librelist archives


Re: [leiningen] Deploying without signing

From:
Phil Hagelberg
Date:
2014-02-06 @ 22:37
Derek Brown writes:

> If I explicitly provide further args to deploy, no signing is done and
> the release goes ahead. For example:
>
> $ lein deploy releases com.foo/some-app-0.2.5 target/provided/some-app-0.2.5.jar pom.xml
>
> Is it expected that the signing restriction is not in place when using
> the full version of the command?

Good question. The assumption is that the signing should be done by whoever
generated the jar. If you just downloaded a jar from the web or
something (especially if it contains bytecode) you probably shouldn't be
signing it since you probably have no way to verify it.

Granted there are exceptions; in those cases I'd recommend signing with
`gpg -ab myjar.jar` and just adding the .asc files to the list of files
to deploy. Perhaps we should have config or a task to make this easier,
but given that the gpg invocation is fairly simple I don't see it as a
priority.

Hope that makes sense.

-Phil
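The workflow Phil sketches (sign the jar and pom by hand with `gpg -ab`, then append the resulting `.asc` files to the deploy file list) written out as a small POSIX shell script. This is an added example, not code from the thread or from Leiningen itself. It assumes the repository alias `releases`, the coordinates and file paths from Derek's command (the argument order is copied from his command; check `lein help deploy` for your Leiningen version), the default GPG signing key, and it includes a throwaway keyring generator so the sign/verify steps can be exercised offline; that helper is for demonstration only and must not be used for a real deploy.

```shell
#!/bin/sh
# Added example (not from the original mail thread): manual signing of
# artifacts before `lein deploy`, following Phil's `gpg -ab myjar.jar` advice.
set -eu

# sign_artifacts FILE...
# Writes FILE.asc next to each FILE: a detached (-b), ASCII-armored (-a)
# OpenPGP signature made with the default secret key. Fails if a file is missing.
sign_artifacts() {
    for f in "$@"; do
        [ -f "$f" ] || { echo "sign_artifacts: no such file: $f" >&2; return 1; }
        gpg --yes -ab "$f"
    done
}

# verify_artifacts FILE...
# Checks every FILE against FILE.asc with the keys in the current keyring.
# Returns non-zero on a missing or invalid signature, so a tampered jar
# never reaches the deploy step.
verify_artifacts() {
    for f in "$@"; do
        gpg --batch --verify "$f.asc" "$f" 2>/dev/null \
            || { echo "verify_artifacts: bad or missing signature for $f" >&2; return 1; }
    done
}

# deploy_signed REPO IDENTIFIER JAR POM
# Derek's deploy command with the two .asc files appended, as Phil suggests.
# The signatures are re-verified first; a failure aborts before lein runs.
deploy_signed() {
    repo=$1; ident=$2; jar=$3; pom=$4
    verify_artifacts "$jar" "$pom" || return 1
    lein deploy "$repo" "$ident" "$jar" "$pom" "$jar.asc" "$pom.asc"
}

# make_demo_keyring
# DEMO ONLY (assumption, not something the thread recommends): creates a
# temporary GNUPGHOME holding one passphrase-less key so the functions above
# can be tried without touching a real key. Prints the directory; the caller
# exports it as GNUPGHOME. Never sign a real release with a key like this.
make_demo_keyring() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    GNUPGHOME=$dir gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never \
        >/dev/null 2>&1
    echo "$dir"
}

# Usage (real key, real deploy), run from the project directory:
#   sign_artifacts target/provided/some-app-0.2.5.jar pom.xml
#   deploy_signed releases com.foo/some-app-0.2.5 target/provided/some-app-0.2.5.jar pom.xml
```

`sign_artifacts` deliberately does not pass `--batch`, so gpg-agent can still prompt for the passphrase of a real key; `verify_artifacts` does, because verification must never block. The verify step in `deploy_signed` also catches the case Phil warns about: if the jar on disk is not the one you built and signed, the signature check fails and nothing is deployed.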