Verify tools deps/lein dependency gpg signatures via allow-list
Uses https://github.com/liquidz/antq for much of file/artifact wrangling, but also supports using environment based repo credentials from project.clj
Add the following to your deps.edn:
:gpg-verify {:exec-fn org.kipz.gpg-verify.clojure/gpg-verify
:exec-args {:verify [mycommany/internal-cljj]}
:extra-deps {org.kipz/clj-gpg-verify {:mvn/version "0.1.2"}}}
Put [org.kipz/clj-gpg-verify "0.1.2"]
into the :plugins
vector of your :user
profile or in the :plugins
of your poject.clj:
Add a list of dependencies to verify to your project.clj:
:gpg-verify {:deps [mycommany/internal-clj]}
Then run:
$ lein gpg-verify
Copyright © 2021 James Carnegie
This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which is available at http://www.eclipse.org/legal/epl-2.0.
This Source Code may also be made available under the following Secondary Licenses when the conditions for such availability set forth in the Eclipse Public License, v. 2.0 are satisfied: GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version, with the GNU Classpath Exception which is available at https://www.gnu.org/software/classpath/license.html.