Re: [PATCH] package.el: check tarball signature

[Ted Zlatanov]

On Fri, 04 Oct 2013 11:46:30 +0900 Daiki Ueno <address@hidden> wrote: 

DU> Ted Zlatanov <address@hidden> writes:
>> Just one code comment:
>> 
>> +(defcustom package-check-signature 'allow-unsigned
>> +  "Whether to check package signatures when installing."
>> +  :type '(choice (const nil :tag "Never")
>> +                (const allow-unsigned :tag "Allow unsigned")
>> +                (const t :tag "Check always"))
>> +  :risky t
>> +  :group 'package
>> +  :version "24.1")
>> 
>> IMHO this should be per archive, not global.  WDYT?

DU> Yes, actually I was in doubt how to support that.  Given that most of
DU> the archives will be eventually signed (as Stefan pointed[1]), I'm now
DU> thinking of:

DU> * remove the package-check-signature option, and

DU> * even if an archive is listed in package-unsigned-archives, check
DU>   signature if .sig file is provided (ignoring verification error)

DU> How does this sound?  Here is a patch in this direction.

I think it's a good direction.  Maybe archives should have trust levels
that the user can provide when adding them, instead of managing
`package-{signed,unsigned}-archives' as external lists:

- signed (always check for .sig and verify it)
- optionally signed (always check for .sig but allow it may not exist)
- not signed (never check for .sig, avoiding extra network requests)

The default trust level would be "signed."  Does that work?

The user may also want a keyring per archive, if that could be a
property.  I would want it.  But it may be expensive to implement.

Ted