My GPG setup has broken again and I’m postponing publishing new versions of libraries because of that. I’m thinking that maybe I should just give up on signing JARs because as far as I know, nobody actually does anything with the signatures. Personally I’m using deps.edn nowadays and I’m not even sure if anyone has come up with a way to check the signatures with deps.edn. Previously I thought that I should sign the JARs because somebody would hypothetically build a tool and a workflow the check signatures, but this has not happened.
Are there any arguments for signing jars? Is checking signatures part of anyone’s workflow?
I’m in the same boat as you in that my GPG setup broke again and I finally just gave up with GPG. When I switched from Leiningen to Boot, I pretty much stopped signing JARs. One of the Clojars maintainers talked about the percentage of JARs that are signed there and it’s pretty low, I believe, and that was part of why they got rid of the whole promotion thing (only signed JARs could be “promoted” on Clojars).
I think it would be great if signed artifacts could be a real thing in Clojure. Not a lot of languages have a artifact repo that even supports them. Which lead to security issues, where a malicious artifact was pushed in and consumed by a bunch of prod systems.
So personally, I think it could be a good differentiator for Clojure and ClojureScript.
But, it seems the tooling and ecosystem as a whole didn’t really bother, and I admit, signing is a big pain.
Just saying that, I would cheer for any initiative to make signed artifacts a standard and improve the tooling around it so it’s really easy to do.
There’s also a bit of a push for depending on Git SHA/URL pairs which is something almost no other languages do, and that means you’re always working with an immutable source artifact that can be inspected – so maybe that should become more of a preferred model in Clojure than “old-fashioned” JAR files, signed or not?