While trying to verify the authenticity of the dependencies of a project which uses Leiningen, I was surprised to discover that Clojure release artifacts were not signed using GPG.
$ lein deps :verify
:unsigned [org.clojure/clojure "1.10.1" :scope "provided"]
:unsigned [org.clojure/core.specs.alpha "0.2.44" :scope "provided"]
:unsigned [org.clojure/spec.alpha "0.2.176" :scope "provided"]
:unsigned [org.clojure/tools.logging "1.1.0"]
:unsigned [org.clojure/tools.namespace "1.0.0" :scope "test"]
:unsigned [org.clojure/java.classpath "1.0.0" :scope "test"]
:unsigned [org.clojure/tools.reader "1.3.2" :scope "test"]
I thinks it is important for widely used tools such as Clojure to provide ways for people to check the authenticity of the delivered artifacts, and not require them to trust only the artifact registries like Clojars to not be compromised.
Since PGP signatures are relatively widespread for that matter, I wonder if it would be possible for future releases of Clojure (and other tools maintained in the 'org.clojure' group id to be signed by the person in charge of the release ?