

Hello,

While trying to verify the authenticity of the dependencies of a project which uses Leiningen, I was surprised to discover that Clojure release artifacts were not signed using GPG.

$ lein deps :verify

[...]
:unsigned [org.clojure/clojure "1.10.1" :scope "provided"]
:unsigned [org.clojure/core.specs.alpha "0.2.44" :scope "provided"]
:unsigned [org.clojure/spec.alpha "0.2.176" :scope "provided"]
:unsigned [org.clojure/tools.logging "1.1.0"]
:unsigned [org.clojure/tools.namespace "1.0.0" :scope "test"]
:unsigned [org.clojure/java.classpath "1.0.0" :scope "test"]
:unsigned [org.clojure/tools.reader "1.3.2" :scope "test"]

I think it is important for widely used tools such as Clojure to provide ways for people to check the authenticity of the delivered artifacts, and not require them to trust only the artifact registries like Clojars to not be compromised.

Since PGP signatures are relatively widespread for that matter, I wonder if it would be possible for future releases of Clojure (and other tools maintained in the 'org.clojure' group id) to be signed by the person in charge of the release?

Thanks

1 Answer

Best answer

All Clojure artifacts are signed by GPG and signatures are on Maven central. You can find key authentication information at https://clojure.org/releases/download_key

Why Leiningen says that, I don’t know - that would be a question you could ask the maintainers.

Excellent, I will investigate more to understand why leiningen fails to find the signature.
...
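To make the answer's point concrete for anyone checking `org.clojure` dependencies by hand, here is an added example (not from the question, the answer, or the Leiningen or Clojure projects). It parses the `:unsigned` lines that `lein deps :verify` prints, as quoted in the question, and derives for each dependency the Maven Central locations of the jar and its detached `.asc` signature, plus the `gpg --verify` invocation to check it. The repository layout (`groupId` with dots replaced by slashes, then `artifactId/version/artifactId-version.jar` and the same name with `.asc` appended) is the standard Maven Central layout; the sample output is constructed from the lines in the question, and the `curl` download commands are illustrative. The signing key itself must first be imported into your keyring from the key information the answer links to, otherwise `gpg --verify` reports that the public key is missing.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Constructed sample, mirroring the `lein deps :verify` output quoted in the question.
SAMPLE_OUTPUT = """\
[...]
:unsigned [org.clojure/clojure "1.10.1" :scope "provided"]
:unsigned [org.clojure/core.specs.alpha "0.2.44" :scope "provided"]
:unsigned [org.clojure/tools.logging "1.1.0"]
:unsigned [org.clojure/tools.namespace "1.0.0" :scope "test"]
"""

MAVEN_CENTRAL = "https://repo1.maven.org/maven2"

# One ":unsigned [group/artifact "version" :scope "scope"]" line; the :scope part is optional.
UNSIGNED_RE = re.compile(
    r'^:unsigned\s+\[(?P<group>[^/\s]+)/(?P<artifact>[^\s"]+)\s+"(?P<version>[^"]+)"'
    r'(?:\s+:scope\s+"(?P<scope>[^"]+)")?\]\s*$'
)


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: Optional[str]


def parse_unsigned(output: str) -> list[Dep]:
    """Return the dependencies that Leiningen reported as unsigned."""
    deps = []
    for line in output.splitlines():
        m = UNSIGNED_RE.match(line.strip())
        if m:
            deps.append(Dep(m["group"], m["artifact"], m["version"], m["scope"]))
    return deps


def artifact_url(dep: Dep) -> str:
    """Maven Central location of the jar, following the standard repository layout."""
    group_path = dep.group.replace(".", "/")
    return (f"{MAVEN_CENTRAL}/{group_path}/{dep.artifact}/{dep.version}/"
            f"{dep.artifact}-{dep.version}.jar")


def signature_url(dep: Dep) -> str:
    """The detached PGP signature sits next to the jar with ".asc" appended."""
    return artifact_url(dep) + ".asc"


def verify_commands(dep: Dep) -> list[str]:
    """Shell commands (illustrative) to fetch the jar and signature and verify them.

    Assumes the release signing key has already been imported into the local keyring.
    """
    jar = f"{dep.artifact}-{dep.version}.jar"
    return [
        f"curl -fsSLO {artifact_url(dep)}",
        f"curl -fsSLO {signature_url(dep)}",
        f"gpg --verify {jar}.asc {jar}",
    ]


if __name__ == "__main__":
    for dep in parse_unsigned(SAMPLE_OUTPUT):
        print(f"# {dep.group}/{dep.artifact} {dep.version} (scope: {dep.scope or 'default'})")
        for cmd in verify_commands(dep):
            print(cmd)
        print()
```

Running the script prints one block of commands per unsigned dependency; a result of "Good signature" from `gpg` for an artifact that Leiningen flagged as `:unsigned` confirms the answer's diagnosis that the gap is on the tool side rather than in the published artifacts.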