bug#17625: 24.4.50; All installed packages marked "unsigned", no archive

From: Stefan Monnier
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Mon, 29 Sep 2014 23:55:00 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux)

> @c Uncomment this if it becomes true.
> @ignore
> The public key for the GNU package archive is distributed with Emacs,
> in the @file{etc/package-keyring.gpg}.  Emacs uses it automatically.
> @end ignore
> The ELPA maintainer public key .gpg file is needed. Right now I can't
> find it so I can't actually verify any packages. Am I missing something?

It's in the file described in the (commented out) doc you cited above.
You are tracking emacs-24 to help us with the pretest, right?

> Are there docs on the signing process? I don't see anything in the ELPA
> repository under admin.

No, indeed, it's not there, because the signing is done completely
separately (to hopefully try and keep the private key a bit more
private).  But it's a really simple makefile that looks for *.tar, *.el,
and archive-contents and runs "gpg --detach-sign $<" on them.

> I also think that we should set `package-check-signature` aggressively
> if we can verify a basic signature verification.

For now my main concern is to make sure GNU ELPA can still be accessed
by users of 24.4, and that they *can* check the signature if they so wish.

> I am attaching a small patch to provide a "Verify" button in the package
> description, so the user doesn't have to try to install the package to find
> out if it's signed.  If you agree, I can commit it.

I can't imagine why a user would want to check if a package is signed.
All GNU ELPA packages are signed, and I hope that soon all ELPA packages
will be signed.
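
An added example, not part of the original message and not the ELPA maintainers' own script: an audit of a local archive mirror for the artifacts the message says are signed (`*.tar`, `*.el`, `archive-contents`). It assumes each signature sits next to its file as `<file>.sig`, the default output name of `gpg --detach-sign`; the function names and the mirror directory are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread or the ELPA admin scripts).
# Assumptions: the first argument is a local mirror of a package archive, and
# each signature sits next to its artifact as "<file>.sig", which is the
# default output name of "gpg --detach-sign <file>".

# Print every artifact (*.tar, *.el, archive-contents) that has no .sig file.
list_unsigned() {
    dir=$1
    for f in "$dir"/*.tar "$dir"/*.el "$dir"/archive-contents; do
        [ -f "$f" ] || continue          # unmatched glob or absent file
        [ -f "$f.sig" ] || printf '%s\n' "${f##*/}"
    done
}

# Print every artifact whose .sig does not verify against the given keyring.
# Only keys in that keyring count; the user's default keyring is ignored.
# Pass the keyring as a path containing a slash (e.g. ./package-keyring.gpg),
# otherwise gpg looks for it in its home directory.
list_bad_signatures() {
    dir=$1 keyring=$2
    for f in "$dir"/*.tar "$dir"/*.el "$dir"/archive-contents; do
        [ -f "$f" ] && [ -f "$f.sig" ] || continue
        gpg --batch --no-default-keyring --keyring "$keyring" \
            --verify "$f.sig" "$f" >/dev/null 2>&1 || printf '%s\n' "${f##*/}"
    done
}

# Usage: sh audit.sh ARCHIVE_DIR KEYRING.gpg
if [ "$#" -eq 2 ]; then
    unsigned=$(list_unsigned "$1")
    bad=$(list_bad_signatures "$1" "$2")
    [ -z "$unsigned" ] || printf 'No signature:\n%s\n' "$unsigned"
    [ -z "$bad" ] || printf 'Signature does not verify:\n%s\n' "$bad"
    [ -z "$unsigned$bad" ]               # exit status 0 only if all is clean
fi
```

A missing `.sig` and a failing `.sig` are reported separately because they point to different problems: the first to an archive that is not signed, the second to a modified file or a signature made with a key that is not in the keyring.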

