GNU bug report logs - #17625
details of package signing mechanism


Package: emacs;

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.

Full log


Message #66 received at 17625 <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 17625 <at> debbugs.gnu.org
Subject: Re: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Mon, 23 Jun 2014 12:01:14 -0400

Stefan Monnier wrote:

> I could try if someone tells me what I need to do.

Something like this:

Make a test package on elpa.gnu.org (don't use a real one for the reason
I mentioned about people currently not being able to install it without
the key). Maybe do both a single-file one and a multi-file one.

Generate a gpg key using gpg --gen-key.
For testing, accepting all the defaults seems fine.

Later we should think whether/when the key should expire, and whose
name/email it should use (eg yours, or a generic elpa.gnu.org one). We
also need to think about how to store the key passphrase, if things are
to be signed automatically.

Use that key to sign the test packages:

 gpg -ba -o FILE.sig FILE

where FILE = foo.el or foo.tar

Put FILE.sig in the same place as FILE on the server.

Export the public part of the key you just generated:
gpg --armor --export email <at> example.com > foo.key

I think that's it for the server.

On the client, try to install that package from Emacs.
It should fail until you import the public key using
M-x package-import-keyring.
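The server and client steps Glenn lists above, run end to end in a throw-away GNUPGHOME so nothing touches a real keyring. This is an added example, not code from the bug thread or from Emacs/ELPA. It assumes gpg 2.1 or later (for --quick-generate-key), an assumed signer identity "ELPA Test <elpa-test@example.com>", and a constructed one-line foo.el standing in for the test package; the key has no passphrase purely for the demo, which is exactly the open question Glenn raises about storing a passphrase for automatic signing. It goes one step past the message: after showing that verification fails before the public key is imported and succeeds after, it also checks that a modified foo.el fails against the original signature, which is the property the signing mechanism is supposed to give package-install.

```shell
#!/bin/sh
# Added example: ELPA-style detached signing and client-side verification with gpg.
# Everything lives under a temporary directory; the real ~/.gnupg is never used.
set -eu

elpa_sign_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }

    work=$(mktemp -d)
    server="$work/server"; client="$work/client"   # two separate keyrings
    mkdir -p "$server" "$client"
    chmod 700 "$server" "$client"

    # ---- server side (elpa.gnu.org) ----
    # Constructed stand-in for the test package; a real run would use the
    # foo.el or foo.tar produced for the archive.
    cat > "$work/foo.el" <<'EOF'
;;; foo.el --- test package  -*- lexical-binding: t -*-
;; Version: 0.1
(provide 'foo)
;;; foo.el ends here
EOF

    # Generate the signing key non-interactively. Assumed identity; no passphrase
    # (loopback pinentry with an empty passphrase) so signing can run unattended.
    GNUPGHOME="$server" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'ELPA Test <elpa-test@example.com>' default default never

    # Detached, ASCII-armoured signature: the exact command from the message.
    GNUPGHOME="$server" gpg --batch --quiet -ba -o "$work/foo.el.sig" "$work/foo.el"

    # Export the public half for distribution to clients (foo.key in the message).
    GNUPGHOME="$server" gpg --batch --armor --export elpa-test@example.com > "$work/foo.key"

    # ---- client side (Emacs user) ----
    # 1. No public key yet: verification must fail, which is why package-install
    #    rejects the package before M-x package-import-keyring.
    if GNUPGHOME="$client" gpg --batch --quiet --verify "$work/foo.el.sig" "$work/foo.el" 2>/dev/null; then
        echo "unexpected: verified without the public key"; return 1
    fi

    # 2. Import foo.key into the client's keyring (what package-import-keyring does
    #    into the keyring Emacs keeps for package verification).
    GNUPGHOME="$client" gpg --batch --quiet --import "$work/foo.key" 2>/dev/null

    # 3. Same signature, same file: now verifies (gpg exits 0 even though the key is
    #    not yet marked trusted; it only warns).
    GNUPGHOME="$client" gpg --batch --quiet --verify "$work/foo.el.sig" "$work/foo.el" 2>/dev/null \
        || { echo "unexpected: verification failed after import"; return 1; }

    # 4. Tampered package: any change to foo.el invalidates the detached signature.
    echo ';; tampered' >> "$work/foo.el"
    if GNUPGHOME="$client" gpg --batch --quiet --verify "$work/foo.el.sig" "$work/foo.el" 2>/dev/null; then
        echo "unexpected: tampered file verified"; return 1
    fi

    # Tidy up the agent gpg auto-started for the temporary server home.
    GNUPGHOME="$server" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo ok
}

elpa_sign_demo
```

Because the client keyring starts empty, step 1 fails with "No public key" rather than with a bad signature; that distinction is what the "unsigned" marking in the bug title is about. Note that gpg --verify succeeds once the key is merely imported, not trusted, so the import step is the whole trust decision from the client's point of view.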




This bug report was last modified 10 years and 236 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.