GNU bug report logs -
#17625
details of package signing mechanism
Previous Next
Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>
Date: Thu, 29 May 2014 03:12:01 UTC
Severity: important
Tags: security
Found in version 24.4.50
Done: Stefan Monnier <monnier <at> iro.umontreal.ca>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
Stefan Monnier wrote:
> I could try if someone tells me what I need to do.
Something like this:
Make a test package on elpa.gnu.org (don't use a real one for the reason
I mentioned about people currently not being able to install it without
the key). Maybe do both a single-file one and a multi-file one.
Generate a gpg key using gpg --gen-key.
For testing, accepting all the defaults seems fine.
Later we should think whether/when the key should expire, and whose
name/email it should use (eg yours, or a generic elpa.gnu.org one). We
also need to think about how to store the key passphrase, if things are
to be signed automatically.
Use that key to sign the test packages:
gpg -ba -o FILE.sig FILE
where FILE = foo.el or foo.tar
Put FILE.sig in the same place as FILE on the server.
Export the public part of the key you just generated:
gpg --armor --export email <at> example.com > foo.key
I think that's it for the server.
On the client, try to install that package from Emacs.
It should fail until you import the public key using
M-x package-import-keyring.
This bug report was last modified 10 years and 236 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.