On Wed, 24 Sep 2014 11:05:31 -0400 Stefan Monnier wrote:

>> Do you have a plan to start signing GNU ELPA packages so this can get
>> tested in a real network setup?

SM> GNU ELPA is now signed,

Thank you for working on this!

The docs should be updated:

    @c Uncomment this if it becomes true.
    @ignore
    The public key for the GNU package archive is distributed with Emacs,
    in the @file{etc/package-keyring.gpg}.  Emacs uses it automatically.
    @end ignore

The ELPA maintainer public key .gpg file is needed. Right now I can't find it, so I can't actually verify any packages. Am I missing something? Are there docs on the signing process? I don't see anything in the ELPA repository under admin.

From the code it seems the EPG glue written by Daiki Ueno expects the keyring to live in `(expand-file-name "gnupg" package-user-dir)`, which implies we have to provide a way, on startup, to populate that keyring if it's missing. I don't see any docs or functions to do that. It's not terribly complicated, just `gpg --homedir DIRNAME --import KEY`, but it would be convenient for users if we provide a wrapper. IMHO any archives that are signed but not the GNU ELPA should be able to use this wrapper. I hope you agree; it's just a matter of avoiding hard-coding too much.

I also think that we should set `package-check-signature` aggressively if we can verify a basic signature verification. So maybe that wrapper above can finish with a test run of GnuPG to ensure it will DTRT, and if so, offer to customize and save `package-check-signature`.

I can attempt all of the above... do you agree with the workflow?

I am attaching a small patch to provide a "Verify" button in the package description, so the user doesn't have to try to install the package to find out if it's signed. If you agree, I can commit it.

Thanks
Ted
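The wrapper sketched in the message above, written out as an added example (it is not code from the post, from the attached patch, or from Emacs's package.el): it imports a key file into the keyring directory the post identifies, `(expand-file-name "gnupg" package-user-dir)`, runs a basic GnuPG sanity check, and only then offers to enable `package-check-signature`. The function name `my-package-import-keyring` is an assumption; the EPG calls (`epg-make-context`, `epg-context-set-home-directory`, `epg-import-keys-from-file`, `epg-list-keys`, `epg-check-configuration`) are the standard epg.el API.

```elisp
;;; Added example: populate package.el's keyring and check that GnuPG works.
;;; Not part of the original message or of Emacs; the function name is
;;; hypothetical.  Usage: M-x my-package-import-keyring RET /path/to/key.gpg RET

(require 'epg)
(require 'package)

(defun my-package-import-keyring (key-file)
  "Import KEY-FILE into the keyring package.el uses for signature checks.
The keyring lives in (expand-file-name \"gnupg\" package-user-dir), the
directory the EPG glue in package.el reads when verifying .sig files.
After importing, run a basic GnuPG check and, if it passes, offer to
customize and save `package-check-signature'.  Returns the list of keys
now present in the keyring."
  (interactive "fKey file to import (.gpg): ")
  (let ((homedir (expand-file-name "gnupg" package-user-dir))
        (context (epg-make-context 'OpenPGP)))
    ;; GnuPG refuses to use a world-readable home directory, so create it
    ;; with owner-only permissions before pointing the context at it.
    (make-directory homedir t)
    (set-file-modes homedir #o700)
    (epg-context-set-home-directory context homedir)
    ;; Fail early if no usable gpg binary is found (the "test run" the
    ;; message asks for): this signals an error rather than silently
    ;; leaving signature checking unable to work.
    (epg-check-configuration (epg-configuration))
    ;; Equivalent of `gpg --homedir DIRNAME --import KEY'.
    (epg-import-keys-from-file context key-file)
    (let ((keys (epg-list-keys context)))
      (when (null keys)
        (error "No keys present in %s after importing %s" homedir key-file))
      (message "Keyring %s now holds %d key(s)" homedir (length keys))
      ;; Only offer the stricter setting once a working keyring exists,
      ;; otherwise every archive install would fail with a missing key.
      (when (and (not package-check-signature)
                 (y-or-n-p "Require valid signatures for package archives? "))
        (customize-save-variable 'package-check-signature t))
      keys)))
```

Nothing in the function is specific to GNU ELPA, so any signed third-party archive listed in `package-archives` can be served by the same command with its own key file; the archive identity is carried entirely by which key the user chooses to import. In Emacs 25 and later `epg-context-set-home-directory` is marked obsolete in favour of `setf` on `epg-context-home-directory`, but the setter still works and keeps the example usable on the Emacs 24 tree the message refers to.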