GNU bug report logs - #22089
installs packages with bad signatures


Package: emacs

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Thu, 3 Dec 2015 23:11:02 UTC

Severity: important

Found in version 25.0.50

Done: Artur Malabarba <bruce.connor.am <at> gmail.com>

Bug is archived. No further changes may be made.


From: Glenn Morris <rgm <at> gnu.org>
To: 22089 <at> debbugs.gnu.org
Subject: bug#22089: installs packages with bad signatures
Date: Thu, 03 Dec 2015 18:10:09 -0500
Package: emacs
Version: 25.0.50
Severity: important

Emacs happily installs packages with bad gpg signatures.
This has been flagged by the test-suite and automated builds for the past
several weeks. (I feel like asking why we even have those things, for
all the attention they seem to get.)

This seems to be the first failure.
http://hydra.nixos.org/build/27800227

Here is the diff from the previous build, with several package changes:
http://hydra.nixos.org/api/scmdiff?type=git&rev2=937565268a5dc3377d4c9bff6d48eb3645a77160&rev1=70f1fda4ae6abb5e11dcf281738c25f6f5b06061&uri=git%3A%2F%2Fgit.sv.gnu.org%2Femacs.git&branch=

Here's a standalone recipe in the emacs-25 branch:

cd test/automated
mkdir /tmp/foo
HOME=/tmp/foo ../../src/emacs -Q
(setq package-archives `(("gnu" . ,(expand-file-name "data/package/signed/"))))
(package-import-keyring "data/package/key.pub")
(package-initialize)
(package-refresh-contents)
(package-install 'signed-bad)

M-x list-packages    ->  signed-bad installed
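
The recipe above can be turned into an automated fail-closed check. This is an added example, not part of the original report or of the Emacs test suite; the test name `sig-check/signed-bad-not-installed` is hypothetical. It assumes it is evaluated in the isolated session the recipe starts (`HOME=/tmp/foo ../../src/emacs -Q` from `test/automated`), so the relative `data/package/` paths resolve and nothing touches a real user directory.

```elisp
;; Added example: regression check for the recipe in this report.
;; Evaluate in the session started by the recipe, then run with
;; M-x ert RET sig-check/signed-bad-not-installed RET
(require 'ert)
(require 'package)

(ert-deftest sig-check/signed-bad-not-installed () ; hypothetical name
  "A package whose signature does not verify must never end up installed."
  (let ((package-archives
         `(("gnu" . ,(expand-file-name "data/package/signed/")))))
    ;; Same setup steps as the recipe.
    (package-import-keyring "data/package/key.pub")
    (package-initialize)
    (package-refresh-contents)
    ;; The install attempt may signal an error once signatures are
    ;; enforced.  Swallow it here: the property under test is the end
    ;; state, not the exact error.
    (ignore-errors (package-install 'signed-bad))
    ;; 1. package.el must not consider the package installed.
    (should-not (package-installed-p 'signed-bad))
    ;; 2. Nothing from the rejected package may be left in the package
    ;;    directory, where a later `package-initialize' could pick it up.
    (should-not (file-expand-wildcards
                 (expand-file-name "signed-bad-*" package-user-dir)))))
```

On a build that shows the behaviour reported here, the first `should-not` fails.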




This bug report was last modified 9 years and 220 days ago.
