
@timmc
Last active December 16, 2016 00:12
Deployment example in Leiningen

Using GPG with lein deploy

First, a keypair

I used gpg2 --gen-key to create a key. I chose 4096-bit RSA with a 27-month expiration. (I plan to renew my key every 2 years, with a 3-month grace period.) For the comment field I used "software signing".

Now I can see it in my key list:

gpg2 --list-keys McCormack

pub   4096R/00D85767 2013-01-21 [expires: 2015-04-11]
uid                  Tim McCormack (software signing) <cortex@brainonfire.net>

For ease of use, you'll probably want gpg-agent running so that you don't have to enter your passphrase every single time. In my case, I have eval $(gpg-agent --daemon) in my ~/.bash_profile file.

Let's start using GPG.

Deployment credentials

Whereas lein push used an SSH key to authenticate with Clojars, lein deploy asks for a username and password (allowing access to a wider range of repositories). Instead of asking for your credentials every time, Leiningen supports reading them from an encrypted file on disk.

To minimize the chances of my credentials hitting the disk unencrypted at any point, I composed the contents in a text editor:

{#"^https://clojars\.org/.*"
 {:username "timmc" :password "totally my actual passw0rd"}}

Then I ran this:

gpg2 --encrypt --armor --recipient 00D85767 > .lein/credentials.clj.gpg

...and pasted the contents into the terminal, hitting C-d to finish.

(If you already have a key for personal use, you might consider using that instead for encrypting the deployment credentials, for defense-in-depth.)

Set up your user profile in ~/.lein/profiles.clj to specify how your Clojars credentials are to be retrieved:

{:user {:repositories [["clojars" {:creds :gpg}]]}}
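To make concrete what :creds :gpg has to do behind the scenes, here is an added illustration (my own sketch, not Leiningen's code): decrypt the file into memory by shelling out to gpg, read it with the Clojure reader, and pick the entry whose key matches the repository URL. It assumes gpg is on PATH and gpg-agent holds the passphrase as described above; the credentials text at the bottom is a constructed sample with placeholder passwords.

```clojure
(ns gpg-creds-example
  "Added example for this gist, not Leiningen's own code: what a `:creds :gpg`
   lookup has to do, from decrypting the file to matching the repository URL."
  (:require [clojure.java.shell :as sh]))

(defn parse-credentials
  "Read the decrypted credentials text with the Clojure reader (not clojure.edn,
   because regex literals #\"...\" used as keys are not EDN). *read-eval* is
   disabled so the credentials file cannot run code when read."
  [text]
  (binding [*read-eval* false]
    (read-string text)))

(defn decrypt-credentials
  "Decrypt the GPG-encrypted credentials file straight into memory. Assumes gpg
   on PATH and a running gpg-agent; the plaintext never touches disk."
  [path]
  (let [{:keys [exit out err]} (sh/sh "gpg" "--quiet" "--batch" "--decrypt" "--" path)]
    (when-not (zero? exit)
      (throw (ex-info "gpg decryption failed" {:path path :exit exit :stderr err})))
    (parse-credentials out)))

(defn- key-matches?
  "A string key must equal the repository URL exactly; a regex key is tested with
   re-find, which is why the pattern above is anchored with ^ so that a URL on
   some other host that merely contains clojars.org cannot receive the secret."
  [k url]
  (cond (string? k)                           (= k url)
        (instance? java.util.regex.Pattern k) (boolean (re-find k url))
        :else                                 false))

(defn credentials-for
  "Return the {:username .. :password ..} map of the first entry whose key
   matches url, or nil when no entry applies."
  [creds url]
  (some (fn [[k v]] (when (key-matches? k url) v)) creds))

;; Constructed sample with the same shape as the plaintext above. Passwords are
;; placeholders; the second entry shows an exact-string key for contrast.
(def sample-credentials-text
  "{#\"^https://clojars\\.org/.*\" {:username \"timmc\" :password \"PLACEHOLDER\"}
    \"https://repo.example.invalid/releases\" {:username \"ci\" :password \"PLACEHOLDER\"}}")

(defn -main [& _]
  (let [creds (parse-credentials sample-credentials-text)]
    ;; The \"clojars\" repository URL matches the anchored regex entry.
    (println (:username (credentials-for creds "https://clojars.org/repo")))
    ;; Same host embedded in another URL: the ^ anchor keeps it from matching.
    (println (credentials-for creds "https://evil.example.invalid/?u=https://clojars.org/"))
    ;; Exact-string key: a trailing slash is a different URL, so nil, not a partial match.
    (println (credentials-for creds "https://repo.example.invalid/releases/"))
    ;; Real use would start from the encrypted file instead of the sample text:
    ;; (credentials-for (decrypt-credentials
    ;;                    (str (System/getProperty "user.home") "/.lein/credentials.clj.gpg"))
    ;;                  "https://clojars.org/repo")
    ))
```

The main thing to take from this is the matching rule: an unanchored pattern such as #"clojars\.org" would hand your password to any repository whose URL happens to contain that string, so keep the ^ and the scheme in the key.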

Signing

By signing your releases, you can help ensure a safer ecosystem. We don't yet (2013-03-17) have the tooling to automatically check signatures on dependencies against a keyring, but that tooling won't be useful until people start signing. So let's do that!

First, I tell Clojars my public key so that my signed jars are eligible for promotion. I pasted the output of this command into the PGP public key field in Clojars:

gpg -a --export 0x00D85767

Next, I specify my signing key in my user profile:

{:user {:repositories [["clojars" {:creds :gpg}]]
        ;; This can also be specified per-repository
        :signing {:gpg-key "0x00D85767"}}}
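Since the point of signing is that someone can later check the signature against a known key, here is an added sketch (mine, not Leiningen's or Clojars' tooling) of the consumer side: run gpg --verify on a jar and its detached .asc, read gpg's machine-readable status lines, and accept only when the VALIDSIG fingerprint equals a pinned one. A "good" signature from some other key is rejected, which is exactly what a keyring-based dependency check would need. It assumes gpg on PATH and the signer's public key already imported; the status lines at the bottom are constructed samples with placeholder fingerprints.

```clojure
(ns gpg-verify-example
  "Added example for this gist, not Leiningen's or Clojars' code: verify a jar
   against its detached .asc and pin the expected signing key's fingerprint."
  (:require [clojure.java.shell :as sh]
            [clojure.string :as str]))

(defn status-lines
  "Run gpg --verify and return its status lines. --status-fd 1 sends the
   '[GNUPG:] ...' protocol lines to stdout while human-readable text goes to
   stderr, so the result is stable to parse across gpg versions and locales."
  [sig-path file-path]
  (let [{:keys [out]} (sh/sh "gpg" "--batch" "--status-fd" "1" "--verify" "--" sig-path file-path)]
    (->> (str/split-lines out)
         (filter #(str/starts-with? % "[GNUPG:] ")))))

(defn parse-validsig
  "Return the 40-hex-digit fingerprint from a VALIDSIG status line, or nil when
   gpg did not report a valid signature (BADSIG, ERRSIG, NO_PUBKEY, ...).
   Line format: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <rsvd>
                <pk-algo> <hash-algo> <class> [<primary-key-fpr>]"
  [lines]
  (some (fn [line]
          (when-let [[_ fpr] (re-matches #"\[GNUPG:\] VALIDSIG ([0-9A-F]{40})(?: .*)?" line)]
            fpr))
        lines))

(defn signed-by?
  "True only when the signature is valid AND made by the pinned key. Comparing
   the full fingerprint, not the short 8-digit key ID, avoids key-ID collisions."
  [expected-fpr lines]
  (let [fpr (parse-validsig lines)]
    (and (some? fpr) (= (str/upper-case expected-fpr) fpr))))

(defn verify-jar
  "Check <jar-path>.asc against <jar-path> with the pinned fingerprint."
  [jar-path expected-fpr]
  (signed-by? expected-fpr (status-lines (str jar-path ".asc") jar-path)))

;; Constructed sample status output in the shape gpg emits; fingerprints and
;; key IDs are placeholders, not any real key.
(def pinned-fpr "0123456789ABCDEF0123456789ABCDEF01234567")

(def sample-good-status
  ["[GNUPG:] NEWSIG"
   "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>"
   (str "[GNUPG:] VALIDSIG " pinned-fpr " 2013-03-17 1363478400 0 4 0 1 8 00 " pinned-fpr)])

(def sample-other-key-status
  ["[GNUPG:] NEWSIG"
   "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>"
   "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-03-17 1363478400 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98"])

(def sample-bad-status
  ["[GNUPG:] NEWSIG"
   "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>"])

(defn -main [& _]
  (println (signed-by? pinned-fpr sample-good-status))       ; true
  (println (signed-by? pinned-fpr sample-other-key-status))  ; false: valid, wrong key
  (println (signed-by? pinned-fpr sample-bad-status))        ; false: tampered file
  ;; Real use: (verify-jar "target/mylib-1.0.0.jar" pinned-fpr)
  )
```

Note that gpg itself exits 0 for any valid signature from a key in your keyring, trusted or not, so the fingerprint comparison is what ties the artifact to the key you actually meant.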

Deploy!

Finally, time to deploy:

lein deploy clojars

@iku000888

How can I paste my public key to clojars? (Can't find the page...)
