GNU bug report logs - #17625
details of package signing mechanism

Previous Next

Package: emacs;

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 17625 <at> debbugs.gnu.org
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sun, 22 Jun 2014 08:30:09 -0400

>> I suggest creating a test package on elpa.gnu.org that is signed to see
>> how it works.
> Is anyone interested in doing this?
> This feature seems like it might be almost there, so IMO it would seem
> like a shame to release 24.4 without ever testing this in the wild.

I could try if someone tells me what I need to do.

>> If package-check-signature has its default value, `allow-unsigned', you
>> can happily install a package with no signature, but trying to install
>> one that _is_ signed, but for which you don't have the public key, fails
>> with "Failed to verify signature".
> I think that is a potential show-stopper. 

The "failed to verify" should distinguish the "we don't have the key"
case from the "signature is invalid" case, indeed.

> Perhaps archives could also provide keys for download in a standard location.
> The first time you connect to a given archive, Emacs could offer to
> download and import the key (with a suitable warning). Or is this crazy?

No, it sounds reasonable.  We'll also need support for updating the key,
at some point.


        Stefan
This bug report was last modified 10 years and 236 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.