Re: [leiningen] Deploying without signing
- Phil Hagelberg
- 2014-02-06 @ 22:37
Derek Brown writes:
> If I explicitly provide further args to deploy, no signing is done and
> the release goes ahead. For example:
> $ lein deploy releases com.foo/some-app-0.2.5
> Is it expected that the signing restriction is not in place when using
> the full version of the command?

Good question. The assumption is that the signing should be done by whoever
generated the jar. If you just downloaded a jar from the web or
something (especially if it contains bytecode) you probably shouldn't be
signing it since you probably have no way to verify it.

Granted there are exceptions; in those cases I'd recommend signing with
`gpg -ab myjar.jar` and just adding the .asc files to the list of files
to deploy. Perhaps we should have config or a task to make this easier,
but given that the gpg invocation is fairly simple I don't see it as a
Hope that makes sense.