Why are clojure release artifacts not signed using GPG?

Question

Hello,

While trying to verify the authenticity of the dependencies of a project which uses Leiningen, I was surprised to discover that Clojure release artifacts were not signed using GPG.

$ lein deps :verify

[...]
:unsigned [org.clojure/clojure "1.10.1" :scope "provided"]
:unsigned [org.clojure/core.specs.alpha "0.2.44" :scope "provided"]
:unsigned [org.clojure/spec.alpha "0.2.176" :scope "provided"]
:unsigned [org.clojure/tools.logging "1.1.0"]
:unsigned [org.clojure/tools.namespace "1.0.0" :scope "test"]
:unsigned [org.clojure/java.classpath "1.0.0" :scope "test"]
:unsigned [org.clojure/tools.reader "1.3.2" :scope "test"]

I thinks it is important for widely used tools such as Clojure to provide ways for people to check the authenticity of the delivered artifacts, and not require them to trust only the artifact registries like Clojars to not be compromised.

Since PGP signatures are relatively widespread for that matter, I wonder if it would be possible for future releases of Clojure (and other tools maintained in the 'org.clojure' group id to be signed by the person in charge of the release ?

Thanks

Answer 1

All Clojure artifacts are signed by GPG and signatures are on Maven central. You can find key authentication information at https://clojure.org/releases/download_key

Why Leiningen says that, I don’t know - that would be a question you could ask the maintainers.

Comments

Excellent, I will investigate more to understand why leiningen fails to find the signature.