[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#17625: 24.4.50; All installed packages marked "unsigned", no archive

From: Ted Zlatanov
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Tue, 30 Sep 2014 07:02:51 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/25.0.50 (gnu/linux)

On Mon, 29 Sep 2014 23:55:00 -0400 Stefan Monnier <address@hidden> wrote: 

>> @c Uncomment this if it becomes true.
>> @ignore
>> The public key for the GNU package archive is distributed with Emacs,
>> in the @file{etc/package-keyring.gpg}.  Emacs uses it automatically.
>> @end ignore
>> The ELPA maintainer public key .gpg file is needed. Right now I can't
>> find it so I can't actually verify any packages. Am I missing something?

SM> It's in the file described in the (commented out) doc you cited above.
SM> You are tracking emacs-24 to help us with the pretest, right?

I am, but looked in the trunk for this file. I didn't expect you'd put
the keyring only in the emacs-24 branch.  Why keep it out of trunk?
Users there won't know to look in emacs-24.

>> Are there docs on the signing process? I don't see anything in the ELPA
>> repository under admin.

>> I also think that we should set `package-check-signature` aggressively
>> if we can verify a basic signature verification.

SM> For now my main concern is to make sure GNU ELPA can still be accessed
SM> by users of 24.4, and that they *can* check the signature if they so wish.

It can, but they can't verify the signature as a separate operation.
They have to attempt an install.  That's why I suggested the "Verify" button.

The whole thing is hard to set up for a new user, so we need docs on
that, especially covering the initial import and a small GnuPG primer so
the user understands what's going on.  Would you like me to write them?

>> I am attaching a small patch to provide a "Verify" button in the package
>> description, so the user doesn't have to try install the package to find
>> out if it's signed.  If you agree, I can commit it.

SM> I can't imagine why a user would want to check if a package is signed.
SM> All GNU ELPA packages are signed, and I hope that soon all ELPA packages
SM> will be signed.

Verifying the signature is currently only possible as part of the
installation. Yet the verification on installation can only be
controlled with a single variable, which lets you either check all, or
allow installing unsigned packages.

I'm trying to cover the case where the users wants to allow installing
unsigned packages, but still wants to verify an individual package's
signature beforehand.  As the number of package archives grows, I think
that will be useful.

It's also convenient for testing whether the user has imported the
maintainers' key correctly and whether their GnuPG setup is operational.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]