GNU bug report logs - #17625
details of package signing mechanism


Package: emacs;

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.




From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: 17625 <at> debbugs.gnu.org
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Mon, 29 Sep 2014 23:55:00 -0400
> @c Uncomment this if it becomes true.
> @ignore
> The public key for the GNU package archive is distributed with Emacs,
> in the @file{etc/package-keyring.gpg}.  Emacs uses it automatically.
> @end ignore
> The ELPA maintainer public key .gpg file is needed. Right now I can't
> find it so I can't actually verify any packages. Am I missing something?

It's in the file described in the (commented out) doc you cited above.
You are tracking emacs-24 to help us with the pretest, right?

> Are there docs on the signing process? I don't see anything in the ELPA
> repository under admin.

No, indeed, it's not there, because the signing is done completely
separately (to hopefully try and keep the private key a bit more
private).  But it's a really simple makefile that looks for *.tar, *.el,
and archive-contents and runs "gpg --detach-sign $<" on them.

> I also think that we should set `package-check-signature` aggressively
> if we can verify a basic signature verification.

For now my main concern is to make sure GNU ELPA can still be accessed
by users of 24.4, and that they *can* check the signature if they so wish.

> I am attaching a small patch to provide a "Verify" button in the package
> description, so the user doesn't have to try install the package to find
> out if it's signed.  If you agree, I can commit it.

I can't imagine why a user would want to check if a package is signed.
All GNU ELPA packages are signed, and I hope that soon all ELPA packages
will be signed.


        Stefan
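The signing makefile Stefan describes above (detached signatures over *.tar, *.el and archive-contents, kept out of the ELPA repository) is not reproduced anywhere on this page, so the following is an added reconstruction, not the GNU ELPA maintainers' actual file. It mirrors the described mechanism (`gpg --detach-sign` per artifact) and adds what a practitioner checking the mechanism would want: an explicit `--local-user`, a `.sig` written beside each artifact, and a `verify` target that checks every signature against a dedicated public keyring instead of the signer's default one. `ARCHIVE_DIR`, `GPG_KEY` and the `KEYRING` path are assumptions for illustration.

```make
# Added reconstruction of an ELPA-style signing makefile (not the real one).
# Assumptions: artifacts live in ARCHIVE_DIR, GPG_KEY selects the signing key,
# and KEYRING is the public keyring a client verifies against.
ARCHIVE_DIR ?= archive
GPG_KEY     ?= maintainer@example.org
KEYRING     ?= etc/package-keyring.gpg
GPG         ?= gpg

# Everything a client can download from the archive, including its index.
ARTIFACTS := $(wildcard $(ARCHIVE_DIR)/*.tar) \
             $(wildcard $(ARCHIVE_DIR)/*.el) \
             $(wildcard $(ARCHIVE_DIR)/archive-contents)
SIGS      := $(addsuffix .sig,$(ARTIFACTS))

.PHONY: sign verify clean-sigs

# Produce one detached signature per artifact; make only re-signs files
# whose content changed since the last run.
sign: $(SIGS)

%.sig: %
	$(GPG) --batch --yes --local-user $(GPG_KEY) --detach-sign --output $@ $<

# Verify as a client would: trust only the keys in KEYRING, and fail the
# whole target on the first bad or missing signature.
verify: $(SIGS)
	@for s in $(SIGS); do \
	  $(GPG) --batch --no-default-keyring --keyring $(KEYRING) \
	         --verify $$s $${s%.sig} || exit 1; \
	done

clean-sigs:
	rm -f $(SIGS)
```

`make sign` is the step that runs on the signing host; `make verify KEYRING=/path/to/package-keyring.gpg` is the check an archive consumer can run against the same set of files. The makefile only encodes the mechanics: the point Stefan makes about running it separately from the repository (so the private key never sits next to the archive checkout) is an operational choice, not something the file itself enforces.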






