GNU bug report logs - #17625
details of package signing mechanism


Package: emacs

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.


From: Glenn Morris <rgm <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: Eric Abrahamsen <eric <at> ericabrahamsen.net>, 17625 <at> debbugs.gnu.org
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Thu, 05 Jun 2014 02:19:18 -0400
I tried to document it.
I suggest creating a test package on elpa.gnu.org that is signed to see
how it works.

Some things I noticed:

If package-check-signature has its default value, `allow-unsigned', you
can happily install a package with no signature, but trying to install
one that _is_ signed, but for which you don't have the public key, fails
with "Failed to verify signature".

There's no notification when installing a signed package.
Might be nice if there was a message at least ("good signature from...")
(But on the other hand I don't recall seeing apt and yum do that,
at least not by default.)
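The behaviour Glenn describes (an unsigned package installs under the default `allow-unsigned', while a signed package whose key is absent from the keyring fails with "Failed to verify signature") follows from package.el verifying the detached .sig with EPG and requiring at least one `good' status. The following is an added example, not code from this bug report or from package.el; it reproduces that check outside package.el so the verdict for each case can be inspected. It assumes a tarball FILE with a detached signature FILE.sig, a GnuPG home directory HOMEDIR holding the keyring (package.el in 24.4 uses the "gnupg" subdirectory of `package-user-dir'), and that `epg-context-home-directory' is setf-able as it is in 24.4's epg.el; the function names prefixed `my/' are invented for this example.

```elisp
;; Added example, not from the bug report or package.el.  Names with the
;; "my/" prefix are assumptions made for this illustration.
(require 'epg)
(require 'cl-lib)

(defun my/verify-detached (homedir file)
  "Verify FILE against the detached signature FILE.sig using HOMEDIR's keyring.
Return the symbol `unsigned' when FILE.sig does not exist, otherwise the
list of epg-signature objects produced by the verification (possibly
empty).  Each object's status is one of good, bad, expired, expired-key,
revoked-key or no-pubkey; no-pubkey is the case of a signed package whose
signing key was never imported."
  (let ((sig-file (concat file ".sig"))
        (context (epg-make-context 'OpenPGP)))
    (if (not (file-exists-p sig-file))
        'unsigned
      (setf (epg-context-home-directory context) homedir)
      (epg-verify-string context
                         (with-temp-buffer
                           (insert-file-contents-literally sig-file)
                           (buffer-string))
                         (with-temp-buffer
                           (insert-file-contents-literally file)
                           (buffer-string)))
      (epg-context-result-for context 'verify))))

(defun my/signature-verdict (policy result)
  "Decide whether a package may be installed.
POLICY is a value of `package-check-signature' (nil, allow-unsigned or t)
and RESULT is what `my/verify-detached' returned.  Return the symbol
`install' or signal an error describing why installation is refused."
  (cond
   ;; nil: signatures are never looked at.
   ((null policy) 'install)
   ;; No .sig at all: only allow-unsigned lets this through.
   ((eq result 'unsigned)
    (if (eq policy 'allow-unsigned)
        'install
      (error "Package is unsigned and `package-check-signature' is %S" policy)))
   ;; A .sig exists: success needs at least one good signature, regardless
   ;; of policy.  A missing public key yields status no-pubkey, never good,
   ;; so it is refused even under allow-unsigned.
   ((cl-some (lambda (sig) (eq (epg-signature-status sig) 'good)) result)
    'install)
   (t (error "Failed to verify signature: %S"
             (mapcar #'epg-signature-to-string result)))))

;; Usage (paths are assumed): run the check with the current policy.
;; (my/signature-verdict package-check-signature
;;                       (my/verify-detached
;;                        (expand-file-name "gnupg" package-user-dir)
;;                        "/tmp/example-1.0.tar"))
```

To make the signed-but-unknown-key case pass, the archive's public key has to be in that keyring first; package.el provides `package-import-keyring' for this (it wraps `epg-import-keys-from-file'). Setting `package-check-signature' to t instead of `allow-unsigned' closes the remaining gap, since an unsigned package then hits the second branch and is refused too.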



