Should you sign JARs you publish on Clojars?


#1

My GPG setup has broken again and I’m postponing publishing new versions of libraries because of that. I’m thinking that maybe I should just give up on signing JARs because as far as I know, nobody actually does anything with the signatures. Personally I’m using deps.edn nowadays and I’m not even sure if anyone has come up with a way to check the signatures with deps.edn. Previously I thought that I should sign the JARs because somebody would hypothetically build a tool and a workflow the check signatures, but this has not happened.

Are there any arguments for signing jars? Is checking signatures part of anyone’s workflow?


#2

I’m in the same boat as you in that my GPG setup broke again and I finally just gave up with GPG. When I switched from Leiningen to Boot, I pretty much stopped signing JARs. One of the Clojars maintainers talked about the percentage of JARs that are signed there and it’s pretty low, I believe, and that was part of why they got rid of the whole promotion thing (only signed JARs could be “promoted” on Clojars).


#3

I think it would be great if signed artifacts could be a real thing in Clojure. Not a lot of languages have a artifact repo that even supports them. Which lead to security issues, where a malicious artifact was pushed in and consumed by a bunch of prod systems.

So personally, I think it could be a good differentiator for Clojure and ClojureScript.

But, it seems the tooling and ecosystem as a whole didn’t really bother, and I admit, signing is a big pain.

Just saying that, I would cheer for any initiative to make signed artifacts a standard and improve the tooling around it so it’s really easy to do.


#4

There’s also a bit of a push for depending on Git SHA/URL pairs which is something almost no other languages do, and that means you’re always working with an immutable source artifact that can be inspected – so maybe that should become more of a preferred model in Clojure than “old-fashioned” JAR files, signed or not?