Authenticate deployed artifacts

Description

clojure-tools artifacts are published unauthenticated, which is a security risk, especially for the linux install.

One simple approach would be to output a checksum file and sign the checksum file. I recommend not signing with openssl or pgp, and deferring to a simple tool like signify.

Environment

None

Activity

Show:
Jason Whitlark
November 6, 2018, 2:22 AM

I agree. It would be especially useful to publish it on https://clojure.org/guides/getting_started

The tarball that's downloaded as the base for the script also does not authenticate its source.

Assignee

Alex Miller

Reporter

Ghadi Shayban

Labels

Approval

None

Patch

None

Priority

Major