GNU bug report logs - #17625
details of package signing mechanism

Package: emacs;

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.

Message #60 received at 17625 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: 17625 <at> debbugs.gnu.org
Subject: Re: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 21 Jun 2014 19:50:57 -0400
Glenn Morris wrote:

> I suggest creating a test package on elpa.gnu.org that is signed to see
> how it works.

Is anyone interested in doing this?
This feature seems like it might be almost there, so IMO it would seem
like a shame to release 24.4 without ever testing this in the wild.

> If package-check-signature has its default value, `allow-unsigned', you
> can happily install a package with no signature, but trying to install
> one that _is_ signed, but for which you don't have the public key, fails
> with "Failed to verify signature".

I think that is a potential show-stopper.
Perhaps archives could also provide keys for download in a standard location.
The first time you connect to a given archive, Emacs could offer to
download and import the key (with a suitable warning). Or is this crazy?
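The asymmetry described above (an unsigned package installs under `allow-unsigned', while a signed package whose key is not in the keyring fails) comes down to how the outcome of a signature check is classified. The following is an added Emacs Lisp example, not code from this thread or from package.el itself; it assumes a detached `TARBALL.sig' next to the tarball, a GnuPG home directory holding the archive keys, and hypothetical function names.

```elisp
;; Added example (not from the bug thread or from package.el): classify a
;; package tarball's signature state and apply the three verification policies.
(require 'epg)
(require 'cl-lib)

(defun my-package-signature-state (tarball keyring-dir)
  "Return one of `unsigned', `good', `no-pubkey' or `bad' for TARBALL.
A detached signature is expected at TARBALL.sig (assumed layout).
KEYRING-DIR is the GnuPG home directory holding the archive keys."
  (let ((sig (concat tarball ".sig")))
    (if (not (file-exists-p sig))
        ;; No .sig file at all: this is the case `allow-unsigned' accepts.
        'unsigned
      (let ((ctx (epg-make-context 'OpenPGP)))
        (setf (epg-context-home-directory ctx) keyring-dir)
        ;; epg signals `epg-error' on some failures (e.g. gpg missing); the
        ;; per-signature status below is what distinguishes the cases we care about.
        (condition-case nil
            (epg-verify-file ctx sig tarball)
          (error nil))
        (let* ((sigs (epg-context-result-for ctx 'verify))
               (statuses (mapcar #'epg-signature-status sigs)))
          (cond ((null sigs) 'bad)
                ;; Signed, but the signing key is not in KEYRING-DIR: this is
                ;; the "Failed to verify signature" case quoted above.
                ((memq 'no-pubkey statuses) 'no-pubkey)
                ((cl-every (lambda (s) (eq s 'good)) statuses) 'good)
                (t 'bad)))))))

(defun my-package-install-allowed-p (state policy)
  "Return non-nil when STATE passes POLICY.
POLICY mirrors `package-check-signature': nil never checks,
`allow-unsigned' accepts missing signatures but not unverifiable ones,
and t requires a good signature."
  (cond ((null policy) t)
        ((eq policy 'allow-unsigned) (memq state '(unsigned good)))
        (t (eq state 'good))))
```

Running `my-package-install-allowed-p' over the four states shows that only `no-pubkey' and `bad' are rejected under `allow-unsigned', which is the behaviour the thread calls a potential show-stopper.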
