clojars

Lambda/Sierra 2025-10-26T16:36:05.167609Z

How much do GPG signatures matter on Clojars artifacts? 🧵

Lambda/Sierra 2025-10-26T16:36:34.147019Z

As I was preparing the https://clojurians.slack.com/archives/C0GQAAKA9/p1761409069083369?thread_ts=1760809134.202389&cid=C0GQAAKA9, I realized I had lost the GPG key I signed with in the past.

Lambda/Sierra 2025-10-26T16:37:34.228119Z

lein deploy clojars defaulted to a different GPG keypair. But I have never shared the public key of that pair.

Lambda/Sierra 2025-10-26T16:40:00.073319Z

So the release artifacts are signed, but with a key that no one can verify.

Lambda/Sierra 2025-10-26T16:40:40.481039Z

Which got me thinking: Does anyone actually verify GPG signatures on release artifacts?

Lambda/Sierra 2025-10-26T16:41:20.607719Z

and if I wanted to verify signatures, where would I find the public keys?

Alex Miller (Clojure team) 2025-10-26T16:44:59.882059Z

No, no one verifies signatures

Alex Miller (Clojure team) 2025-10-26T16:45:57.760059Z

And one of the main reasons is that finding the public keys is a) a treasure hunt of public key servers and b) how do you know if that’s the key to trust?

Alex Miller (Clojure team) 2025-10-26T16:47:24.678039Z

For Clojure core and contrib, the key info is documented here: https://clojure.org/releases/download_key

Lambda/Sierra 2025-10-26T16:48:50.861439Z

Ha! I remember creating that key. laughcry

Lambda/Sierra 2025-10-26T16:50:22.687109Z

It's "version 2" because I accidentally uploaded the first one somewhere it could have been exposed. 😅

Alex Miller (Clojure team) 2025-10-26T16:51:25.387359Z

:)

seancorfield 2025-10-26T19:32:12.273139Z

One of the things I liked about switching from lein to boot (and then to deps.edn etc) was not having to deal with GPG any more 🙂

Lambda/Sierra 2025-10-26T17:26:33.671199Z

My Clojars username is stuartsierra. I would like to replace that. Should I just create a new account?

Lambda/Sierra 2025-10-26T17:27:15.532899Z

I will continue to deploy new versions of existing projects under the groupId com.stuartsierra but I will start using a different groupId for new projects.

2025-10-26T22:47:03.276469Z

The easiest thing to do would be to create a new account, then add that new account to your existing groups as an admin. However, I can easily rename the old account if you prefer that. It would still have the net.clojars.stuartsierra and org.clojars.stuartsierra groups, but would gain (net|org).clojars.<new-name> as well.

Lambda/Sierra 2025-10-27T00:02:28.433879Z

That's what I was thinking I would do (new account added to old groups). Thanks!

2025-10-27T00:36:45.352389Z

My pleasure!