Using GPG with lein deploy
I used gpg2 --gen-key to create a key. I chose 4096-bit RSA with a 27-month expiration. (I plan to renew my key every 2 years, with a 3-month grace period.) For the comment field I used "software signing". Now I can see it in my key list:
gpg2 --list-keys McCormack
pub 4096R/00D85767 2013-01-21 [expires: 2015-04-11]
uid Tim McCormack (software signing) <cortex@brainonfire.net>
For ease of use, you'll probably want gpg-agent running so that you don't have to enter your passphrase every single time. In my case, I have
eval $(gpg-agent --daemon)
in my ~/.bash_profile file.
Let's start using GPG.
Whereas lein push used an SSH key to authenticate with Clojars, lein deploy asks for a username and password (allowing access to a wider range of repositories). Instead of asking for your credentials every time, Leiningen supports reading them from an encrypted file on disk.
To minimize the chances of my credentials hitting the disk unencrypted at any point, I composed the contents in a text editor:
{#"^https://clojars\.org/.*"
{:username "timmc" :password "totally my actual passw0rd"}}
Then I ran this (from my home directory, so the file lands in ~/.lein/, where Leiningen looks for it):
gpg2 --encrypt --armor --recipient 00D85767 > .lein/credentials.clj.gpg
...and pasted the contents into the terminal, hitting C-d to finish.
(If you already have a key for personal use, you might consider using that instead for encrypting the deployment credentials, for defense-in-depth.)
Set up your user profile in ~/.lein/profiles.clj to specify how your Clojars credentials are to be retrieved:
{:user {:repositories [["clojars" {:creds :gpg}]]}}
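As an added sanity check (my own script, not part of the original post or of Leiningen), here is a small shell function that inspects a ~/.lein directory set up as above: it makes sure no plaintext credentials.clj was left behind, that credentials.clj.gpg is owner-only and really is the ASCII-armored output of gpg --armor, and that profiles.clj tells Leiningen to use {:creds :gpg}. The directory argument and the check names are my own choices.

```shell
# Check a ~/.lein directory after setting up encrypted Clojars credentials.
# Usage: check_lein_creds [dir]   (defaults to $HOME/.lein)
check_lein_creds() {
  dir="${1:-$HOME/.lein}"
  status=0

  # 1. A leftover plaintext credentials.clj defeats the point of encrypting.
  if [ -e "$dir/credentials.clj" ]; then
    echo "FAIL: plaintext $dir/credentials.clj exists; remove it securely" >&2
    status=1
  fi

  # 2. The encrypted file must exist and be readable only by its owner.
  enc="$dir/credentials.clj.gpg"
  if [ ! -f "$enc" ]; then
    echo "FAIL: $enc is missing" >&2
    return 1
  fi
  # GNU stat first, BSD/macOS stat as the fallback.
  mode=$(stat -c '%a' "$enc" 2>/dev/null || stat -f '%Lp' "$enc")
  case "$mode" in
    600|400) ;;
    *) echo "FAIL: $enc has mode $mode; expected 600" >&2; status=1 ;;
  esac

  # 3. gpg --encrypt --armor output begins with this header; anything else
  #    suggests the wrong content was redirected into the .gpg path.
  if ! head -n 1 "$enc" | grep -q '^-----BEGIN PGP MESSAGE-----$'; then
    echo "FAIL: $enc is not an ASCII-armored PGP message" >&2
    status=1
  fi

  # 4. profiles.clj must point Leiningen at the gpg-encrypted credentials.
  if ! grep -q ':creds :gpg' "$dir/profiles.clj" 2>/dev/null; then
    echo "FAIL: $dir/profiles.clj does not set {:creds :gpg}" >&2
    status=1
  fi

  [ "$status" -eq 0 ] && echo "OK: $dir looks sane"
  return "$status"
}
```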
By signing your releases, you can help ensure a safer ecosystem. We don't yet (2013-03-17) have the tooling to automatically check signatures on dependencies against a keyring, but that tooling won't be useful until people start signing. So let's do that!
First, I tell Clojars my public key so that my signed jars are eligible for promotion. I pasted the output of this command into the PGP public key field in Clojars:
gpg -a --export 0x00D85767
Next, I specify my signing key in my user profile:
{:user {:repositories [["clojars" {:creds :gpg}]]
;; This can also be specified per-repository
:signing {:gpg-key "0x00D85767"}}}
Finally, time to deploy:
lein deploy clojars
How can I paste my public key to clojars? (Can't find the page...)