Please, how do you configure GPG and Clojars?

Migrating to my new Macbook, configuring GPG is a pain. The guide I read before seems not matching current GPG. I don’t know what to do now. :frowning:

By now I’m committing my code in the new one and use the old Macbook to deploy my code to Clojars. Really hate.

It’s much easier to publish code to npm anyways.

I’ve published so many packages… definitely not new to ClojureScript. But it’s still hard to get Clojars work. :anger:


Reached on help on Clojurians from gonewest818

@jiyinyiyong It seems to me (I can’t be sure, because I wasn’t using clojure back then) the clojars developers implemented gpg and ssh key verification, but due to whatever problems and confusion it created they backed that functionality out.

So where old documentation says stuff like “create a clojars account, and then go into your clojars profile and upload a ssh and a gpg public key” those screens are no longer in the clojars UI.

In the wiki documentation it now says, simply that it will check “if any signature is uploaded, then every artifact has a signature” but what that is NOT saying is “we confirm the signature belongs to the clojars account that is attempting to do the publishing”

If you do a lein deps :verify in an existing project, you’ll probably see a mixture of :signed and :unsigned jars in your projects. If you read the verbose gpg output that gets printed to your shell you’ll also probably see statements like

gpg: WARNING: This key has been revoked by its owner!
gpg:          This could mean that the signature is forged.


gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.


gpg: Note: This key has expired!

And clojars developers seem very aware of these issues and (I think correctly) diagnosed the root problem: “…not many people promoted their artifacts, and there were minimal security benefits from signing the JARs, as people didn’t have a web of trust to validate that the GPG signature actually chained to people they trusted.” See for example!topic/clojure/-AIn1QlWyFs

So the bottom line is, you can take the steps to generate a gpg keypair, sign and publish your public key to a keyserver, and make the necessary changes in profiles.clj to make sure artifacts are signed with the private key. You don’t need to submit your public key to clojars because clojars doesn’t verify signatures anymore. While leiningen can verify signatures, if you lift up that rock you may be disturbed by what you find underneath.

Not sure I would say “people barely sign their jars” because I really don’t know what the statistics are. I suppose one could crawl the clojars repo and count the signed ones and find out. In my view the bigger issue is that even when people sign jars, the signatures aren’t meaningful unless the community makes the investment in building the necessary web of trust around the keys. The web of trust is necessary because it establishes the relationship between the keys and their owners. It’s not enough to have a signature on the file, you also need to know the signature is associated to the right person (the legitimate author of that library) and that you can trust that person.

Then I know at least I can start sending unsigned packages, which is much simpler with help of

And I ended up with a built.boot like:

(defn read-password [guide]
  (String/valueOf (.readPassword (System/console) guide nil)))

  :resource-paths #{"src"}
  :dependencies '[]
  :repositories #(conj % ["clojars" {:url ""
                                     :username "jiyinyiyong"
                                     :password (read-password "Clojars password: ")}]))

(def +version+ "0.2.0-alpha6")

(deftask deploy []
    (pom :project     'respo/reel
         :version     +version+
         :description "Time travel demo for Respo"
         :url         ""
         :scm         {:url ""}
         :license     {"MIT" ""})
    (push :repo "clojars" :gpg-sign false)))

This line says I don’t want to sign my package:

(push :repo "clojars" :gpg-sign false)

Meanwhile I still need to type the password. That’s okay.

1 Like

I’m pretty sure the :gpg-sign option defaults to false so you can omit that.

You could put the read-password function (nice touch, by the way), and the update of the "clojars" repository into your ~/.boot/profile.boot file so you don’t have to have it in your project’s build.boot file (and then it will automatically apply to all your projects).

I use Boot’s configure-repositories! function in my ~/.boot/profile.boot file to set usernames and passwords for my commonly accessed repositories, so I don’t get prompted for username/password for Clojars when deploying.

I saw Boot doing that. Is was like reading a encrypted file. Maybe I should try using a EDN there for my name and password. I just don’t get how Boot works.