#clojars
2023-02-02
rickmoynihan 11:02:10

What is the current status of jar signing in clojars and the clojure community? My understanding is that clojars will verify signatures if the jars are signed; but does tools.deps/leiningen verify signatures on the fetching side? My feeling is that they don’t, and that the typical state of jar signing is that some are, some aren’t, and that until almost all are signed, that policy can’t be tightened. Also for signed jars, how are the public keys obtained to verify? I’m guessing through PGP keyservers, and then you have the problem of verifying keychains etc which likely doesn’t bottom out at a trustable authority (unless we’re to trust key-signing parties etc, which would probably be hard to automate). So is it the case that this isn’t really worth doing? My feeling is that since clojars etc are now https the risk is minimised; so the main vector is just a malicious party hacking a jar on clojars and replacing your jar with something else. Is the above a fair assessment of the current status of this? If so it seems like signing jars in CI probably isn’t worth the hassle at the minute?

tcrawley 11:02:08

Clojars does not verify signatures, it just verifies that if you provided a signature for at least one file in a release you provided them for all. It used to allow you to upload your public GPG key and verify that anything you deploy that was signed with that key, but that was removed (maybe around 2016?) because there was no link to a wider web of trust, IIRC. There is some discussion here, but no real direction or decisions: https://github.com/clojars/clojars-web/discussions/834

Alex Miller (Clojure team) 12:02:16

The crux of the problem is that consumer side tools could verify signatures, but to do so they need to know what to verify them against, and that relies entirely on manually deciding whether keys are trusted

rickmoynihan 12:02:50

yeah that was precisely my conclusion too

Alex Miller (Clojure team) 13:02:10

For Clojure and contrib libs, there are instructions on how to do this at https://clojure.org/releases/download_key but for everything else, this is much harder

rickmoynihan 13:02:51

thanks for the replies, both are super helpful, and basically what I was expecting

lread 14:02:15

Also @U04V5VAUN might have some thoughts. He set up jar signing for some of the clj-commons projects.

seancorfield 16:02:00

For a while, Phil H pushed very hard for people to verify each other's keys "in person" at conferences and meetups and he was the main one pushing for artifact signing and why Leiningen did it by default (but Boot did not -- and tools.deps etc does not). Clojars used to have a two-tiered system where signed JARs could be "promoted" to a sort of "trusted" layer on the repo. That meant a lot of friction for developers, wrestling with the very fragile cryptographic toolchain (extremely painful on Windows and bad enough on Macs -- but fairly straightforward on Linux, where Phil "lived"), so very few JARs ended up being signed -- people just configured Leiningen to not sign artifacts and the two-tiered approach on Clojars was a lot of machinery to support for the handful of folks who were actually using it. I was one of those folks who had horrible experiences with the experience on Mac and got tired of the pro-signing folks repeatedly telling me "it's simple" -- and it was part of the reason I switched my OSS projects from Leiningen to Boot to get away from it. (just to provide a bit more background color on the topic)

Alex Miller (Clojure team) 16:02:22

I think this is an important area we should have better answers for but I don't think the "web of trust" thing is that answer

Alex Miller (Clojure team) 16:02:00

but I have chatted a bit with Phil lately about some things in this area and I hope at some point we can do something

Alex Miller (Clojure team) 16:02:24

I just don't have the bandwidth to do it right now

seancorfield 17:02:24

Has the signing/crypto tooling improved since 2016? (I would hope so with the huge amount of time and effort being spent, in the context of other crypto-based works)

Alex Miller (Clojure team) 17:02:44

afaict, not one bit

Alex Miller (Clojure team) 17:02:22

something something blockchain

slipset 17:02:15

Setting up the signing process was a royal PITA on my Mac. Getting a signing key onto circle and having circle sign releases to clojars was about the same. And I never got around to publishing my key anywhere.

Alex Miller (Clojure team) 18:02:33

and without that ... it was all for nought

slipset 18:02:44

Ah but, no, I could upload that key somewhere retroactively if I ever found it again. But seriously, yes, this whole process needs to be more streamlined.

slipset 18:02:50

Imagine if this was a service provided by circle or GitHub, with them acting as a key server for the public keys, and having fns for signing stuff with a properly configured private key.