GNU bug report logs - #17625
details of package signing mechanism
Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>
Date: Thu, 29 May 2014 03:12:01 UTC
Severity: important
Tags: security
Found in version 24.4.50
Done: Stefan Monnier <monnier <at> iro.umontreal.ca>
Bug is archived. No further changes may be made.
> I am, but looked in the trunk for this file. I didn't expect you'd put
> the keyring only in the emacs-24 branch. Why keep it out of trunk?
> Users there won't know to look in emacs-24.
For those who haven't followed Emacs's development over the last
5 years: changes that should go into the release are made *only* to the
release branch, which is then merged every once in a while into trunk.
> They have to attempt an install. That's why I suggested the "Verify" button.
A verify button would only make sense if we exposed the "download" and
the "install" as two separate steps, so the user could then "verify"
between those two steps.
If we don't, then the user can "verify" with your button, get
a "verification successful" and then go on and download an unsigned
package (because the attacker just changed the file and removed the sig
in the meantime).
> The whole thing is hard to set up for a new user,
Huh? It's completely transparent! Have you tried the `emacs-24' branch?
> I'm trying to cover the case where the user wants to allow installing
> unsigned packages, but still wants to verify an individual package's
> signature beforehand. As the number of package archives grows, I think
> that will be useful.
A much better option, then, is to let package-check-signature take
another value which causes the user to be prompted if the sig can't
be checked.
Stefan
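
The gap described in the message above, as an added example that is not part of the original message and is not Emacs's package.el code: a stand-alone "Verify" checks one fetch while the install uses a second one, whereas a single fetch with a prompt checks the bytes that are installed. Assumptions: HMAC-SHA256 stands in for the detached OpenPGP signature, the archive is a constructed in-memory dict, and `verify_button`, `install_allow_unsigned` and `install_prompting` are hypothetical names.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for the archive signing key

def sign(data):
    # HMAC-SHA256 stands in for a detached OpenPGP signature (swapped-in technique).
    return hmac.new(KEY, data, hashlib.sha256).digest()

def sig_ok(data, sig):
    return sig is not None and hmac.compare_digest(sign(data), sig)

def verify_button(archive, name):
    """Hypothetical stand-alone 'Verify': fetch, check, then discard the bytes."""
    return sig_ok(*archive[name])

def install_allow_unsigned(archive, name):
    """Second, independent fetch; a missing signature is silently accepted."""
    data, sig = archive[name]
    if sig is not None and not sig_ok(data, sig):
        raise ValueError("bad signature")
    return data  # these are the bytes that get installed

def install_prompting(archive, name, ask):
    """One fetch: checked bytes are the installed bytes; ask if the sig is absent."""
    data, sig = archive[name]
    if sig is not None and not sig_ok(data, sig):
        raise ValueError("bad signature")
    if sig is None and not ask(name):
        raise PermissionError("unsigned package declined")
    return data

def run_scenario():
    good = b"(constructed) good package"
    archive = {"pkg": (good, sign(good))}  # constructed archive: name -> (bytes, sig)
    verified = verify_button(archive, "pkg")
    # The file is changed and the signature removed after the separate Verify step.
    archive["pkg"] = (b"(constructed) altered package", None)
    installed = install_allow_unsigned(archive, "pkg")
    try:
        install_prompting(archive, "pkg", ask=lambda name: False)
        outcome = "installed"
    except PermissionError:
        outcome = "declined"
    return verified, installed, outcome
```

`run_scenario()` returns a successful verification followed by installation of the altered bytes on the two-step path, and a declined install on the single-fetch prompting path.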
This bug report was last modified 10 years and 236 days ago.