GNU bug report logs - #22440
25.1.50; package.el fails to install with package-check-signature t

Package: emacs;

Reported by: Mark Oteiza <mvoteiza <at> udel.edu>

Date: Sat, 23 Jan 2016 00:50:02 UTC

Severity: important

Tags: security

Found in version 25.1.50

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


Message #66 received at 22440 <at> debbugs.gnu.org (full text, mbox):

From: Lizzie Dixon <_ <at> lizzie.io>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: Mark Oteiza <mvoteiza <at> udel.edu>, 22440 <at> debbugs.gnu.org,
 Artur Malabarba <bruce.connor.am <at> gmail.com>, Dmitry Gutov <dgutov <at> yandex.ru>
Subject: Re: bug#22440: 25.1.50; package.el fails to install with
 package-check-signature t
Date: Wed, 18 May 2016 21:39:05 -0700

On 05/15, Paul Eggert wrote:
> Dmitry Gutov wrote:
> > On 05/15/2016 10:03 AM, Paul Eggert wrote:
> > 
> >> package-check-signature t means check package signatures when installing, and do
> >> not install a package if it is unsigned. Which is what is happening, right?
> > 
> > Aren't packages coming from GNU ELPA supposed to all be signed?
> 
> Sorry, I don't know. I don't even know how to determine whether that particular
> package is signed.

You can tell because http://elpa.gnu.org/packages/async-1.9.tar.sig exists.

$ curl -O 'http://elpa.gnu.org/packages/async-1.9.tar'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 61440  100 61440    0     0  98420      0 --:--:-- --:--:-- --:--:-- 98304
$ curl -O 'http://elpa.gnu.org/packages/async-1.9.tar.sig'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    96  100    96    0     0    254      0 --:--:-- --:--:-- --:--:--   253
$ gpg --no-default-keyring --keyring /usr/share/emacs/25.0.93/etc/package-keyring.gpg --verify async-1.9.tar.sig 
gpg: assuming signed data in 'async-1.9.tar'
gpg: Signature made Wed 18 May 2016 02:05:02 PM PDT using DSA key ID 7FBDEF9B
gpg: Good signature from "GNU ELPA Signing Agent <elpasign <at> elpa.gnu.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CA44 2C00 F917 74F1 7F59  D9B0 474F 0583 7FBD EF9B
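
The manual check in the message above, scripted against gpg's machine-readable status lines instead of the "Good signature" text, with the signing key pinned to the fingerprint gpg printed. This is an added example, not part of the original message or of package.el; the function names `check_status` and `verify_pkg` are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread or from package.el.
# Fingerprint shown in the gpg output in the message, spaces removed.
ELPA_FPR=CA442C00F91774F17F59D9B0474F05837FBDEF9B

# check_status FPR: read `gpg --status-fd 1` output on stdin.
# Succeeds only if a VALIDSIG line names FPR as the signing key or as the
# primary key, and no line reports a bad, expired or revoked signature/key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pkg TARBALL KEYRING: expects the detached signature at TARBALL.sig.
# Returns 2 when the package is unsigned, otherwise check_status's result.
verify_pkg() {
    [ -f "$1.sig" ] || { echo "unsigned: no $1.sig" >&2; return 2; }
    gpg --no-default-keyring --keyring "$2" --status-fd 1 \
        --verify "$1.sig" "$1" 2>/dev/null | check_status "$ELPA_FPR"
}

# Constructed status output for a good signature by the pinned key.
SAMPLE_GOOD='[GNUPG:] GOODSIG 474F05837FBDEF9B GNU ELPA Signing Agent
[GNUPG:] VALIDSIG CA442C00F91774F17F59D9B0474F05837FBDEF9B 2016-05-18 1463605502 0 4 0 17 2 00 CA442C00F91774F17F59D9B0474F05837FBDEF9B'

# Constructed status output for a tarball that does not match its signature.
SAMPLE_BAD='[GNUPG:] BADSIG 474F05837FBDEF9B GNU ELPA Signing Agent'

# Self-check on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | check_status "$ELPA_FPR" && echo "good sample accepted"
printf '%s\n' "$SAMPLE_BAD" | check_status "$ELPA_FPR" || echo "bad sample rejected"
```

With the files from the session above, the call would be `verify_pkg async-1.9.tar /usr/share/emacs/25.0.93/etc/package-keyring.gpg`.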




This bug report was last modified 9 years and 67 days ago.
