How much do GPG signatures matter on Clojars artifacts? 🧵
As I was preparing the https://clojurians.slack.com/archives/C0GQAAKA9/p1761409069083369?thread_ts=1760809134.202389&cid=C0GQAAKA9, I realized I had lost the GPG key I signed with in the past.
lein deploy clojars defaulted to a different GPG keypair. But I have never shared the public key of that pair.
So the release artifacts are signed, but with a key that no one can verify.
Which got me thinking: Does anyone actually verify GPG signatures on release artifacts?
and if I wanted to verify signatures, where would I find the public keys?
No, no one verifies signatures
And one of the main reasons is that finding the public keys is a) a treasure hunt of public key servers and b) how do you know if that's the key to trust?
For Clojure core and contrib, the key info is documented here: https://clojure.org/releases/download_key
Ha! I remember creating that key. laughcry
It's "version 2" because I accidentally uploaded the first one somewhere it could have been exposed.
:)
One of the things I liked about switching from lein to boot (and then to deps.edn etc) was not having to deal with GPG any more
My Clojars username is stuartsierra. I would like to replace that. Should I just create a new account?
I will continue to deploy new versions of existing projects under the groupId com.stuartsierra but I will start using a different groupId for new projects.
The easiest thing to do would be to create a new account, then add that new account to your existing groups as an admin. However, I can easily rename the old account if you prefer that. It would still have the net.clojars.stuartsierra and org.clojars.stuartsierra groups, but would gain (net|org).clojars.<new-name> as well.
That's what I was thinking I would do (new account added to old groups). Thanks!
My pleasure!