GNU bug report logs - #17625
details of package signing mechanism


Package: emacs

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.


From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: 17625 <at> debbugs.gnu.org
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Wed, 25 Jun 2014 11:39:36 -0400

Hi Daiki,

I have the impression you might have missed this bug-report; could you
take a look at it?

There are several issues in it:

1- why have `package-desc-signed' (and the foo.signed files)?  I don't
   think APT has such a feature and I'm wondering what would be
   the interest.  In any case, given that all packages installed so far
   are not signed, `list-packages' currently shouldn't scream
   "unsigned" since it's the normal expected case.

2- Could you fix package--check-signature so that we don't signal an
   error when we `allow-unsigned' and there's a signature, but the
   signature just can't be checked for lack of key?

3- I think we need support for a keyring distributed with Emacs.
   Maybe to make things simpler, this keyring would only be used to seed
   the user's ~/.emacs.d/elpa/gnupg.


-- Stefan
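
The behaviour requested in item 2, sketched as an added example (not code from package.el or from anyone in this thread): a signature that cannot be checked for lack of the key is treated like a missing signature under `allow-unsigned', while a signature that fails verification is still rejected. Every `demo-' name is hypothetical, the GnuPG status lines are constructed samples, and rejecting a bad signature under every non-nil policy is an assumption of this sketch.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration, not package.el code.  `demo-' names are hypothetical;
;; the status text is constructed in the format gpg writes with --status-fd.

(defun demo-sig-status (gpg-status)
  "Classify GPG-STATUS text as `good', `bad', `no-pubkey' or `error'."
  (cond
   ;; Test the failure keywords first so GOODSIG cannot mask them.
   ((string-match-p "^\\[GNUPG:\\] BADSIG " gpg-status) 'bad)
   ((string-match-p "^\\[GNUPG:\\] NO_PUBKEY " gpg-status) 'no-pubkey)
   ((string-match-p "^\\[GNUPG:\\] GOODSIG " gpg-status) 'good)
   (t 'error)))

(defun demo-install-decision (policy sig-text gpg-status)
  "Return `install', `install-unverified' or `reject'.
POLICY takes the values of `package-check-signature': nil,
`allow-unsigned' or t.  SIG-TEXT is the detached signature, or nil
when the archive served none.  GPG-STATUS is gpg's status output."
  (let ((status (and sig-text (demo-sig-status gpg-status))))
    (cond
     ((null policy) 'install-unverified)      ; checking switched off
     ((eq status 'good) 'install)
     ;; No signature, or one that cannot be checked for lack of the key:
     ;; under `allow-unsigned' this is not an error, under t it is.
     ((memq status '(nil no-pubkey))
      (if (eq policy 'allow-unsigned) 'install-unverified 'reject))
     ;; BADSIG or unparseable status: reject (assumption of this sketch).
     (t 'reject))))

;; Self-check over constructed inputs; signals an error on any mismatch.
(let ((no-key (concat "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1403710776 9\n"
                      "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"))
      (bad "[GNUPG:] BADSIG 0123456789ABCDEF Constructed Key\n")
      (good "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Key\n"))
  (dolist (row `((allow-unsigned "sig" ,no-key install-unverified)
                 (t              "sig" ,no-key reject)
                 (allow-unsigned "sig" ,bad    reject)
                 (allow-unsigned nil   ""      install-unverified)
                 (t              nil   ""      reject)
                 (t              "sig" ,good   install)))
    (unless (eq (apply #'demo-install-decision (butlast row))
                (car (last row)))
      (error "Unexpected decision for %S" row))))
```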




This bug report was last modified 10 years and 237 days ago.
