[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Whose keys go on elpa/gnupg/pubring.gpg?

From: Kelly Dean
Subject: Whose keys go on elpa/gnupg/pubring.gpg?
Date: Thu, 08 Jan 2015 03:36:40 +0000

Just the package repositories' keys (elpa, melpa, marmalade)?

In that case, where do individual package maintainers' keys go?

Or is the package manager only intended to support verification of the 
repositories' signatures, but not package maintainers' signatures?

If package maintainers' keys are supposed to go on that keyring, then 
package-refresh-contents gives no assurance that the repository's key signed 
the archive-contents file; it only assures that some random package maintainer 
(any whose key is on the keyring) decided to sign the file, perhaps after 
inserting some of his own goodies. Needless to say, this makes pranks a little 
too easy.

If the keyring is supposed to contain only keys of people the user trusts to 
run code, then technically this isn't a vulnerability, but it still isn't the 
right thing to do. Emacs should record which key is for which repository, and 
only accept signatures made by the right key.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]