[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#35414: 26.2; ELPA packages signed with second, unknown key

From: Stefan Monnier
Subject: bug#35414: 26.2; ELPA packages signed with second, unknown key
Date: Wed, 24 Apr 2019 18:36:29 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

> I see.  Sorry, I only searched the bugs list but not the diffs list!

No need to apologize: the new sigs appeared before the keyring
was distributed.

>> Hmm... I just tried with Debian's Emacs-25.1 and with a new build from
>> the `emacs-26` branch:
>>     emacs -Q --eval '(setq package-check-signature t)
>>     M-x package-list-packages RET
>>     M-x package-refresh-contents RET
>> and didn't get any error.
> I suppose it's worth asking (but apologies if I misunderstand what's
> happening under the hood): did you perform this test with an empty
> keyring (or just with what's available in Debian's Emacs-25.1
> installation)?

The keyring was not empty, but only had the 2014 key.

> I suspect that you already have the new public key in
> your keyring, so you wouldn't experience the problem.

I was also afraid of that, so I double checked.

>> It's a brand new key that is now in etc/package-keyring.gpg in the
>> `master` branch of Emacs, as well as in the `gnu-elpa-keyring-update`
>> package in GNU ELPA.
>> This is because the key 474F05837FBDEF9B is about to expire (it's
>> really high time we start preparing for the new key).
> OK, that should make things easy enough.

But I don't want for people to have to update their keyring already:
they'll need to do that some time before September, but updating your
keyring will just hide the problem you're seeing.

> Unfortunately, installing the package (after temporarily disabling sig
> verification) doesn't solve the problem for me.  Am I correct to assume
> that the package should "just work" after installing (and restarting
> Emacs)?

Yes, even without restarting Emacs.

> I looked at the ELPA git repo and saw that the keyring should be
> distributed in the etc subdirectory of the package.

Oh, duh, of course, the scripts decided to make a single-file package
out of it, so the keyring is missing.  I'll fix that.

> So, I guess the "bug" at this point is that it would appear that the
> keyring isn't properly installed with the keyring-update package.  I
> apologize for the original noise, since you obviously had already
> considered and worked on a fix for the underlying problem.

No, the bug is that the signature verification should not signal an
error before September 2019 even if you don't have the new key.

Could you remove the gnu-elpa-keyring-update package, and the 2019
key from your keyring and try and help us figure out why you get
those errors and I don't?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]