This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2020-12-27
Channels
- # adventofcode (7)
- # announcements (31)
- # babashka (15)
- # beginners (14)
- # calva (45)
- # circleci (6)
- # clojure (27)
- # clojure-europe (19)
- # clojure-france (2)
- # clojure-gamedev (4)
- # clojure-uk (2)
- # clojurescript (26)
- # conjure (14)
- # data-science (6)
- # deps-new (7)
- # depstar (4)
- # emacs (13)
- # events (1)
- # fulcro (20)
- # graalvm (2)
- # hoplon (30)
- # joker (11)
- # london-clojurians (1)
- # malli (26)
- # pathom (2)
- # re-frame (13)
- # reagent (8)
- # reclojure (3)
- # reveal (8)
- # robots (4)
- # shadow-cljs (29)
- # sql (5)
- # tools-deps (28)
- # vim (4)
Wow, I think I spent the better part of a lot of time trying to make lein sign stuff before deploying to clojars.
Basically followed this guide here https://joemiller.me/2019/07/signing-releases-with-a-gpg-project-key/ but the last hurdle to present itself was managing to create a key that was not passphrase protected.
I’m sure @dominicm will mock me till the end of time for having keys without passphrases, but that’s the only way I could think of getting this to work in Circle.
And the solution to the problem? Create a key with a passphrase, then run
gpg --pinentry-mode loopback --passwd $KEYID
There's a threat model here. But the barrier of compromising circle is a somewhat fair one, but one that seems like it might have risks associated.
@borkdude I know. But I couldn’t let my self not sign jars if one of the reasons was that I simply couldn’t make it happen :)
My main goal was to move artefact building and deployments off my computer and onto circle.