
bug#17625: 24.4.50; All installed packages marked "unsigned", no archive

From: Ted Zlatanov
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Mon, 29 Sep 2014 20:33:38 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/25.0.50 (gnu/linux)

On Wed, 24 Sep 2014 11:05:31 -0400 Stefan Monnier <address@hidden> wrote: 

>> Do you have a plan to start signing GNU ELPA packages so this can get
>> tested in a real network setup?

SM> GNU ELPA is now signed,

Thank you for working on this!

The docs should be updated:

@c Uncomment this if it becomes true.
The public key for the GNU package archive is distributed with Emacs,
in the @file{etc/package-keyring.gpg}.  Emacs uses it automatically.
@end ignore

The ELPA maintainer public key .gpg file is needed. Right now I can't
find it so I can't actually verify any packages. Am I missing something?

Are there docs on the signing process? I don't see anything in the ELPA
repository under admin.

From the code it seems the EPG glue written by Daiki Ueno expects the
keyring to live in `(expand-file-name "gnupg" package-user-dir)` which
implies we have to provide a way, on startup, to populate that keyring
if it's missing. I don't see any docs or functions to do that. It's not
terribly complicated, just `gpg --homedir DIRNAME --import KEY` but it
would be convenient for users if we provide a wrapper.

IMHO any archives that are signed but not the GNU ELPA should be able to
use this wrapper.  I hope you agree, it's just a matter of avoiding
hard-coding too much.

I also think that we should set `package-check-signature` aggressively
if we can verify a basic signature verification.  So maybe that wrapper
above can finish with a test run of GnuPG to ensure it will DTRT, and if
so, offer to customize and save `package-check-signature`.  I can
attempt all of the above... do you agree with the workflow?

I am attaching a small patch to provide a "Verify" button in the package
description, so the user doesn't have to try install the package to find
out if it's signed.  If you agree, I can commit it.


Attachment: package-verify-button.patch
Description: Text Data
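An added example, not from the message above or from Emacs's package.el: a hypothetical wrapper around the `gpg --homedir DIRNAME --import KEY` step described in the message, followed by the test run of GnuPG and the offer to save `package-check-signature`. The `my/` names, the keyring directory and the `gpg` program name are assumptions.

```elisp
;; Added example (hypothetical wrapper, not code from the message or from
;; package.el).  Assumes the keyring lives where the message says the EPG
;; glue expects it, and that a "gpg" binary is on the PATH.

(defvar my/package-keyring-dir
  (expand-file-name "gnupg" package-user-dir)
  "Directory package.el's EPG glue is expected to use as the GnuPG home.")

(defun my/package-import-archive-key (keyfile)
  "Import the archive maintainer public key in KEYFILE into the package keyring.
Creates the keyring directory with owner-only permissions, as gpg
requires, and returns non-nil when gpg reports success."
  (interactive "fPublic key file (.gpg or .asc): ")
  (unless (file-directory-p my/package-keyring-dir)
    (make-directory my/package-keyring-dir t)
    (set-file-modes my/package-keyring-dir #o700))
  (let ((status (call-process "gpg" nil "*package-keyring*" nil
                              "--homedir" my/package-keyring-dir
                              "--batch" "--import"
                              (expand-file-name keyfile))))
    (unless (eq status 0)
      (error "gpg --import failed with status %s (see *package-keyring*)"
             status))
    (message "Imported %s into %s" keyfile my/package-keyring-dir)
    t))

(defun my/package-keyring-check (signature-file signed-file)
  "Test run: verify SIGNED-FILE against detached SIGNATURE-FILE.
Uses only the package keyring, so it proves the imported key is usable.
Returns t when gpg accepts the signature, nil otherwise."
  (eq 0 (call-process "gpg" nil nil nil
                      "--homedir" my/package-keyring-dir
                      "--batch" "--verify"
                      (expand-file-name signature-file)
                      (expand-file-name signed-file))))

(defun my/package-enable-signature-check (signature-file signed-file)
  "If the keyring verifies a known-good signature, offer to save
`package-check-signature' as t so unsigned packages are refused."
  (interactive "fDetached signature (.sig): \nfSigned file: ")
  (if (not (my/package-keyring-check signature-file signed-file))
      (message "Keyring cannot verify %s; leaving `package-check-signature' alone"
               signed-file)
    (when (y-or-n-p "Signature verified.  Require signatures for all packages? ")
      (customize-save-variable 'package-check-signature t))))
```

Running the check against a package and its `.sig` from the archive before saving the setting avoids locking the user out of updates when the keyring is empty or the key import silently produced nothing usable.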
