Re: [leiningen] Deploying without signing

Phil Hagelberg
2014-02-06 @ 22:37
Derek Brown writes:

> If I explicitly provide further args to deploy, no signing is done and
> the release goes ahead. For example:
> $ lein deploy releases target/provided/some-app-0.2.5.jar pom.xml
> Is it expected that the signing restriction is not in place when using
> the full version of the command?

Good question. The assumption is that the signing should be done by whoever
generated the jar. If you just downloaded a jar from the web or
something (especially if it contains bytecode) you probably shouldn't be
signing it since you probably have no way to verify it.

Granted there are exceptions; in those cases I'd recommend signing with
`gpg -ab myjar.jar` and just adding the .asc files to the list of files
to deploy. Perhaps we should have config or a task to make this easier,
but given that the gpg invocation is fairly simple I don't see it as a

Hope that makes sense.
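The manual signing route described in the reply, as an added shell example that is not part of the original thread or of Leiningen itself: it runs `gpg -ab` (the long form, `--armor --detach-sign`) on each artifact, verifies the resulting `.asc` against the artifact, and only then hands artifacts and signatures to the explicit form of `lein deploy`, which does no signing of its own. The repository name `releases`, the file paths, and a usable default secret key in gpg are assumptions; `deploy_args` refuses to build the argument list if any `.asc` is missing, so an unsigned artifact is never pushed by mistake. Verifying locally only proves the signature matches your own key; it says nothing about where the jar came from, which is the reply's point about not signing jars you cannot vouch for.

```shell
#!/bin/sh
# Added example, not code from the thread or from Leiningen.
# Signs each artifact with a detached ASCII-armored signature (gpg -ab, i.e.
# --armor --detach-sign), verifies it, and deploys artifacts plus .asc files
# with the explicit form of `lein deploy`, which does no signing of its own.
# Assumptions: gpg and lein are on PATH, gpg has a usable default secret key,
# and the repository name passed to deploy() is configured in project.clj.
set -eu

# sign_artifacts FILE...: write FILE.asc beside each FILE and verify it.
sign_artifacts() {
  for f in "$@"; do
    # --yes overwrites a stale .asc left behind by an earlier build.
    gpg --armor --detach-sign --yes --output "$f.asc" "$f"
    # Catch a truncated or mismatched signature before anything is uploaded.
    gpg --verify "$f.asc" "$f"
  done
}

# deploy_args FILE...: print each FILE followed by FILE.asc, one per line.
# Fails if an artifact or its signature is missing, so the deploy command
# is never assembled with an unsigned artifact in it.
deploy_args() {
  for f in "$@"; do
    [ -f "$f" ] || { echo "missing artifact: $f" >&2; return 1; }
    [ -f "$f.asc" ] || { echo "missing signature: $f.asc" >&2; return 1; }
    printf '%s\n%s\n' "$f" "$f.asc"
  done
}

# deploy REPO FILE...: sign, verify, then run the explicit deploy command.
deploy() {
  repo=$1
  shift
  sign_artifacts "$@"
  # Assigning first means a deploy_args failure aborts under set -e instead
  # of being swallowed inside the command substitution.
  args=$(deploy_args "$@")
  # Intentionally unquoted: one argument per line of $args (paths containing
  # whitespace are not supported by this script).
  lein deploy "$repo" $args
}

# Usage: sh sign-and-deploy.sh releases target/provided/some-app-0.2.5.jar pom.xml
if [ "$#" -ge 2 ]; then
  deploy "$@"
fi
```

Run it with the repository name first and the artifacts after, exactly as in the quoted `lein deploy` command; the `.asc` files are generated next to each artifact and appended to the argument list automatically.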