GNU bug report logs - #22440
25.1.50; package.el fails to install with package-check-signature t

Package: emacs;

Reported by: Mark Oteiza <mvoteiza <at> udel.edu>

Date: Sat, 23 Jan 2016 00:50:02 UTC

Severity: important

Tags: security

Found in version 25.1.50

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

From: Artur Malabarba <bruce.connor.am <at> gmail.com>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: Mark Oteiza <mvoteiza <at> udel.edu>, ueno <at> gnu.org, 22440 <at> debbugs.gnu.org, Dmitry Gutov <dgutov <at> yandex.ru>
Subject: bug#22440: 25.1.50; package.el fails to install with package-check-signature t
Date: Wed, 18 May 2016 16:33:04 -0300
Artur Malabarba <bruce.connor.am <at> gmail.com> writes:

> Paul Eggert <eggert <at> cs.ucla.edu> writes:
>
>> I observed the same thing, but as I have no idea how packages ought to work I didn't know whether that was expected. If not, it's a bug too -- 
>> should it get a different bug report or is this all the same bug?
>
> Yes, it's a bug. Looks like it was introduced by the commit below.
> I've CC'd Daiki.

Here's a proposed fix.

---

Author:     Artur Malabarba <bruce.connor.am <at> gmail.com>

* lisp/emacs-lisp/package.el (package-refresh-contents):

Don't change the value of `package-check-signature'.
(package-check-signature): Use `epg-find-configuration'
instead of `executable-find'.

1 file changed, 6 insertions(+), 10 deletions(-)
lisp/emacs-lisp/package.el | 16 ++++++----------

modified   lisp/emacs-lisp/package.el
@@ -302,10 +302,12 @@ package-directory-list
   :risky t
   :version "24.1")
 
-(defvar epg-gpg-program)
+(declare-function epg-find-configuration "epg-config"
+                  (protocol &optional force))
 
 (defcustom package-check-signature
-  (if (progn (require 'epg-config) (executable-find epg-gpg-program))
+  (if (and (require 'epg-config)
+           (epg-find-configuration 'OpenPGP))
       'allow-unsigned)
   "Non-nil means to check package signatures when installing.
 The value `allow-unsigned' means to still install a package even if
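Review bot: in the new default form, `(require 'epg-config)` inside the `and` can never yield nil, because `require` either returns the feature or signals an error; the `and` therefore only sequences the two calls, and a missing epg-config still aborts evaluation of this defcustom at load time. If the default is meant to fall back to nil when epg-config cannot be loaded, write `(require 'epg-config nil t)`; otherwise keep the earlier `progn` shape so the form does not read as a guard. With `(defvar epg-gpg-program)` removed, also confirm that nothing else in package.el still refers to that variable, or the byte compiler will warn about a free variable.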
@@ -1457,8 +1459,6 @@ package-initialize
 (defvar package--downloads-in-progress nil
   "List of in-progress asynchronous downloads.")
 
-(declare-function epg-find-configuration "epg-config"
-                  (protocol &optional force))
 (declare-function epg-import-keys-from-file "epg" (context keys))
 
 ;;;###autoload
@@ -1558,12 +1558,8 @@ package-refresh-contents
   (let ((default-keyring (expand-file-name "package-keyring.gpg"
                                            data-directory))
         (inhibit-message async))
-    (if (get 'package-check-signature 'saved-value)
-        (when package-check-signature
-          (epg-find-configuration 'OpenPGP))
-      (setq package-check-signature
-            (if (epg-find-configuration 'OpenPGP)
-                'allow-unsigned)))
+    (when package-check-signature
+      (epg-find-configuration 'OpenPGP))
     (when (and package-check-signature (file-exists-p default-keyring))
       (condition-case-unless-debug error
           (package-import-keyring default-keyring)
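Review bot: the value returned by `(epg-find-configuration 'OpenPGP)` in the new `when` is thrown away, so when `package-check-signature` is non-nil but no OpenPGP configuration is found, control still reaches `package-import-keyring`, and any failure there is only caught by the surrounding `condition-case-unless-debug`. Either add a comment saying the call is made purely for its side effect, or test the result and report the missing configuration at this point, so that a user who set `package-check-signature` to t gets a clear diagnostic instead of an error from the keyring import.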



