[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Whose keys go on elpa/gnupg/pubring.gpg?

From: Stefan Monnier
Subject: Re: Whose keys go on elpa/gnupg/pubring.gpg?
Date: Thu, 08 Jan 2015 09:20:21 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

>>> In that case, where do individual package maintainers' keys go?
>> Nowhere: the signatures only certify that this is the file that was
>> created on elpa.gnu.org.
> That's only the case if elpa.gnu.org is the only repository whose key is on
> the keyring, since package-refresh-contents trusts any repository's key on
> the keyring to sign any other repository's archive-contents file. Again,
> technically not a vulnerability, but still not good.

That's right, except for one nitpick: the signatures themselves do
certify that this file was created on elpa.gnu.org.
It's only the package.el signature-checking which doesn't bother to
check that the signature is made with the repository's corresponding key.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]