From: "L. Dixon" <_@lizzie.io>
To: 23513@debbugs.gnu.org
Subject: bug#23513: package.el treats empty signatures as correct
Date: Wed, 11 May 2016 02:39:40 -0700
Message-ID: <20160511093940.GA26912@empress>

Hi!

I noticed an issue in package.el checking malformed and empty signatures. It behaves as if malformed and empty signatures are correct. You can validate this by evaling the following lisp:

    (setq package-check-signature t) ;; or 'allow-unsigned
    (package--check-signature-content "a" "b") ;; => nil, no signal

The issue is a result of the following code (from package.el, 62d7aca, current HEAD of master) in lines 1208-1223, the definition of package--check-signature-content:

    (let (good-signatures had-fatal-error)
      ;; The .sig file may contain multiple signatures. Success if one
      ;; of the signatures is good.
      (dolist (sig (epg-context-result-for context 'verify))
        ;; [elided... conditionally set good-signatures or had-fatal-error]
        )
      (when (and (null good-signatures) had-fatal-error)
        (package--display-verify-error context sig-file)
        (signal 'bad-signature (list sig-file))))

epg-context-result-for returns nil for malformed or empty signatures; in this case the body of the dolist never gets evaluated for any sig, and so both good-signatures and had-fatal-error end up nil. The signal doesn't get triggered and package--check-signature-content returns normally.

I've included a patch and some additional cases for the test suite.
The new tests fail against HEAD of master and pass with the patch applied.

This patch includes a new test/lisp/emacs-lisp/package-resources/key.sec and signatures, since I couldn't find the passphrase for the existing one and needed to sign /test/lisp/emacs-lisp/package-resources/signed/archive-contents for the new test. As a result, this patch contains binary differences and so needs to be applied with git-apply. The passphrase for the new key is 'passphrase'. Happy to use the old key if someone knows how.

I also deleted the skip-unless clause in the package-test-signed, since the test runs normally without it. I may be misunderstanding something here, but I'm worried that skipping this test will mask similar issues or regressions.

Thanks,
Lizzie.

diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el index c05bb53..9fc2451 100644 --- a/lisp/emacs-lisp/package.el +++ b/lisp/emacs-lisp/package.el @@ -1218,7 +1218,7 @@ package--check-signature-content (unless (and (eq package-check-signature 'allow-unsigned) (eq (epg-signature-status sig) 'no-pubkey)) (setq had-fatal-error t)))) - (when (and (null good-signatures) had-fatal-error) + (when (or (null good-signatures) had-fatal-error) (package--display-verify-error context sig-file) (signal 'bad-signature (list sig-file))) good-signatures))) diff --git a/test/lisp/emacs-lisp/package-resources/key.pub b/test/lisp/emacs-lisp/package-resources/key.pub index a326d34..b3bd7a5 100644 --- a/test/lisp/emacs-lisp/package-resources/key.pub +++ b/test/lisp/emacs-lisp/package-resources/key.pub
diff --git a/test/lisp/emacs-lisp/package-resources/key.sec b/test/lisp/emacs-lisp/package-resources/key.sec index d21e6ae9a452ff9b7942e2a3310f0d43eb80527b..5021d12dc8e0cb3a6b52e6f6fda1dc99b4228bb8 100644 GIT binary patch
diff --git a/test/lisp/emacs-lisp/package-resources/signed/signed-bad-1.0.el.sig b/test/lisp/emacs-lisp/package-resources/signed/signed-bad-1.0.el.sig index 747918794cab396b0b16c3d02530f45329593e8a..0803d129514565c17b1d490a6751deae9ba98c0b 100644 GIT binary patch diff --git a/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el b/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el new file mode 100644 index 0000000..f23d144 --- /dev/null +++ b/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el @@ -0,0 +1,33 @@ +;;; signed-empty.el --- A single-file package with an empty signature + +;; Author: J. R. Hacker +;; Version: 1.0 +;; Keywords: frobnicate +;; URL: http://doodles.au + +;;; Commentary: + +;; This package provides a minor mode to frobnicate and/or bifurcate +;; any flanges you desire. To activate it, type "C-M-r M-3 butterfly" +;; and all your dreams will come true. + +;;; Code: + +(defgroup signed-empty nil "Simply a file" + :group 'lisp) + +(defcustom signed-empty-super-sunday t + "How great is this?" + :type 'boolean + :group 'signed-empty) + +(defvar signed-empty-sudo-sandwich nil + "Make a sandwich?") + +;;;###autoload +(define-minor-mode signed-empty-mode + "It does good things to stuff") + +(provide 'signed-empty) + +;;; signed-empty.el ends here
diff --git a/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el.sig b/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el.sig new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/test/lisp/emacs-lisp/package-resources/signed/signed-good-1.0.el.sig b/test/lisp/emacs-lisp/package-resources/signed/signed-good-1.0.el.sig index 747918794cab396b0b16c3d02530f45329593e8a..0803d129514565c17b1d490a6751deae9ba98c0b 100644 GIT binary patch diff --git a/test/lisp/emacs-lisp/package-tests.el b/test/lisp/emacs-lisp/package-tests.el index 70e129c..67da2e1 100644 --- a/test/lisp/emacs-lisp/package-tests.el +++ b/test/lisp/emacs-lisp/package-tests.el @@ -459,15 +459,6 @@ package-test-desc-version-string (ert-deftest package-test-signed () "Test verifying package signature." - (skip-unless (ignore-errors - (let ((homedir (make-temp-file "package-test" t))) - (unwind-protect - (let ((process-environment - (cons (format "HOME=%s" homedir) - process-environment))) - (epg-check-configuration (epg-configuration)) - (epg-find-configuration 'OpenPGP)) - (delete-directory homedir t))))) (let* ((keyring (expand-file-name "key.pub" package-test-data-dir)) (package-test-data-dir (expand-file-name "package-resources/signed" package-test-file-dir)))
@@ -476,6 +467,7 @@ package-test-desc-version-string (package-import-keyring keyring) (package-refresh-contents) (should (package-install 'signed-good)) + (should-error (package-install 'signed-empty)) (should-error (package-install 'signed-bad)) ;; Check if the installed package status is updated. (let ((buf (package-list-packages)))
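
Review bot: in the package.el hunk, the new condition (or (null good-signatures) had-fatal-error) makes had-fatal-error sufficient on its own, so a .sig carrying one good signature and one failing signature now signals bad-signature, while the comment quoted in the report says "Success if one of the signatures is good". The same line also makes the allow-unsigned / no-pubkey exemption in the context lines moot: that case leaves both variables nil, and (null good-signatures) then signals anyway. If the goal is only to reject an empty result list, test (null good-signatures) for that case and track the exempted no-pubkey case in its own flag, and say in the comment which outcome is intended for each.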
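
Review bot: the first package-tests.el hunk deletes the whole skip-unless guard, which probed (epg-check-configuration (epg-configuration)) and (epg-find-configuration 'OpenPGP) under a temporary HOME; on a host without a usable OpenPGP setup package-test-signed will now fail rather than be skipped. If the worry is a security test that is skipped silently, keep the guard and make the skip visible where the suite is run, and give the reason for the change in the commit message.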
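
Review bot: the added (should-error (package-install 'signed-empty)) in the second package-tests.el hunk passes on any error at all, including one unrelated to verification, so it would not notice if the package failed to install for some other reason. Pin it to the condition the fix raises, for example (should-error (package-install 'signed-empty) :type 'bad-signature), provided that signal reaches the caller unchanged, and consider the same for the signed-bad line below it.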
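
The accept/reject decision described in the report, as an added example that is not code from package.el or from this thread: it replaces the signature results with constructed lists of status symbols and compares the condition before and after the patch. All demo- names are hypothetical, and the branch that records a good signature is an assumption, since the report elides it.

```elisp
;;; sig-check-demo.el --- added example -*- lexical-binding: t -*-

;; Models only the accept/reject decision of
;; `package--check-signature-content'.  Each STATUSES list is a constructed
;; stand-in for the signatures `epg-context-result-for' reports; GnuPG is
;; never run.  All demo-* names are hypothetical.

(define-error 'demo-bad-signature "Failed to verify signature")

(defun demo-classify (statuses check-signature)
  "Return (GOOD . FATAL) for the signature STATUSES.
CHECK-SIGNATURE stands in for `package-check-signature'."
  (let (good fatal)
    (dolist (status statuses)
      (if (eq status 'good)       ; assumed: this branch is elided on the page
          (push status good)
        ;; From the hunk context: an unknown key is not fatal under
        ;; `allow-unsigned'.
        (unless (and (eq check-signature 'allow-unsigned)
                     (eq status 'no-pubkey))
          (setq fatal t))))
    (cons good fatal)))

(defun demo-check (reject-p statuses check-signature)
  "Signal `demo-bad-signature' when REJECT-P says so, else return GOOD.
REJECT-P is called with the GOOD list and the FATAL flag."
  (let* ((result (demo-classify statuses check-signature))
         (good (car result))
         (fatal (cdr result)))
    (when (funcall reject-p good fatal)
      (signal 'demo-bad-signature (list statuses)))
    good))

(defun demo-reject-before (good fatal)
  "Condition before the patch: rejects only if a failure was seen."
  (and (null good) fatal))

(defun demo-reject-after (good fatal)
  "Condition after the patch: the absence of a good signature is enough."
  (or (null good) fatal))

(defun demo-outcome (reject-p statuses check-signature)
  "Return `signaled' or `returned' for one constructed case."
  (condition-case nil
      (progn (demo-check reject-p statuses check-signature) 'returned)
    (demo-bad-signature 'signaled)))

(defconst demo-cases
  '((()          t)                 ; empty or malformed .sig: no results
    ((good)      t)
    ((bad)       t)
    ((good bad)  t)                 ; several signatures, one of them good
    ((no-pubkey) allow-unsigned))   ; unknown key, unsigned packages allowed
  "Constructed (STATUSES CHECK-SIGNATURE) inputs.")

(defun demo-run ()
  "Print the outcome of each case under both conditions."
  (dolist (entry demo-cases)
    (let ((statuses (car entry))
          (mode (cadr entry)))
      (princ (format "%-14S %-15S before=%-9s after=%s\n"
                     statuses mode
                     (demo-outcome #'demo-reject-before statuses mode)
                     (demo-outcome #'demo-reject-after statuses mode))))))

(demo-run)
```

Saved to a file and loaded with emacs --batch -l, the first row is the empty-result case from the report; the (good bad) and (no-pubkey) rows are the other inputs whose outcome differs between the two conditions.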

From: Glenn Morris
Date: Wed, 11 May 2016 14:34:23 -0400
Subject: control message for bug 23513

severity 23513 important
tag 23513 security patch

From: Glenn Morris
Date: Wed, 11 May 2016 14:34:43 -0400
Subject: control message for bug 21966

block 21966 by 23513

From: Glenn Morris
Date: Wed, 11 May 2016 14:43:01 -0400
Subject: control message for bug 21966

unblock 21966 by 23513

From: Glenn Morris
Date: Wed, 11 May 2016 14:43:13 -0400
Subject: control message for bug 19759

block 19759 by 23513

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: "L. Dixon" <_@lizzie.io>
Subject: bug#23513: closed (Re: package.el treats empty signatures as correct)
Date: Sat, 14 May 2016 01:50:01 +0000

Your bug report

#23513: package.el treats empty signatures as correct

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 23513@debbugs.gnu.org.

-- 
23513: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=23513
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Paul Eggert
To: "L. Dixon" <_@lizzie.io>
Cc: 23513-done@debbugs.gnu.org
Subject: Re: package.el treats empty signatures as correct
Organization: UCLA Computer Science Department
Date: Fri, 13 May 2016 18:49:41 -0700
Message-ID: <57368435.1020004@cs.ucla.edu>

Thanks for the bug report and fix! The code fix is so simple that copyright papers are not needed, so I installed it and will boldly mark this bug as done.

The test case is a bit much to accept without copyright assignment; is that something you and your employer would be willing to do? If so please let me know and I'll start the ball rolling on that.

I've never messed with those test-case signatures either but if I had to guess the passphrase I would guess "test0123456789", the string used in test/lisp/epg-tests.el's epg-tests-passphrase-callback function.
------------=_1463190601-10131-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 11 May 2016 18:22:06 +0000 Received: from localhost ([127.0.0.1]:47613 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1b0Ylp-0007J4-0r for submit@debbugs.gnu.org; Wed, 11 May 2016 14:22:05 -0400 Received: from eggs.gnu.org ([208.118.235.92]:42746) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <_@lizzie.io>) id 1b0Qcf-0000lM-Qb for submit@debbugs.gnu.org; Wed, 11 May 2016 05:40:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from <_@lizzie.io>) id 1b0QcX-0005qH-B9 for submit@debbugs.gnu.org; Wed, 11 May 2016 05:40:00 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:41964) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <_@lizzie.io>) id 1b0QcX-0005ps-7u for submit@debbugs.gnu.org; Wed, 11 May 2016 05:39:57 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:33598) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <_@lizzie.io>) id 1b0QcS-0004KM-QT for bug-gnu-emacs@gnu.org; Wed, 11 May 2016 05:39:56 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from <_@lizzie.io>) id 1b0QcO-0005nn-Ck for bug-gnu-emacs@gnu.org; Wed, 11 May 2016 05:39:51 -0400 Received: from mail.lizzie.io ([192.241.221.211]:39338) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <_@lizzie.io>) id 1b0QcN-0005nG-Ss for bug-gnu-emacs@gnu.org; Wed, 11 May 2016 05:39:48 -0400 Date: Wed, 11 May 2016 02:39:40 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lizzie.io; s=mail-lizzie-io; t=1462959585; bh=NyMVDEGQPt3HoK+GwO8txNN6cohy6n5Ue5qzImuBWWI=; h=Date:From:To:Subject:From; 
b=dTcJfMLYIvanmgT1i8mPQkcwq6+S4Ppm5bC/l0To/v0LkIzjpLhN3A9a2jt8V32l8 YowkTPhjS/s4xvQNbZKZdny7F9tFy2Ia2RaNW6Vf/ZHIoedHGe7uEh6XfK0EYQxrfb ZyPd+gqUaWRrJ6ENxVOy/lgy2lUsuDvW9is86BjU= 
From: "L. Dixon" <_@lizzie.io> To: bug-gnu-emacs@gnu.org Subject: package.el treats empty signatures as correct Message-ID: <20160511093940.GA26912@empress> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Wed, 11 May 2016 14:22:03 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Hi! I noticed an issue in package.el checking malformed and empty signatures. It behaves as if malformed and empty signatures are correct. You can validate this by evaling the following lisp: (setq package-check-signature t) ;; or 'alllow-unsigned2 (package--check-signature-content "a" "b") ;; => nil, no signal The issue is a result of the following code (from package.el, 62d7aca, current HEAD of master) in lines 1208-1223, the definition of package--check-signature-content: (let (good-signatures had-fatal-error) ;; The .sig file may contain multiple signatures. Success if one ;; of the signatures is good. (dolist (sig (epg-context-result-for context 'verify)) ;; [elided... conditionally set good-signatures or had-fatal-error] ) (when (and (null good-signatures) had-fatal-error) (package--display-verify-error context sig-file) (signal 'bad-signature (list sig-file))))pg- epg-context-result-for returns nil for malformed or empty signatures; in this case the body of the dolist never gets evaluated for any sig, and so both good-signatures and had-fatal-error end up nil. The signal doesn't get triggered and package--check-signature-content returns normally. 
I've included a patch and some additional cases for the test suite. The new tests fail against HEAD of master and pass with the patch applied.

This patch includes a new test/lisp/emacs-lisp/package-resources/key.sec and signatures, since I couldn't find the passphrase for the existing one and needed to sign /test/lisp/emacs-lisp/package-resources/signed/archive-contents for the new test. As a result, this patch contains binary differences and so needs to be applied with git-apply. The passphrase for the new key is 'passphrase'. Happy to use the old key if someone knows how.

I also deleted the skip-unless clause in the package-test-signed, since the test runs normally without it. I may be misunderstanding something here, but I'm worried that skipping this test will mask similar issues or regressions.

Thanks,
Lizzie.

diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el index c05bb53..9fc2451 100644 --- a/lisp/emacs-lisp/package.el +++ b/lisp/emacs-lisp/package.el @@ -1218,7 +1218,7 @@ package--check-signature-content (unless (and (eq package-check-signature 'allow-unsigned) (eq (epg-signature-status sig) 'no-pubkey)) (setq had-fatal-error t)))) - (when (and (null good-signatures) had-fatal-error) + (when (or (null good-signatures) had-fatal-error) (package--display-verify-error context sig-file) (signal 'bad-signature (list sig-file))) good-signatures))) diff --git a/test/lisp/emacs-lisp/package-resources/key.pub b/test/lisp/emacs-lisp/package-resources/key.pub index a326d34..b3bd7a5 100644 --- a/test/lisp/emacs-lisp/package-resources/key.pub +++ b/test/lisp/emacs-lisp/package-resources/key.pub 
@@ -1,18 +1,30 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.14 (GNU/Linux) +Version: GnuPG v2 -mQENBFJNB8gBCACfbtpvYrM8V1HM0KFlIwatcEJugHqwOHpr/Z9mrCW0fxyQAW/d -2L+3QVNsN9Tz/K9lLcBUgeR7rhVEzHNqhmhNj/HnikwGqXbIofhp+QbZmBKnAlCz -d77kg8K9lozHtfTkm1gX/7DdPzQKmgi7WOzzi2395wGubeqJLvYaEcqVbI0Eob+E -3CzRjNy/e/Tf3TJRW5etTcdZN6LVuIY7tNCHqlQZTwyycON/hfLTX6cLCnzDsqm/ -NxCuwn9aqP9aGRGfIu7Y+If3zTymvrXEPUN98OEID814bOKdx0uVTZRiSMbvuTGI -8uMa/kpGX/78rqI61gbZV51RFoU7pT2tzwY/ABEBAAG0HkouIFIuIEhhY2tlciA8 -anJoQGV4YW1wbGUuY29tPokBOAQTAQIAIgUCUk0HyAIbAwYLCQgHAwIGFQgCCQoL -BBYCAwECHgECF4AACgkQtpVAhgkYletuhQf+JAyHYhTZNxjq0UYlikuLX8EtYbXX -PB+03J0B73SMzEai5XsiTU2ADxqxwr7pveVK1INf+IGLiiXBlQq+4DSOvQY4xLfp -58jTOYRV1ECvlXK/JtvVOwufXREADaydf9l/MUxA5G2PPBWIuQknh3ysPSsx68OJ -SzNHFwklLn0DKc4WloE/GLDpTzimnCg7QGzuUo3Iilpjdy8EvTdI5d3jx/mGJIwI -goB+YZgyxSPM+GjDwh5DEwD7OexNqqa7RynnmU0epmlYyi9UufCHLwgiiEIzjpWi -6+iF+CQ45ZAKncovByenIUv73J3ImOudrsskeAHBmahljv1he6uV9Egj2Q== -=b5Kg +mQENBFcy0X0BCADTEpqKxj/mPhlMReSTS4Tt+Z3FIWh9J/Ry9xOXejJaOf/0IK4p +svA0fm4bIZA1sBtQw7KIu+oTVEllNIQG4qxVHHLqwQx+/F3Rk+dOk0Flk+zmBT2n +F+4KCnnrK7MOjcOMNQept4YkgZd3GPkBFCAr5RPTqxy6wn7Y1/NDzuHDUvns1FpR +GxRY5vyoghs1Yei6V1uGatNgxoEtNWMn2j60IPypnP961sGKZ8MHkeS0qeEVLbjI +PZ/qAFSYSgKg4GaC4+aRL9iABYdroMsNW/yaYTTnYp25t0X7w+eG9eKZD8hsidTj +E8ZFE/En0inCK2UhkzcAj3dAvzQJo1VV2S35ABEBAAG0HUouUi4gSGFja2VyIDxq +cmhAZXhhbXBsZS5jb20+iQE3BBMBCAAhBQJXMtF9AhsDBQsJCAcCBhUICQoLAgQW +AgMBAh4BAheAAAoJEE68tnACTKitvN8IAIw+/H6VM1yP4So6HrOcYAJgSR5prOWI +c5kywJKGtdmc3DzniFxm5X5a2ARXpqaIq+5i0xQib+8SE173XsE68bNBe0OwsyRL +BWr5Gqg7gviHk8+8FmytccPSIso3fXZYrG74LHzG93N6cdp6zfGJvxHNvuVg2Ufn +kn9KmYfBcVHrYsouvPmbv7qjCVgrD8bUIr4maAtFocycxcOez5bZGhGiPVL+I4/C +8+TpBbWWsoTXo7VNWa6dvGFBgja38WPGyshExbs/SMoCkHEnUcV6uUyIZstEugvs +aAAjLk1LVPHs+juOls1JaCuxG7oquzNh9tSAZ2ZEG0bu0T5pkO4TTc65AQ0EVzLR +fQEIANPWOPCkSJomBN4BMsOmQj1RiIPMFCRS+XNRhrsUiHY2vSvSujAkemvgzf0Z +X8CYHMgo2hSH9ehcCUZryEBHcZDzkxS3E+/rk6YZhiEarWdT4O9Oi4v5ct224BLg 
+h1oWBwa/ypCIF8ebtZTLkWe4jkaAjKMHpgwL/ndHRJXPIN8h3Zbb9j8v5C5Y1MkR +Ppc2Pms0zQ13hIWTI925Ctc7/rS2mm1zpu3IUGRBHiX7hooVsrPuW9LQZTkULbJo +7+CR007PalDWLbj+SKkProUBadxxox1WOhxVDX1QrCLOjxFPF8QnLGP7LRdYMqOe +uEDObIKTNmk0Z8qq2uJubnxPvnMAEQEAAYkBHwQYAQgACQUCVzLRfQIbDAAKCRBO +vLZwAkyorREAB/9c4dz/egis8m9cexeNtQ2OGrqoAt2zvJm1ke1T4j23xOa/8DiW +la/DRaQQVQvb9r3KljKqiRFZGtU60rowgep+iLoYdlXoLDbq5nUWUYFjvf13qccE +iZMbWuCn17npLYSrLd1ijYmgVGB8mPwHCLQZaXwp48uqkVHfjLJszKwBv/UAJfLO +mQiYh549ZNFpYcjaShJ76tArr0SfS9mc3+RMR3jwAAg8wqf0DVIhzo7rBdbO1dZi +9ZTQdQwnIwQao1SuWPtrRq/SWe/1XKRHBs59ZNgR1k3+FfxA5TZn5aNp8bEmHi5U +y+J78lVsI2li7FH0OmdpnCqF7RnZ1OMbkwQQ +=VM68 -----END PGP PUBLIC KEY BLOCK----- 
diff --git a/test/lisp/emacs-lisp/package-resources/key.sec b/test/lisp/emacs-lisp/package-resources/key.sec index d21e6ae9a452ff9b7942e2a3310f0d43eb80527b..5021d12dc8e0cb3a6b52e6f6fda1dc99b4228bb8 100644 GIT binary patch literal 2573 zcmV+o3i9=p1I7ebGSPhj2msR(nu^9h<~|urMdXu9gzfpA#UW^YC-idn6PJ22S~>sp zAg(F0@HBpI8zGQ2up3arvWUCt6I4lMG=v7?tW_Lx>cI?t{9VzL=T4JBWs~gY1wE%1 z?g|Qd>npPkjl+yJ2dTG)B!QQA82JGdAS>k))2kf1!hYD-^Fz+z!&3R|)LKy+6j* zHvo@!K)*Bzqg7SeE%^Wu0RRF12Ll31&;hve+R`ZQ|C=VXs`1`Q;Rx(XEKkD`#i??( zY`jn60G4)BCRl-=cu)Kr^dVbz2~6fZamON|x@yNTKz~BJc>i#B>?L7xFRt4oI_8Zz zlo$X;L%g{f3i&4VMm4#!Kv9%`USaKH*kSjqJU zH()})nR{bd8$JTp^Q%PJr68N#i^NL2OerwYbQhoVm{0RiLOxt#C6?-!{g>^oBYkHvsbS# zgnU#i7ZVHPm8U9Jh#(jswdCw24pFOU181z3^Iws8y;uHc0lg&gv!pg96=>OgDOAgK zIL`bgltQ!Ss*O~B-J8Ksh;!)q+;Hit{$pOt{fe1nC2kqu@?V1P7uz9_#qBMp-0da{v_onO1N1ZE{Jm-WF529~ux?7Gy;?gN$vb>IS?pU;+q8{JuD0K%cE^ zkYHA8;oh+6BGH?S?V_L#02<)KmE&3zuGubLi$=QZ67!VPk7$ zav(fva%ezhcwudDY-KKEZ*4w_0XGB_0SEvg1p-$x(R~6N0|g5S2nPZN6$l9m3jzcd z0s{d89svRufB*^!5Kg?dZ~{!It-Rj|0E|BTew8y^kKrmh9hrw}C>tf0- zy!o5Ix}ynLD-XuhBEBYQ3q_&KoW;YQ&z9L55u!a({v(gV^W^CTwU)Ak*Q2#fS+1SD zVL^g6xA9}f%E&~;yFWOo(R7M7j&?XaFNFO-oeq?D{*7md#0ME3q58 zD!Vgb_SAr9W<(oC?$JJJknR&r&Yc6s1XnWAeE|pn)7Cifq)3`31l|EM!=^$#QHX=g z6eLplb5Vx76o_^}6YuMj zrWuAI8m(tj;O|b0i}`Zhw%`)rhguc~2EWRXh!@A3wUo<|XSj|=fQ+LDrVI=IcSl5( z&mi9+-Im+-KQH7iSk%c8K9@E=Yc$ObcZ7wLBi*?Q*E{~Swwi5ortQd3WI-M!`-X}Y zva{}6($Hl&6fLr7@8FTsPS0vk)-AaHNU0C5g#l^YaibkpIviCEeNe0-&W{mK7sMwl zWBV-^STduYxIoTqf|E9BG-t}H+Tw0*d{4e}01*KI0saRA0>{~Nl3c7ox9$TMDFLq! 
zmQI&z_U#RTep)=02&><__EP4A2K_!D%%m3YjoR>-_UjyrS#F%xm}PdEuD{?DqyC`X z))fxKjx%>0=-D-?G&8)LvvVf-2}SmLHyv`s38O8yu#EDUQ+$d+&H()KJ%X{u*r4Q& zam(P#gMHjV{?h*jAKz2%mNq~WItrHAkVO1v#SC)|21`|5OspZUNaeT>83xXNU|%+w%%8tvTLn_Wvl zxM^m{in!{rdSfvM0YIZ~0;KLy2Fhbok8|=VlTZ#y=7Mqzi2ePp$?^5?SX{PdM{7-I zZXG+X;`c?4G$wo_;Y@HU)wL+qSNW4k^y9E)jHC;FoEiRh`Jbd zRp=}>>gIJ8QGsK<{dcLy1c{RyTHvSGx#=y0t1aDPjftRCV0@VT2MDwoX?!W;%c_x4 z-;Ad-5%M4wC9oZsY3M|ki62t2~4^bJxW z&W`H^*3Q+|V)c~JbqpsX1RA4Mu2}nPMz7LY@AX`yM+VM)WY`hbP5u@9K;<@P<)dlw ju_hiaRLkOf@>OgjX=3bA^g3s0oGOLw8QIk18+bSL%E^>a-vkH!MPozQ30XV&nzk zCQP`Iz1m!GBL>%-1s_(W$1HUu-Kss;Lv6Q+IyT*@%*j*xyz2>epV`10Bj|-2dNE8_ zvA>s}TixD4H(*tQFyiZRyT(v8OzhlugA*KeD*LmXb@NDbshFduhDx6&EJ1{Dd#!yT zB@(=eK=)#*+=Akj*|Zt$TFPv;pw7LU1?P1Yj*ZlBGf3#d6vkUz=K+E2udtsZm(LF_ zS3Kpd?Mw=5Z{iNF;aC#s5!xKdF+9rLF{hjNH;0JyxC>e zXsmi>5ruj3CuF7o-|jO-0591Kz5ycD4w4sNBG2P$jw@ zY&4{O!Ow4Rd^Ux2VV2)=PdwF^F}ZRFyD^t*qe=)6-`R0sa7-hgS^f!?ud#djlc46- zDhYoTC8m2lH)nR>%_*nJi%Q4IgprX6qFE5Sfm*y8G)tmQS-cOvp;K^KykB!D=onPh zHG4zdchYBX%Gwgl&cDARj;lAEXJOCZnuGMC5V)C)7mvg3S`}0c?wu8sO#M7RNYtHP z>-%5ymwNZ5yW>^-+KMyF1Zl7CHjfJGr1=1IK2o>^D(yf{yri`X^?SUGHsm3XJ`FN+yoAsRLK;#_JVXhF?w__UbRtD|FM`84Fo&=|^ zmyaArr&uZ3Rk=t*2EB0lTSpBy6ZRWOVh24_mX*_n68utq8z*Pn>T;63 zX`w|T_~HI`t?91wxC+>Gb^3>6n<*K4+tCPm~W8PSdUhjZmpn zJ&2~Pu{W7p4?*p$06bQTk??t1Hq|K0Eb!<7%A?jWF`r_!;t&Kwb6dyhb914!gw(~h z@4)=J8dlZmqW(=mF&0fqQ}}*e9tjF1gJvamkXUABDnWhWkwO2ap4d8}}izsSx z09hHJ8U(`X!~w(~v{-;9Jf^diL{>MHLL&m(vo8uezSDj*^?)^z0rL!`l7 z!ts*@d3SY-OKX*ToNgs;A=NouzwX%p5a&DAZ;~kqxC+j>rD6esvPu#GFs-L0ERk}gW;E5yndyI=BepVj(3S*b23u#NFqM>SJEndT zSC@I%HN%GL=WC=5?yQOo$I&t&d_=|MJ`$}44Xo))*`e+%N9Rd%J4GU^TcdaEwI<65 l0@H3W3R8f$=A<=vpcl$_f|Usoys+$ECcO*%YZ1}36Net3fp7o- literal 287 zcmV+)0pR|L0UQJX0RjL91p-n{5YK#4VQKS=3Y z4{6H*y$2N7$F>D9q<6}8W@)g4IY*tJ!pbhJKg4wt^n;h+JbBA;u0>elMy`2jx*VU| zlh?jrV-3vBGP*mmNL_W?AnwVn6@Q@p*wV7I(C;5R08N&Z^~?UH#j<8F5FJwK_IikR zqO6N|z0JA$Na2JaN;v+>WxkjrGTxewi33ub)Z`?zmIs&s$-6F-;flCj9#nf{*7e-CNTm^_t3+^EM%2i`||6aGGRI7U7YNOYtV}Ps|)h 
ltRz>cs){>Y*0(}mOOk(tIMaz=$yPRH;b7jH|DihEO^(>ki^l)} diff --git a/test/lisp/emacs-lisp/package-resources/signed/signed-bad-1.0.el.sig b/test/lisp/emacs-lisp/package-resources/signed/signed-bad-1.0.el.sig index 747918794cab396b0b16c3d02530f45329593e8a..0803d129514565c17b1d490a6751deae9ba98c0b 100644 GIT binary patch literal 287 zcmV+)0pR|L0UQJX0SEvF1p-$x*5UvP2@p=awr~PWsIAwA2mKd=eJs30OK~ba=WYKb zA40)hmr4P&3H8xkwD|?aFZUrO$6zf&Y;?;dXS?GW@Qr&Ulm|{1%i^fPV}P{{FlzPf z%TQ;SS#A}>Ad6|eLj%kG`>p;S_5NOs6LBiBp9MOq(R#})Ni zIV|E6*o6fWBswI+f{rhacb3=-rnxkOf`(CtrUhireeq}QeC7Boom!q)-tH3y^E%dy ld>L-}SVw1AD7Q+ux571(vR=snM^Ignd(QDM;n~T-E;^4-g8Kjf literal 287 zcmV+)0pR|L0UQJX0RjL91p-n{5t*q3BFN4;I!%1v33I9 z2p^^!^J_nB)#mYv#@QdKcy&CjbuXo!;>HueViXfL?7zjQ*<5?Ehl0XP=fm8^A1oYry!UqNH^J<2@A-$ubXim+sOzut6I3Tw lH2e2uU;QtGzo)(RqQbFg5?sfObwr5XeEV{EVAln2=dFOHjDY|E diff --git a/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el b/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el new file mode 100644 index 0000000..f23d144 --- /dev/null +++ b/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el @@ -0,0 +1,33 @@ +;;; signed-empty.el --- A single-file package with an empty signature + +;; Author: J. R. Hacker +;; Version: 1.0 +;; Keywords: frobnicate +;; URL: http://doodles.au + +;;; Commentary: + +;; This package provides a minor mode to frobnicate and/or bifurcate +;; any flanges you desire. To activate it, type "C-M-r M-3 butterfly" +;; and all your dreams will come true. + +;;; Code: + +(defgroup signed-empty nil "Simply a file" + :group 'lisp) + +(defcustom signed-empty-super-sunday t + "How great is this?" + :type 'boolean + :group 'signed-empty) + +(defvar signed-empty-sudo-sandwich nil + "Make a sandwich?") + +;;;###autoload +(define-minor-mode signed-empty-mode + "It does good things to stuff") + +(provide 'signed-empty) + +;;; signed-empty.el ends here 
diff --git a/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el.sig b/test/lisp/emacs-lisp/package-resources/signed/signed-empty-1.0.el.sig new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/test/lisp/emacs-lisp/package-resources/signed/signed-good-1.0.el.sig b/test/lisp/emacs-lisp/package-resources/signed/signed-good-1.0.el.sig index 747918794cab396b0b16c3d02530f45329593e8a..0803d129514565c17b1d490a6751deae9ba98c0b 100644 GIT binary patch literal 287 zcmV+)0pR|L0UQJX0SEvF1p-$x*5UvP2@p=awr~PWsIAwA2mKd=eJs30OK~ba=WYKb zA40)hmr4P&3H8xkwD|?aFZUrO$6zf&Y;?;dXS?GW@Qr&Ulm|{1%i^fPV}P{{FlzPf z%TQ;SS#A}>Ad6|eLj%kG`>p;S_5NOs6LBiBp9MOq(R#})Ni zIV|E6*o6fWBswI+f{rhacb3=-rnxkOf`(CtrUhireeq}QeC7Boom!q)-tH3y^E%dy ld>L-}SVw1AD7Q+ux571(vR=snM^Ignd(QDM;n~T-E;^4-g8Kjf literal 287 zcmV+)0pR|L0UQJX0RjL91p-n{5t*q3BFN4;I!%1v33I9 z2p^^!^J_nB)#mYv#@QdKcy&CjbuXo!;>HueViXfL?7zjQ*<5?Ehl0XP=fm8^A1oYry!UqNH^J<2@A-$ubXim+sOzut6I3Tw lH2e2uU;QtGzo)(RqQbFg5?sfObwr5XeEV{EVAln2=dFOHjDY|E diff --git a/test/lisp/emacs-lisp/package-tests.el b/test/lisp/emacs-lisp/package-tests.el index 70e129c..67da2e1 100644 --- a/test/lisp/emacs-lisp/package-tests.el +++ b/test/lisp/emacs-lisp/package-tests.el @@ -459,15 +459,6 @@ package-test-desc-version-string (ert-deftest package-test-signed () "Test verifying package signature." - (skip-unless (ignore-errors - (let ((homedir (make-temp-file "package-test" t))) - (unwind-protect - (let ((process-environment - (cons (format "HOME=%s" homedir) - process-environment))) - (epg-check-configuration (epg-configuration)) - (epg-find-configuration 'OpenPGP)) - (delete-directory homedir t))))) (let* ((keyring (expand-file-name "key.pub" package-test-data-dir)) (package-test-data-dir (expand-file-name "package-resources/signed" package-test-file-dir))) 
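Review bot: Deleting the whole skip-unless form at the top of package-test-signed makes the test depend unconditionally on a working OpenPGP setup, so on a machine where (epg-find-configuration 'OpenPGP) finds nothing it will now fail instead of being skipped. If the concern is that a skip can hide regressions, keep the guard and handle that separately (or explain in the commit message why the guard is no longer needed where the tests are run); the removal is also unrelated to the one-line fix in package.el and would be easier to review as its own change.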
@@ -476,6 +467,7 @@ package-test-desc-version-string (package-import-keyring keyring) (package-refresh-contents) (should (package-install 'signed-good)) + (should-error (package-install 'signed-empty)) (should-error (package-install 'signed-bad)) ;; Check if the installed package status is updated. (let ((buf (package-list-packages)))
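Review bot: The added (should-error (package-install 'signed-empty)) in package-test-signed passes on any error at all, for instance if signed-empty were missing from the archive contents, so it does not pin down the behaviour being fixed. Give it the condition that package.el signals, as in (should-error (package-install 'signed-empty) :type 'bad-signature), and add a case for a malformed but non-empty signature, since the report says those are accepted too.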
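Review bot: In the package.el hunk, at "(when (or (null good-signatures) had-fatal-error)", changing "and" to "or" rejects more than the empty-result case. A .sig with one good and one failing signature now signals bad-signature, which contradicts the comment quoted in the report ("Success if one of the signatures is good"), and under 'allow-unsigned a lone no-pubkey signature leaves both variables nil and is now rejected as well, although the "unless" just above exists to let it through. Consider testing for the empty result directly, signalling when (epg-context-result-for context 'verify) returned nil, and leaving the existing condition in place for the non-empty case.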
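The fail-open path described in the report, and the effect of the one-line and/or change, modelled as an added example (not code from package.el or from anyone in this thread). Signature statuses are reduced to symbols; the "good" branch of the loop is an assumption because the report elides it, and every sigdemo- name is hypothetical.

```elisp
;;; sigdemo.el --- model of the accept/reject decision  -*- lexical-binding: t -*-

;; Added illustration, not code from package.el.  Each signature is reduced
;; to a status symbol.  `no-pubkey' is the status named in the patch context;
;; `good' and `bad' are stand-ins, and every `sigdemo-' name is hypothetical.

(defun sigdemo--classify (statuses check-signature)
  "Return (GOOD . HAD-FATAL-ERROR) after looping over STATUSES.
CHECK-SIGNATURE plays the role of `package-check-signature'."
  (let (good fatal)
    (dolist (status statuses)
      (if (eq status 'good)             ; assumed shape of the elided branch
          (push status good)
        ;; Same test as the `unless' in the hunk: a missing public key is
        ;; tolerated only when unsigned packages are allowed.
        (unless (and (eq check-signature 'allow-unsigned)
                     (eq status 'no-pubkey))
          (setq fatal t))))
    (cons good fatal)))

(defun sigdemo-accepts-and (statuses check-signature)
  "Non-nil if the condition before the patch raises no signal."
  (let ((r (sigdemo--classify statuses check-signature)))
    (not (and (null (car r)) (cdr r)))))

(defun sigdemo-accepts-or (statuses check-signature)
  "Non-nil if the condition in the proposed patch raises no signal."
  (let ((r (sigdemo--classify statuses check-signature)))
    (not (or (null (car r)) (cdr r)))))

(defun sigdemo-accepts-nonempty (statuses check-signature)
  "Non-nil if STATUSES is non-empty and the pre-patch condition passes.
One alternative shape for the check, shown only for comparison."
  (and statuses (sigdemo-accepts-and statuses check-signature)))

(defconst sigdemo-cases
  '((()          t)                ; empty or malformed .sig: no results at all
    ((good)      t)
    ((bad)       t)
    ((good bad)  t)                ; several signatures, one of them good
    ((no-pubkey) allow-unsigned))  ; signer's key missing, unsigned allowed
  "Constructed inputs, each (STATUSES CHECK-SIGNATURE).")

(defun sigdemo-table ()
  "Return a row (STATUSES CHECK-SIGNATURE AND OR NONEMPTY) per case."
  (mapcar (lambda (c)
            (let ((statuses (car c)) (check (cadr c)))
              (list statuses check
                    (sigdemo-accepts-and statuses check)
                    (sigdemo-accepts-or statuses check)
                    (sigdemo-accepts-nonempty statuses check))))
          sigdemo-cases))

;; Print one line per case so the three conditions can be compared.
(dolist (row (sigdemo-table))
  (apply #'message "%S check=%S  and:%S  or:%S  nonempty:%S" row))
```

Load it with emacs --batch -l sigdemo.el and compare the three columns row by row; the first row is the empty-signature case from the report.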

From: Dmitry Gutov
Date: Sun, 15 May 2016 00:38:30 +0300
In-Reply-To: <20160511093940.GA26912@empress>

On 05/11/2016 12:39 PM, L. Dixon wrote:

> I also deleted the skip-unless clause in the package-test-signed,
> since the test runs normally without it. I may be misunderstanding
> something here, but I'm worried that skipping this test will mask
> similar issues or regressions.

That's definitely a cause for concern. Glenn, does Hydra lack the necessary libraries to support the package signature check?

Why do we skip this test there? It seems important.

From: Glenn Morris
Date: Mon, 16 May 2016 14:39:19 -0400
Message-ID: <1rvb2dx2y0.fsf@fencepost.gnu.org>

Dmitry Gutov wrote:

> On 05/11/2016 12:39 PM, L. Dixon wrote:
>
>> I also deleted the skip-unless clause in the package-test-signed,
>> since the test runs normally without it. I may be misunderstanding
>> something here, but I'm worried that skipping this test will mask
>> similar issues or regressions.

No, that stuff is there for a reason. Please don't delete it just because it's not needed on your system.

> That's definitely a cause for concern. Glenn, does Hydra lack the
> necessary libraries to support the package signature check?

Hydra's "gnupg" package is from the 2.0 series, and only provides a "gpg2" executable. epg-config--program-alist requires something from the 2.1 series. So (epg-find-configuration 'OpenPGP) fails with "no usable configuration".

I have added "gnupg1" to the requirements for the coverage build in an effort to get a "gpg" executable. We'll see if this helps.

(It would be easier to see if this worked if the coverage job wasn't currently failing, as it has been for two weeks, due to network-stream changes that cause a test failure - bug#23508. This is a repeated pattern that makes me think people don't actually pay much attention to the coverage job.)

From: Dmitry Gutov
Message-ID: <91f7ebef-3e86-2ab7-51ab-61377c5f4406@yandex.ru>
Date: Mon, 16 May 2016 23:19:37 +0300
In-Reply-To: <1rvb2dx2y0.fsf@fencepost.gnu.org>

On 05/16/2016 09:39 PM, Glenn Morris wrote:

>> That's definitely a cause for concern. Glenn, does Hydra lack the
>> necessary libraries to support the package signature check?
>
> Hydra's "gnupg" package is from the 2.0 series, and only provides a
> "gpg2" executable. epg-config--program-alist requires something from the
> 2.1 series. So (epg-find-configuration 'OpenPGP) fails with "no usable
> configuration".
>
> I have added "gnupg1" to the requirements for the coverage build in an
> effort to get a "gpg" executable. We'll see if this helps.

Thanks. Ideally, we'd have something like

    (skip-unless (or (getenv "HYDRA") (ignore-errors ...)))

to make sure the tests like that are _not_ skipped on the CI.

Individual contributors may not have gpg installed (although there's a case to be made that the package tests should just fail for them), but the CI is our last "line of defense", especially for important tests.

> (It would be easier to see if this worked if the coverage job wasn't
> currently failing, as it has been for two weeks, due to network-stream
> changes that cause a test failure - bug#23508. This is a repeated pattern
> that makes me think people don't actually pay much attention to the
> coverage job.)

I've noticed this failure when running tests locally, but it's far from my area of expertise.

I think using a separate mailing list for the build status notifications might be a mistake. I'm not subscribed to it (not sure why; maybe I've missed the announcement), and apparently not many other people are. There's not a lot of traffic there, why not just send it to emacs-devel?