
Use gpg binary for signing and reading credentials from encrypted file #311

Merged
merged 2 commits into from
Nov 8, 2015

Conversation

Deraen (Contributor) commented Oct 18, 2015

Copied the implementation from Leiningen.

  • Adds new :deploy-repositories env property. This is because it's
    probable that credentials between repositories differ for read and
    deploy.

Still needs some polishing.

@@ -59,13 +64,82 @@
:password password
:non-proxy-hosts (get-non-proxy-hosts)}))))

(defn ^{:boot/from :technomancy/leiningen} boot-home
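Review bot: `boot-home` at the end of this hunk is tagged `:boot/from :technomancy/leiningen` but has no docstring, and the inline comments on it ask whether the same lookup already exists in `boot.App`; because this directory decides which encrypted credentials file is decrypted and trusted, either document which environment variable and property it reads and in what order of precedence, or defer to the existing `boot.App` lookup once #317 is in, so there is a single source of truth for the location.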
Deraen (Contributor, Author) commented on this line:

Is this available somewhere already? App is at least reading the env variable.

Deraen (Contributor, Author) commented on this line:

Once #317 is merged, boot.App/bootdir should probably be used.


Deraen commented Oct 18, 2015

This is an alternative to #274

Btw. reading credentials from a file or other sources could be provided as a separate library, but I think deploy repositories should be separated in any case.


Deraen commented Oct 18, 2015

Ah, I almost forgot. There's a reason why it would be preferred to have support for reading credentials from file in Boot itself. With a plugin the use would look something like:

(set-env! :dependencies '[[deraen/boot-contrib-gpg "0.1.0-SNAPSHOT"]])
(require '[deraen.boot-contrib-gpg :refer [set-repositories! push-gpg]])

(set-repositories! [["my.datomic.com" {:url "https://my.datomic.com/repo"
                                       :creds :gpg}]])

(set-env! :dependencies '[rest of dependencies, including stuff from private repos])

It's quite verbose because the plugin has to be added before adding other dependencies.


Deraen commented Oct 23, 2015

  • All existing options should be kept for compatibility
  • If password is provided for deploy task, the password should be used at least for signing
    • Could either pass the password to GPG binary or use current implementation?
    • Keeping current implementation could be useful for cases where GPG isn't available?
  • Reading repository credentials is a new feature but it should probably also work with existing GPG options?
  • Deploy repositories should be moved to deploy task options
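The plugin snippet with `:creds :gpg` in the earlier comment and the option list above both describe the same two pieces of machinery: decrypting a credentials file with the gpg binary and using that binary (optionally with a task-supplied password) for signing. The following is an added illustration in the style of Leiningen's credentials.clj.gpg handling; it is not code from this PR or from boot-clj. The `BOOT_GPG` override variable, the `credentials.clj.gpg` file name under the boot home directory, and the function names (`read-credentials`, `resolve-credentials`, `sign-file`) are assumptions for the example.

```clojure
;; Added example (not the PR's or Boot's code). Assumed names: BOOT_GPG,
;; credentials.clj.gpg, read-credentials, resolve-credentials, sign-file.
(ns example.gpg-creds
  (:require [clojure.java.shell :as shell]
            [clojure.java.io :as io]))

(defn gpg-program
  "Path of the gpg executable; BOOT_GPG is an assumed override variable."
  []
  (or (System/getenv "BOOT_GPG") "gpg"))

(defn gpg
  "Run gpg with ARGS (trailing :in etc. go to clojure.java.shell/sh). A
  missing binary is reported as a failed exit instead of an exception."
  [& args]
  (try
    (apply shell/sh (gpg-program) args)
    (catch java.io.IOException e
      {:exit 1 :out "" :err (.getMessage e)})))

(defn credentials-file
  "Encrypted credentials file under BOOT-HOME (assumed layout, mirroring
  Leiningen's ~/.lein/credentials.clj.gpg)."
  [boot-home]
  (io/file boot-home "credentials.clj.gpg"))

(defn read-credentials
  "Decrypt FILE with gpg and read it as Clojure data. --batch forbids
  interactive prompts (the passphrase comes from gpg-agent) and --quiet keeps
  gpg's status output out of the plaintext. A non-zero exit yields nil and a
  message on stderr, so error text is never parsed as credentials. The reader
  runs with *read-eval* off so a tampered file cannot execute code."
  [file]
  (let [{:keys [exit out err]} (gpg "--quiet" "--batch" "--decrypt" "--" (str file))]
    (if (zero? exit)
      (binding [*read-eval* false] (read-string out))
      (binding [*out* *err*]
        (println "Could not decrypt credentials from" (str file))
        (println err)
        nil))))

(defn match-credentials
  "Credential map for REPO-URL: an exact URL key wins, else the first regex
  key that matches. Example file content (constructed):
  {\"https://my.datomic.com/repo\" {:username \"u\" :password \"p\"}
   #\"^https://repo\\.example\\.org/\" {:username \"ci\" :password \"s\"}}"
  [creds repo-url]
  (or (get creds repo-url)
      (some (fn [[k v]]
              (when (and (instance? java.util.regex.Pattern k)
                         (re-find k repo-url))
                v))
            creds)))

(defn resolve-credentials
  "Fill :username/:password for a repository entry such as
  [\"my.datomic.com\" {:url ... :creds :gpg}]; other entries pass through.
  Only this repository's entry is exposed, never the whole decrypted map."
  [creds-fn [id {:keys [url creds] :as settings}]]
  (if (= :gpg creds)
    (let [found (match-credentials (creds-fn) url)]
      (when-not found
        (binding [*out* *err*]
          (println "No credentials for" url "in the encrypted file")))
      [id (-> settings (dissoc :creds) (merge found))])
    [id settings]))

(defn sign-file
  "Write an ASCII-armoured detached signature FILE.asc with the gpg binary.
  Without :passphrase, gpg-agent handles key access. A passphrase supplied
  from a task option is fed on stdin via --passphrase-fd 0 instead of argv,
  where it would be visible in process listings; GnuPG 2.1+ additionally
  needs --pinentry-mode loopback for that. Throws on a non-zero exit."
  [file {:keys [gpg-key passphrase]}]
  (let [sig  (str file ".asc")
        args (concat ["--batch" "--yes" "--armor" "--detach-sign" "-o" sig]
                     (when gpg-key ["--local-user" gpg-key])
                     (when passphrase ["--pinentry-mode" "loopback"
                                       "--passphrase-fd" "0"])
                     ["--" (str file)]
                     (when passphrase [:in passphrase]))
        {:keys [exit err]} (apply gpg args)]
    (when-not (zero? exit)
      (throw (ex-info (str "gpg signing of " file " failed")
                      {:exit exit :err err})))
    sig))

(comment
  ;; Decrypt once (memoize) and resolve the repository from the plugin snippet.
  (let [creds (memoize #(read-credentials
                          (credentials-file
                            (io/file (System/getProperty "user.home") ".boot"))))]
    (map (partial resolve-credentials creds)
         [["my.datomic.com" {:url "https://my.datomic.com/repo" :creds :gpg}]
          ["clojars" {:url "https://clojars.org/repo/"}]]))
  (sign-file "target/my-lib-0.1.0.jar" {:gpg-key "ABCD1234"}))
```

Two points worth noting for anyone wiring this up: the exit code of the gpg process is the only reliable signal, so a decryption failure must short-circuit rather than fall through to `read-string`, and a caller that still wants the old behaviour when gpg is unavailable (the second bullet above) can dispatch on the `:exit 1` map the `gpg` wrapper returns for a missing binary.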


Deraen commented Oct 23, 2015

Looks like it would be possible to extend Bouncy Castle's PGP library with a PassphraseLoader which would retrieve the key from gpg-agent: https://github.com/kohsuke/pgp-maven-plugin/blob/master/src/main/java/org/kohsuke/maven/pgp/loaders/GpgAgentPassPhraseLoader.java

Would only work for Unix systems but Windows users could anyway use the task options.


Deraen commented Oct 24, 2015

This should now support all existing options, though gpg-keyring is deprecated.

@danielsz What was the use case for providing GPG options through environment variables in another PR? Should I implement that also, or is using gpg binary enough?

danielsz (Contributor) commented:

@Deraen Off the top of my head, the environment variables are redundant if gpg-agent is used, because it knows who the user is, what the signing key is, etc...
In the other PR, all this was "guessed", and the environment variables were meant to override the "guessing" when it was wrong. For example, when subkeys are used.

https://wiki.debian.org/Subkeys


Deraen commented Oct 27, 2015

Rebased and updated to use App/bootdir.


Deraen commented Oct 27, 2015

And squashed.

Copied the implementation from Leiningen.

- Deploy repository options can be set using push task option.
- Deprecate gpg-keyring option
Deraen added a commit that referenced this pull request Nov 8, 2015
Use gpg binary for signing and reading credentials from encrypted file
@Deraen Deraen merged commit c49e69c into boot-clj:master Nov 8, 2015
2 participants