Fork me on GitHub
#perun
<
2016-01-18
>
juhoteperi00:01:20

And I think it would make sense to keep built-in tasks to minimum and provide this kind of tasks as separate packages.

podviaznikov00:01:37

I remember @micha was talking at some point about using either contentful or https://prismic.io/ with perun

podviaznikov00:01:33

@juhoteperi: so I have

(import java.io.File)

(configure-repositories!
 (fn [m]
   (merge m (some (fn [[regex cred]] (if (re-find regex (:url m)) cred))
                  (gpg-decrypt
                   (
                    (System/getProperty "user.home") ".lein/credentials.clj.gpg")
                   :as :edn)))))
in my profile.boot. Now when I run boot I get
java.lang.AssertionError: Assert failed: gpg: no valid OpenPGP data found.
                            gpg: decrypt_message failed: Unknown system error

                            (zero? exit)
                 boot.gpg/decrypt                          gpg.clj:   73
            boot.core/gpg-decrypt                         core.clj:  937

podviaznikov00:01:39

have you seen that before?

juhoteperi00:01:21

Something with your gpg setup

juhoteperi00:01:39

Have you tried running gpg --decrypt ~/.lein/credentials.clj.gpg?

podviaznikov00:01:30

same problem. I see it’s not encrypted

juhoteperi00:01:36

gpg --default-recipient-self --encrypt ~/.lein/credentials.clj > ~/.lein/credentials.clj.gpg

juhoteperi00:01:08

Also, at least vim and emacs have plugins for editing encrypted files transparently

podviaznikov00:01:05

I think I just encrypted that boot/credentials.gpg file (decrypt worker) and followed instructions on the boot wiki

podviaznikov00:01:41

I pushed jar but I’m not 100% it was signed

podviaznikov00:01:46

how to check that?

juhoteperi00:01:15

by running boot show -v in project that uses perun

juhoteperi00:01:23

or no... what was the command...

juhoteperi00:01:06

oh right it's only on 2.6.0-SNAPSHOT

juhoteperi00:01:16

-v or --verify-deps

juhoteperi00:01:49

It shows as signed

juhoteperi00:01:56

❯ keybase pgp verify -i perun-0.3.0.jar -d perun-0.3.0.jar.asc
:arrow_forward: ERROR openpgp: signature made by unknown entity

podviaznikov00:01:17

yes, it’s signed

juhoteperi00:01:20

Doesn't look like you signed it with the key you have on keybase?

podviaznikov00:01:55

should I have used that one?

juhoteperi00:01:29

Well in general you should use a key which other people trust

podviaznikov00:01:50

That makes sense

juhoteperi00:01:02

Signature doesn't help anything if I don't know whose key it has been made with simple_smile

podviaznikov00:01:10

agree. Need to read how to use that key

juhoteperi00:01:14

But doesn't matter too much now, not too many people currently try to verify packages and the tooling is quite bad

podviaznikov00:01:38

and there is no way to unpublish from clojars as far as I remember, right?

juhoteperi00:01:11

But no need for that now

juhoteperi00:01:32

There is currently no tooling to check if the signatures are made by trusted party

podviaznikov00:01:28

yeah, I saw bites of discussion yesterday about it in the #C053K90BR channel

podviaznikov00:01:36

@juhoteperi: there is original flag already (https://github.com/hashobject/perun/blob/master/src/io/perun/markdown.clj#L68). So you can use that for filtering too

podviaznikov00:01:46

@pesterhazy did you build something with perun yet or just trying?

pesterhazy08:01:58

@podviaznikov: I'm building a blog, but it's taking me way too long. I'm slowed down by the content/styling part, not perun itself though

pesterhazy08:01:35

I actually used @martinklepsch's blog repo as a base, which worked well for me