GNU bug report logs - #17625
details of package signing mechanism


Package: emacs

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.


From: Daiki Ueno <ueno <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 17625 <at> debbugs.gnu.org
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Thu, 26 Jun 2014 16:28:47 +0900

Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

> I have the impression you might have missed this bug-report, could you
> take a look at it?

Yes, thanks for noticing.

> There are several issues in it:
>
> 1- why have `package-desc-signed' (and the foo.signed files)?  I don't
>    think APT has such a feature and I'm wondering what would be
>    the interest.

I remember it was exactly for displaying signed/unsigned status on the
list, requested by Ted:
https://lists.gnu.org/archive/html/emacs-devel/2013-10/msg00033.html
I'm not sure if it is useful at this point.

>    In any case given that all packages installed so far are not
>    signed, the `list-packages' currently shouldn't scream "unsigned"
>    since it's the normal expected case.

Makes sense.

> 2- Could you fix package--check-signature so that we don't signal an
>    error when we `allow-unsigned' and there's a signature, but the
>    signature just can't be checked for lack of key.

Should be fixed now (r117413).

Regards,
--
Daiki Ueno
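
The policy requested in point 2 of the message above, modelled as an added example; it is not code from package.el or from either correspondent. The `demo-` names and the status symbols are hypothetical, and the handling of bad signatures and of multiple signatures in one .sig file is an assumption.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not code from package.el.  All `demo-' names and the
;; status symbols are hypothetical.
(require 'cl-lib)

(defun demo-check-signature (policy statuses)
  "Decide how to treat a package under POLICY given signature STATUSES.
POLICY is nil (no checking), `allow-unsigned' or t (signature required).
STATUSES holds one symbol per signature in the detached .sig file:
`good', `bad' or `no-pubkey'; nil means there is no .sig file.
Return `signed' or `unsigned', or signal an error to refuse installation."
  (cond
   ((null policy) 'unsigned)                 ; checking disabled
   ((null statuses)                          ; nothing to verify
    (if (eq policy 'allow-unsigned)
        'unsigned
      (error "Package is unsigned")))
   ;; Assumption: one good signature is enough.
   ((memq 'good statuses) 'signed)
   ;; Point 2: under `allow-unsigned', a signature that cannot be checked
   ;; only because the key is missing is handled like no signature.
   ((and (eq policy 'allow-unsigned)
         (cl-every (lambda (s) (eq s 'no-pubkey)) statuses))
    'unsigned)
   ;; Assumption: any other failure (e.g. a bad signature) stays fatal.
   (t (error "Failed to verify signature: %S" statuses))))

;; Constructed cases: (POLICY STATUSES EXPECTED); EXPECTED `error' = refused.
(defconst demo-cases
  '((allow-unsigned ()               unsigned)
    (allow-unsigned (no-pubkey)      unsigned)
    (allow-unsigned (bad)            error)
    (allow-unsigned (no-pubkey good) signed)
    (t              (no-pubkey)      error)
    (t              (good)           signed)))

(dolist (c demo-cases)
  (cl-destructuring-bind (policy statuses expected) c
    (let ((got (condition-case nil
                   (demo-check-signature policy statuses)
                 (error 'error))))
      (cl-assert (eq got expected) t)
      (message "%-15S %-18S -> %S" policy statuses got))))
```

The third and fifth cases are the ones to watch when reviewing such a change: the missing-key exception applies only under `allow-unsigned`, and it must not widen into accepting a signature that was checked and failed.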




This bug report was last modified 10 years and 237 days ago.
