" :password "passw0rd"}}
I then ran:
    gpg --default-recipient-self -e ~/.lein/credentials.clj > ~/.lein/credentials.clj.gpg
and then deleted ~/.lein/credentials.clj
In my lein project directory, I ran:
    lein deploy clojars
It prompted me twice (via gpg-agent) to enter my password, which I did and then it uploaded the jar to Clojars.
So it seemed like it worked, but when I look at my library on the Clojars site or at the library after I download it from Clojars I can't see any evidence that it is signed or whether it failed.
Do I need to do anything else, like add a note in the project.clj to sign it somehow?