Re: ELPA security
From: Stefan Monnier
Subject: Re: ELPA security
Date: Sun, 23 Jun 2013 12:41:32 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)
TZ> etc/elpa/ARCHIVE-NAME can contain the actual armored GPG signature but
TZ> it can also have more metadata about the archive. So the format could
TZ> be:
TZ> url=ARCHIVE-URL
TZ> other-metadata=whatever
TZ> then-a-new-line=ends metadata
TZ> SIGNATURE
TZ> and if SIGNATURE is missing, the archive is not signed.
Hmm... I'm not sure I understand the issues here. IIUC Debian
uses a GPG keyring. What's the difference? Also, you talk about the
signature here, whereas I think "an archive has a key, each package has
a signature".
> For now I'm using the old format. Archives are signed by default as
> requested. I've rebased the patch against the changes to package.el.
I think the list of signed/unsigned archives should be managed
dynamically/automatically: if a signature is missing, ask the user if
she thinks it's normal, and if so, place the archive into a list of
"unsigned archives", so the question is not repeated. But every time we
access the archive, we still try to get a signature. If we do find
a signature, then remove the archive from the "unsigned archives" list.
> Finally, for easier testing I think we should put a fake archive with 1
> package in test/elpa/packages.
Sure.
> I didn't do it because Stefan mentioned Daniel Hackney's changes
> included some testing code and I didn't want to confuse matters.
You could install Daniel's tests before adding your own.
TZ> Using EPG functions, however, I could not figure out how to verify with
TZ> an external public GPG key. I don't see that option with any of the
TZ> context functions. Perhaps someone knows? Without that option, the
TZ> user has to explicitly load the maintainer's public GPG key, which is
TZ> very impractical around package.el.
> I need to know the above to make the patch usable, so I won't commit for
> now.
I don't understand the question, sadly.
> Also the signature has to be named .gpgsig because the extension .gpg
> (the default) makes EPA/EPG attempt to decrypt it.
".gpgsig" is fine, as is ".sig". Are you talking about the packages'
signatures, or about some ~/.emacs.d/elpa/archive/key.gpgsig?
Stefan
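
The dynamically managed "unsigned archives" list proposed in the message above, sketched as an added example that is not part of the original mail and is not package.el code. Every `my-elpa-` name is hypothetical, the fetch, verify and prompt steps are passed in as functions, and treating a bad signature as a hard error is an assumption.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not code from package.el.  All `my-elpa-' names
;; are hypothetical.

(defvar my-elpa-unsigned-archives nil
  "Names of archives the user has accepted as unsigned.")

(defun my-elpa-check-archive (name fetch-sig verify ask)
  "Decide whether archive NAME may be used on this access.
FETCH-SIG is called with NAME and returns a signature, or nil if none.
VERIFY is called with NAME and the signature; non-nil means valid.
ASK is called with NAME; non-nil means the user accepts that the
archive is unsigned.
Return `signed' or `unsigned-accepted', or signal an error."
  (let ((sig (funcall fetch-sig name)))  ; always try, even if listed
    (cond
     (sig
      ;; A signature was found: drop the archive from the unsigned list.
      (setq my-elpa-unsigned-archives
            (delete name my-elpa-unsigned-archives))
      ;; Assumption: an invalid signature is a hard failure.
      (unless (funcall verify name sig)
        (error "Bad signature for archive %s" name))
      'signed)
     ((member name my-elpa-unsigned-archives)
      'unsigned-accepted)                ; already answered, do not re-ask
     ((funcall ask name)
      (push name my-elpa-unsigned-archives)
      'unsigned-accepted)
     (t (error "Archive %s is unsigned and was not accepted" name)))))

;; Constructed walk-through: "demo" is unsigned for two accesses and
;; then starts serving a signature.  Evaluates to a list of the three
;; results, the number of prompts shown, and the final unsigned list.
(let* ((sigs nil)
       (asked 0)
       (fetch (lambda (n) (cdr (assoc n sigs))))
       (verify (lambda (_n s) (equal s "good")))
       (ask (lambda (_n) (setq asked (1+ asked)) t)))
  (list (my-elpa-check-archive "demo" fetch verify ask)
        (my-elpa-check-archive "demo" fetch verify ask)
        (progn (push '("demo" . "good") sigs)
               (my-elpa-check-archive "demo" fetch verify ask))
        asked
        my-elpa-unsigned-archives))
```

Because an archive leaves the list as soon as it serves a signature, a later access that finds no signature prompts the user again instead of passing silently.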