Authenticate deployed artifacts
Description
Environment
None
Activity
Alex Miller June 25, 2021 at 8:34 PM
Alex Miller
June 25, 2021 at 8:34 PM
The linux script and tar.gz is downloaded via https (and have been as long as I can remember).
It would be useful to provide checksum or signature, but moving this to backlog for now.
Jason Whitlark November 6, 2018 at 2:22 AM
Jason Whitlark
November 6, 2018 at 2:22 AM
I agree. It would be especially useful to publish it on https://clojure.org/guides/getting_started
The tarball that's downloaded as the base for the script also does not authenticate its source.
clojure-tools artifacts are published unauthenticated, which is a security risk, especially for the linux install.
One simple approach would be to output a checksum file and sign the checksum file. I recommend not signing with openssl or pgp, and deferring to a simple tool like signify.