clojars / clojars-web

A community repository for open-source Clojure libraries
https://clojars.org
Eclipse Public License 1.0

Support for SSH signatures #863

Closed valpackett closed 1 year ago

valpackett commented 1 year ago

Leiningen 2.10.0 has introduced support for making SSH signatures instead of PGP ones; however, trying to deploy to Clojars when using them results in 400 errors:

Sending clj-http-fake/clj-http-fake/1.0.4/clj-http-fake-1.0.4.jar.sig (1k)
    to https://repo.clojars.org/
Could not transfer artifact clj-http-fake:clj-http-fake:jar.sig:1.0.4 from/to clojars (https://repo.clojars.org/): transfer failed for https://repo.clojars.org/clj-http-fake/clj-http-fake/1.0.4/clj-http-fake-1.0.4.jar.sig, status: 400 Bad Request

So evidently some work is required to support these…

tobias commented 1 year ago

Interesting! It looks like 2.10.0 was released in December, so I'm surprised we haven't had this reported before now.

The primary issue here is the repo route doesn't support .sig files: https://github.com/clojars/clojars-web/blob/main/src/clojars/routes/repo.clj#L516

They may also need to be excluded from checksum validation here: https://github.com/clojars/clojars-web/blob/main/src/clojars/routes/repo.clj#L265

And this function should probably be extended to check for them in addition to .asc files: https://github.com/clojars/clojars-web/blob/main/src/clojars/routes/repo.clj#L276

I'd be happy to accept a PR for this; it may be a bit before I can get to it myself.

tobias commented 1 year ago

SSH signing support has been implemented and released.