Signing with SSH


Phil Hagelberg

Nov 26, 2022, 7:46:45 AM11/26/22
to clojars-maintainers
After some discussion about dependency confusion attacks, I've been
rethinking the way that Leiningen handles signing artifacts. At the time
this was added to Leiningen, GPG was pretty much the only viable option
for this kind of feature, so naturally we built out the best we could
using that.

However, despite making it a part of the default deploy process, uptake
was always very lukewarm. I attribute this to a combination of factors,
but the main one is the poor usability of GPG.

Recently SSH has added the ability to sign and verify files using your
existing SSH key. I think this could have a lot better chance of uptake
given that nearly every developer already has an SSH keypair, and nearly
every git host makes these easy to access:

    https://github.com/technomancy.keys
    https://gitlab.com/technomancy.keys
    https://codeberg.org/technomancy.keys
    https://meta.sr.ht/~technomancy.keys

So I've begun to add support in Leiningen for signing using SSH keys
upon deploying:

https://codeberg.org/leiningen/leiningen/commit/b633871f6ff8d22b63a05774dbeee125bbba925b (implementation)
https://codeberg.org/leiningen/leiningen/commit/8cb076dde5d76ac415ee32a04daef19cefd5830a (documentation)

I wonder if this would be of interest to others working in this space.
Happy to hear your comments or feedback.

-Phil
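As an added illustration of the sign-then-verify flow described above (this is example code, not Leiningen's implementation or anything from the linked commits): the script below signs a constructed stand-in for a deployed jar with a throwaway Ed25519 key using `ssh-keygen -Y sign`, builds an `allowed_signers` entry from the matching public key (the same key-type and base64 fields a `https://<host>/<user>.keys` endpoint serves), and verifies the artifact with `ssh-keygen -Y verify`. It then appends one byte to the artifact and confirms the old signature is rejected. The identity `releases@example.test`, the file names and the temp-dir layout are assumptions for the demo; it needs OpenSSH 8.0 or newer.

```shell
#!/bin/sh
# Added example, not Leiningen's own code: sign a release artifact with an SSH
# key via ssh-keygen -Y sign, then verify it against an allowed_signers list
# the way a consumer would. Requires OpenSSH 8.0 or newer. All paths, the
# signer identity and the "artifact" contents are constructed for the demo.
set -eu

# sign_artifact KEY FILE: writes a detached signature to FILE.sig.
# The namespace ("file" here) is bound into the signature; a verifier asking
# for a different namespace rejects it, so a file signature cannot be replayed
# in another SSH signing context.
sign_artifact() {
  ssh-keygen -Y sign -f "$1" -n file "$2"
}

# build_allowed_signers IDENTITY PUBKEY_FILE OUT: allowed_signers lines are
# "<principal> <key-type> <base64-key>". Key type and key are the first two
# fields of an OpenSSH .pub file, which is also the format of a /<user>.keys
# page on the git hosts listed in the message.
build_allowed_signers() {
  printf '%s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")" > "$3"
}

# verify_artifact ALLOWED_SIGNERS IDENTITY FILE: returns 0 only if FILE.sig is
# a valid signature over FILE, made in the "file" namespace, by a key that
# allowed_signers lists for IDENTITY. The file contents are read from stdin.
verify_artifact() {
  ssh-keygen -Y verify -f "$1" -I "$2" -n file -s "$3.sig" < "$3"
}

# demo: throwaway key, sign, verify, then show that a one-byte change is
# caught. Returns 0 only if the intact file verifies AND the tampered copy
# (same signature, modified bytes) is rejected.
demo() {
  work=$(mktemp -d)
  printf 'constructed jar bytes\n' > "$work/lib-1.0.0.jar"
  ssh-keygen -q -t ed25519 -N '' -f "$work/id_ed25519"   # stands in for ~/.ssh/id_ed25519
  sign_artifact "$work/id_ed25519" "$work/lib-1.0.0.jar"
  build_allowed_signers "releases@example.test" "$work/id_ed25519.pub" \
    "$work/allowed_signers"

  verify_artifact "$work/allowed_signers" "releases@example.test" \
    "$work/lib-1.0.0.jar" || { rm -rf "$work"; return 1; }

  # Tamper with the artifact but keep the old signature: verification must fail.
  printf 'X' >> "$work/lib-1.0.0.jar"
  if verify_artifact "$work/allowed_signers" "releases@example.test" \
       "$work/lib-1.0.0.jar" 2>/dev/null; then
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"
  return 0
}

if command -v ssh-keygen >/dev/null 2>&1; then
  demo && echo "signature verified; tampered copy rejected"
else
  echo "ssh-keygen not found; OpenSSH 8.0 or newer is needed" >&2
fi
```

The consumer-side check depends entirely on where the `allowed_signers` entry came from: fetching `https://<host>/<user>.keys` over TLS pins trust to the git host's account system rather than to a GPG web of trust, which is the usability trade the message is proposing.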