morning

Morning

Wow, I think I spent the better part of a lot of time trying to make lein sign stuff before deploying to clojars.

Seems like I finally managed.

Basically followed this guide here https://joemiller.me/2019/07/signing-releases-with-a-gpg-project-key/ but the last hurdle to present itself was managing to create a key that was not passphrase protected.

I’m sure @dominicm will mock me till the end of time for having keys without passphrases, but that’s the only way I could think of getting this to work in Circle.

And the solution to the problem? Create a key with a passphrase, then run

gpg --pinentry-mode loopback --passwd $KEYID

There's a threat model here. But the barrier of compromising circle is a somewhat fair one, but one that seems like it might have risks associated.

@slipset almost nobody signs releases on clojars.

https://quanttype.net/posts/2020-07-26-signing-jars-is-worthless.html

@borkdude I know. But I couldn’t let my self not sign jars if one of the reasons was that I simply couldn’t make it happen :)

Now that I’ve achieved it, I feel free to skip it.

lol

good morning btw!

My main goal was to move artefact building and deployments off my computer and onto circle.

The most obvious reason is that we then all know what was built, but the other reason is Clojure libs with java sources. I think ( happy to be proven wrong) that they should be compiled with 1.8 class generation if they are to be as backwards compatible as Clojure.

Morning

This is fairly easy on Circle, but too much pain on my machine.

And, good morning :)