[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] package.el: check tarball signature

From: Daiki Ueno
Subject: [PATCH] package.el: check tarball signature
Date: Mon, 30 Sep 2013 15:48:16 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)

Well, I still don't understand why this is advertised as such a
difficult problem, particularly why package.el would need sign operation
with Emacs.  Am I missing something?

Perhaps it might make sense to discuss with some code.  Here it is.

The code verifies a detached signature NAME-VERSION.tar.sig with a
trusted keyring located under ~/.emacs.d/elpa/gnupg/.  That's it.

For uploading packages, we could simply use the same mechanism as
gnupload in Gnulib.

It's actually a 10-minute work at an airport lobby and tested only with
the local package archive.

=== modified file 'lisp/emacs-lisp/package.el'
--- lisp/emacs-lisp/package.el  2013-08-03 02:34:22 +0000
+++ lisp/emacs-lisp/package.el  2013-09-30 16:50:40 +0000
@@ -739,13 +739,44 @@
       (error "Error during download request:%s"
             (buffer-substring-no-properties (point) (line-end-position))))))
+(declare-function epg-make-context "epg"
+                 (&optional protocol armor textmode include-certs
+                            cipher-algorithm
+                            digest-algorithm
+                            compress-algorithm))
+(declare-function epg-context-set-home-directory "epg" (context directory))
+(declare-function epg-verify-file "epg" (context signature
+                                                &optional signed-text plain))
+(defun package--check-signature (pkg-desc)
+  "Check signature of a package.
+GnuPG keyring is located under \"gnupg\" in `package-user-dir'."
+  (let* ((location (package-archive-base pkg-desc))
+        (sig-file (concat (package-desc-full-name pkg-desc)
+                          (package-desc-suffix pkg-desc)
+                          ".sig"))
+        (signature (package--with-work-buffer location sig-file
+                     (buffer-string)))
+        (context (epg-make-context 'OpenPGP)))
+    (epg-context-set-home-directory context
+                                   (expand-file-name "gnupg" package-user-dir))
+    (epg-verify-file context signature (buffer-string))))
 (defun package-install-from-archive (pkg-desc)
   "Download and install a tar package."
   (let ((location (package-archive-base pkg-desc))
        (file (concat (package-desc-full-name pkg-desc)
                       (package-desc-suffix pkg-desc))))
     (package--with-work-buffer location file
-      (package-unpack pkg-desc))))
+      (if (condition-case nil
+             (progn
+               (package--check-signature pkg-desc)
+               t)
+           (error (y-or-n-p
+                   (format "Cannot verify signature of `%s'; \
+install it anyway? "
+                           (package-desc-name pkg-desc)))))
+         (package-unpack pkg-desc)))))
 (defvar package--initialized nil)

Daiki Ueno

reply via email to

[Prev in Thread] Current Thread [Next in Thread]