Fork me on GitHub
#clojure-europe
<
2020-12-27
>
slipset17:12:16

Wow, I think I spent the better part of a lot of time trying to make lein sign stuff before deploying to clojars.

slipset17:12:34

Seems like I finally managed.

slipset17:12:31

Basically followed this guide here https://joemiller.me/2019/07/signing-releases-with-a-gpg-project-key/ but the last hurdle to present itself was managing to create a key that was not passphrase protected.

slipset17:12:11

I’m sure @dominicm will mock me till the end of time for having keys without passphrases, but that’s the only way I could think of getting this to work in Circle.

slipset17:12:01

And the solution to the problem? Create a key with a passphrase, then run

gpg --pinentry-mode loopback --passwd $KEYID

dominicm18:12:20

There's a threat model here. But the barrier of compromising circle is a somewhat fair one, but one that seems like it might have risks associated.

borkdude18:12:50

@slipset almost nobody signs releases on clojars.

slipset18:12:59

@borkdude I know. But I couldn’t let my self not sign jars if one of the reasons was that I simply couldn’t make it happen :)

slipset18:12:21

Now that I’ve achieved it, I feel free to skip it.

borkdude18:12:02

good morning btw!

slipset18:12:13

My main goal was to move artefact building and deployments off my computer and onto circle.

slipset18:12:49

The most obvious reason is that we then all know what was built, but the other reason is Clojure libs with java sources. I think ( happy to be proven wrong) that they should be compiled with 1.8 class generation if they are to be as backwards compatible as Clojure.

slipset18:12:19

This is fairly easy on Circle, but too much pain on my machine.

slipset18:12:54

And, good morning :)

😂 3