This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2023-04-11
Hey. I’ve been deploying to clojars for years. This morning I’m getting:
Uploaded to clojars: (146 kB at 65 kB/s)
Downloading from clojars:
Downloaded from clojars: (6.7 kB at 28 kB/s)
Uploading to clojars:
Uploaded to clojars: (1.1 kB at 610 B/s)
Uploading to clojars:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 9.102 s
[INFO] Finished at: 2023-04-11T12:02:09-07:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:3.1.0:deploy (default-deploy) on project fulcro-rad: Failed to deploy metadata: Could not transfer metadata com.fulcrologic:fulcro-rad/maven-metadata.xml from/to clojars (): status code: 403, reason phrase: Forbidden - no checksums provided for fulcro-rad-1.4.9-20230411.190200-1.pom.asc (403) -> [Help 1]
seems like signing stopped working? I’ve been signing my artifacts forever (and yes my public key is published in the GPG ecosystem). It seems so odd to not sign artifacts to me, and this is a regression. I’ve uploaded signed stuff for literally my entire existence as an OSS developer.
Hi @tony.kay! Nothing has changed on the Clojars side in years, but based on the other thread, it sounds like maven/aether stopped providing checksum files for signatures in a recent release. There's a workaround in that thread for a sysprop to turn it back on, but if the maven folks don't care about checksums for signature files, maybe clojars shouldn't either?
I don’t see why you’d ever care about a checksum on a signature…the signature is already a proof. If the checksum is wrong the proof will fail, and ppl will consider it a bad release (if they care to check)
That's a good point. When I implemented the validation, all tools sent checksums with the signatures (along with checksums for all files), so the validation was "if you send a checksum, you have to send a checksum for everything". But that no longer makes sense.
To enable them again, you have to set `aether.checksums.omitChecksumsForExtensions` explicitly to an empty string (`""`)
Based on discussion here https://github.com/slipset/deps-deploy/pull/53, linked from this thread: https://clojurians.slack.com/archives/C0H28NMAS/p1679955780176239 (no need to read that thread, just linking for completeness)
I created https://github.com/clojars/clojars-web/issues/859 to fix this, but I'm not sure when I'll be able to get to it.
For those using raw maven, here is the fix: Edit your ~/.m2/settings.xml, and add this section:
<settings>
  ...
  <profiles>
    <profile>
      <id>checksums</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <aether.checksums.omitChecksumsForExtensions></aether.checksums.omitChecksumsForExtensions>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>checksums</activeProfile>
  </activeProfiles>
</settings>