GNU bug report logs - #25572 Signatures on Emacs windows .zip files
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Sun, 29 Jan 2017 17:45:02 GMT)
Acknowledgement sent to Richard Kettlewell <rjk <at> terraraq.uk>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 29 Jan 2017 17:45:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi,
According to https://www.gnu.org/software/emacs/download.html:
Since the 24.5 release, tarballs are signed with the GPG key from
Nicolas Petton 7C207910, fingerprint 28D3 BED8 51FD F3AB 57FE
F93C 2335 87A4 7C20 7910, which can be found in the GNU keyring.
However the windows .zip files on http://ftp.gnu.org/gnu/emacs are
signed with some other key:
$ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID 60C3B396
gpg: Good signature from "Phillip Lord <phillip.lord <at> russet.org.uk>"
gpg: aka "Phillip Lord <p.lord <at> russet.org.uk>"
gpg: aka "Phillip Lord <p.lord <at> hgmp.mrc.ac.uk>"
gpg: aka "Phillip Lord <phillip.lord <at> newcastle.ac.uk>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8352 2404 7598 ECBC 61A1 DA34 5FE9 658D 60C3 B396
ttfn/rjk
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Sun, 29 Jan 2017 20:15:02 GMT)
Message #8 received at 25572 <at> debbugs.gnu.org:
> From: Richard Kettlewell <rjk <at> terraraq.uk>
> Date: Sun, 29 Jan 2017 11:48:55 +0000
>
> According to https://www.gnu.org/software/emacs/download.html:
>
> Since the 24.5 release, tarballs are signed with the GPG key from
> Nicolas Petton 7C207910, fingerprint 28D3 BED8 51FD F3AB 57FE
> F93C 2335 87A4 7C20 7910, which can be found in the GNU keyring.
>
> However the windows .zip files on http://ftp.gnu.org/gnu/emacs are
> signed with some other key:
>
> $ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
> gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID 60C3B396
> gpg: Good signature from "Phillip Lord <phillip.lord <at> russet.org.uk>"
> gpg: aka "Phillip Lord <p.lord <at> russet.org.uk>"
> gpg: aka "Phillip Lord <p.lord <at> hgmp.mrc.ac.uk>"
> gpg: aka "Phillip Lord <phillip.lord <at> newcastle.ac.uk>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 8352 2404 7598 ECBC 61A1 DA34 5FE9 658D 60C3 B396
That's because the zip files with Windows binaries were produced by
Phillip.
Why is that a bug?
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Sun, 29 Jan 2017 20:57:02 GMT)
Message #11 received at 25572 <at> debbugs.gnu.org:
On Sun, January 29, 2017 11:48 am, Richard Kettlewell wrote:
> According to https://www.gnu.org/software/emacs/download.html:
>
>
> Since the 24.5 release, tarballs are signed with the GPG key from
> Nicolas Petton 7C207910, fingerprint 28D3 BED8 51FD F3AB 57FE
> F93C 2335 87A4 7C20 7910, which can be found in the GNU keyring.
>
>
> However the windows .zip files on http://ftp.gnu.org/gnu/emacs are
> signed with some other key:
>
> $ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
> gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID 60C3B396
> gpg: Good signature from "Phillip Lord <phillip.lord <at> russet.org.uk>"
> gpg: aka "Phillip Lord <p.lord <at> russet.org.uk>"
> gpg: aka "Phillip Lord <p.lord <at> hgmp.mrc.ac.uk>"
> gpg: aka "Phillip Lord <phillip.lord <at> newcastle.ac.uk>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 8352 2404 7598 ECBC 61A1 DA34 5FE9 658D 60C3 B396
Thanks for pointing this out. The key is mine. I didn't know about that
statement on the website, and you are correct that it is rather
asymmetric.
I need to update the key anyway, and will get the website updated after that.
Phil
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Sun, 29 Jan 2017 21:15:01 GMT)
Message #14 received at 25572 <at> debbugs.gnu.org:
On Sun, January 29, 2017 8:14 pm, Eli Zaretskii wrote:
>> From: Richard Kettlewell <rjk <at> terraraq.uk>
>> Date: Sun, 29 Jan 2017 11:48:55 +0000
>>
>>
>> $ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
>> gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID 60C3B396
>> gpg: Good signature from "Phillip Lord <phillip.lord <at> russet.org.uk>"
>> gpg: aka "Phillip Lord <p.lord <at> russet.org.uk>"
>> gpg: aka "Phillip Lord <p.lord <at> hgmp.mrc.ac.uk>"
>> gpg: aka "Phillip Lord <phillip.lord <at> newcastle.ac.uk>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 8352 2404 7598 ECBC 61A1 DA34 5FE9 658D 60C3 B396
>
> That's because the zip files with Windows binaries were produced by
> Phillip.
>
> Why is that a bug?
>
I think it's a flaw with the website. It needs both our keys on.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Mon, 30 Jan 2017 00:54:02 GMT)
Message #17 received at 25572 <at> debbugs.gnu.org:
On 2017-01-29 20:14, Eli Zaretskii wrote:
>> According to https://www.gnu.org/software/emacs/download.html:
>>
>> Since the 24.5 release, tarballs are signed with the GPG key from
>> Nicolas Petton 7C207910, fingerprint 28D3 BED8 51FD F3AB 57FE
>> F93C 2335 87A4 7C20 7910, which can be found in the GNU keyring.
>>
>> However the windows .zip files on http://ftp.gnu.org/gnu/emacs are
>> signed with some other key:
>>
>> $ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
>> gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID 60C3B396
>> gpg: Good signature from "Phillip Lord <phillip.lord <at> russet.org.uk>"
>> gpg: aka "Phillip Lord <p.lord <at> russet.org.uk>"
>> gpg: aka "Phillip Lord <p.lord <at> hgmp.mrc.ac.uk>"
>> gpg: aka "Phillip Lord <phillip.lord <at> newcastle.ac.uk>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 8352 2404 7598 ECBC 61A1 DA34 5FE9 658D 60C3 B396
>
> That's because the zip files with Windows binaries were produced by
> Phillip.
Thank you for replying. The point is: how do I verify that I have a
legitimate download of the GNU Emacs Windows binaries?
I have an informal trust path to
28D3BED851FDF3AB57FEF93C233587A47C207910 because https://www.gnu.org
mentions it. No such statement exists about
835224047598ECBC61A1DA345FE9658D60C3B396.
> Why is that a bug?
The web page told me to send comments to bug-gnu-emacs <at> gnu.org, and so
here we are.
Is there some more appropriate reporting channel?
ttfn/rjk
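The question in messages #5 and #17 (what does gpg's "Good signature" prove when the signing key is not the one the download page names?) is answered in practice by pinning the full fingerprint from an out-of-band source and comparing it against the key gpg actually used, rather than reading the human-readable output by eye. The following Python is an added example, not code from the bug report or the Emacs project. It assumes only the GnuPG machine-readable status-line format (GOODSIG, VALIDSIG, ERRSIG, NO_PUBKEY); the fingerprints are the two quoted in this report, and the status lines are constructed to model the quoted gpg2 run (the timestamp and algorithm fields are illustrative).

```python
"""Verify a GnuPG-signed download against pinned release-key fingerprints.

Added example for bug#25572; not code from the bug report or the Emacs
project. It relies only on GnuPG's --status-fd line format.
"""
import re
import subprocess
from typing import Iterable

# Fingerprints exactly as quoted in the report. At the time, only the first
# was published on https://www.gnu.org/software/emacs/download.html; the
# second is the key that actually signed the Windows .zip files.
PUBLISHED_TARBALL_KEY = "28D3 BED8 51FD F3AB 57FE F93C 2335 87A4 7C20 7910"
WINDOWS_ZIP_KEY = "8352 2404 7598 ECBC 61A1 DA34 5FE9 658D 60C3 B396"

# Constructed status output modelling the `gpg2 --verify` run quoted in the
# report: fingerprint and key ID come from the report, the other VALIDSIG
# fields (timestamp, algorithm numbers) are illustrative.
SAMPLE_STATUS_WINDOWS_ZIP = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 835224047598ECBC61A1DA345FE9658D60C3B396 0
[GNUPG:] GOODSIG 5FE9658D60C3B396 Phillip Lord <phillip.lord <at> russet.org.uk>
[GNUPG:] VALIDSIG 835224047598ECBC61A1DA345FE9658D60C3B396 2016-11-29 1480449249 0 4 0 17 2 00 835224047598ECBC61A1DA345FE9658D60C3B396
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed output for a signature whose key is not in the local keyring.
SAMPLE_STATUS_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 5FE9658D60C3B396 17 2 00 1480449249 9 835224047598ECBC61A1DA345FE9658D60C3B396
[GNUPG:] NO_PUBKEY 5FE9658D60C3B396
"""


def normalize_fingerprint(fpr: str) -> str:
    """Canonicalise a v4 fingerprint: drop whitespace, uppercase, 40 hex digits.
    The download page prints groups of four; gpg's status lines do not."""
    canon = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", canon):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return canon


def parse_status(status_output: str) -> dict:
    """Pull the verdict out of gpg --status-fd output.

    Returns {"goodsig": bool, "fingerprint": str or None, "problems": [lines]}.
    VALIDSIG lists the signing-key fingerprint first and, when present, the
    primary-key fingerprint as its last field; pinning the primary key lets a
    rotated signing subkey under the same primary still verify.
    """
    result = {"goodsig": False, "fingerprint": None, "problems": []}
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # anything else is human-readable text, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["goodsig"] = True
        elif keyword == "VALIDSIG":
            primary = fields[11] if len(fields) > 11 else fields[2]
            result["fingerprint"] = primary.upper()
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG",
                         "REVKEYSIG", "NO_PUBKEY"):
            result["problems"].append(line)
    return result


def check_signature(status_output: str, pinned: Iterable[str]) -> tuple[bool, str]:
    """Accept only a good signature made by one of the pinned keys.

    "Good signature" on its own means the file matches *some* key in the local
    keyring; the pinned list is what ties it to the project. Compare full
    fingerprints, never the 8-hex-digit short key ID shown in gpg's text.
    """
    allowed = {normalize_fingerprint(p) for p in pinned}
    status = parse_status(status_output)
    if status["problems"]:
        return False, "gpg reported: " + "; ".join(status["problems"])
    if not status["goodsig"] or status["fingerprint"] is None:
        return False, "no GOODSIG/VALIDSIG in gpg status output"
    if status["fingerprint"] not in allowed:
        return False, (f"good signature, but key {status['fingerprint']} "
                       "is not one of the pinned release keys")
    return True, f"good signature from pinned key {status['fingerprint']}"


def gpg_status(sig_path: str, data_path: str) -> str:
    """Run gpg and return its machine-readable status lines.

    --status-fd 1 sends them to stdout while the human text stays on stderr.
    The exit code is ignored on purpose: the verdict comes from the status lines.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # The situation in the report: only the tarball key is published, so a
    # cryptographically good signature on the Windows .zip must be rejected ...
    print(check_signature(SAMPLE_STATUS_WINDOWS_ZIP, [PUBLISHED_TARBALL_KEY]))
    # ... and passes once the page lists both keys, as the thread proposes.
    print(check_signature(SAMPLE_STATUS_WINDOWS_ZIP,
                          [PUBLISHED_TARBALL_KEY, WINDOWS_ZIP_KEY]))
    print(check_signature(SAMPLE_STATUS_NO_PUBKEY, [WINDOWS_ZIP_KEY]))
    # Against real files: check_signature(gpg_status("x.zip.sig", "x.zip"), [...])
```

The pinned list is the piece the download page was supposed to supply: with only the tarball key pinned, the report's perfectly good signature is rejected, which is exactly the reporter's position; listing both keys makes the same output pass. Putting the fingerprints in the checking tool rather than in a keyring fetched from the same server as the files also addresses the objection raised later in the thread about the GNU keyring.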
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Mon, 30 Jan 2017 00:54:02 GMT)
Message #20 received at 25572 <at> debbugs.gnu.org:
On 2017-01-29 20:56, Phillip Lord wrote:
> Thanks for pointing this out. The key is mine. I didn't know about that
> statement on the website, and you are correct that it is rather
> asymmetric.
>
> I need to update the key anyway, and will get the website updated after that.
Thanks!
ttfn/rjk
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Mon, 30 Jan 2017 22:34:02 GMT)
Message #23 received at 25572 <at> debbugs.gnu.org:
"Phillip Lord" wrote:
> I think it's a flaw with the website. It needs both our keys on.
Is it actually useful to list gpg keys on
https://www.gnu.org/software/emacs/download.html, or is it just another
place that's likely to get out-of-date?
Historically, the "GNU keyring" has frequently been outdated and hard to
get updated (it should be automatic but clearly isn't), so I don't know
if linking to that is a good idea. (Personally I fail to see much value
in a keyring stored on the same ftp server as the files. If a Bad Person
can mess with the latter, why not the former?)
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Mon, 06 Feb 2017 10:38:02 GMT)
Message #26 received at 25572 <at> debbugs.gnu.org:
Glenn Morris <rgm <at> gnu.org> writes:
> "Phillip Lord" wrote:
>
>> I think it's a flaw with the website. It needs both our keys on.
>
> Is it actually useful to list gpg keys on
> https://www.gnu.org/software/emacs/download.html, or is it just another
> place that's likely to get out-of-date?
>
> Historically, the "GNU keyring" has frequently been outdated and hard to
> get updated (it should be automatic but clearly isn't), so I don't know
> if linking to that is a good idea. (Personally I fail to see much value
> in a keyring stored on the same ftp server as the files. If a Bad Person
> can mess with the latter, why not the former?)
I don't mind either way, but probably if Nicolas' is on there for the
source tarball, we should have one for the windows downloads. You are
correct that keeping this up-to-date adds load.
Phil
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Mon, 06 Feb 2017 13:05:02 GMT)
Message #29 received at 25572 <at> debbugs.gnu.org:
Phillip Lord <phillip.lord <at> russet.org.uk> writes:
> I need to update the key anyway, and will get the website updated
> after that.
You can send me the fingerprint of the key once you have it updated if
you want me to update that page.
Cheers,
Nico
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Mon, 06 Feb 2017 13:10:01 GMT)
Message #32 received at 25572 <at> debbugs.gnu.org:
Glenn Morris <rgm <at> gnu.org> writes:
> "Phillip Lord" wrote:
>
>> I think it's a flaw with the website. It needs both our keys on.
>
> Is it actually useful to list gpg keys on
> https://www.gnu.org/software/emacs/download.html, or is it just another
> place that's likely to get out-of-date?
I'm trying to keep the website up-to-date :)
Several users asked for the fingerprint to be added somewhere on the
Emacs website, and I thought it was a good idea, as the GNU keyring is
not up-to-date and it looks like most users don't use it.
> Historically, the "GNU keyring" has frequently been outdated and hard to
> get updated (it should be automatic but clearly isn't)
Indeed, it was very hard for me to get my key on this keyring, it took
ages.
Cheers,
Nico
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Tue, 07 Feb 2017 04:39:02 GMT)
Message #35 received at 25572 <at> debbugs.gnu.org:
Nicolas Petton wrote:
>> Historically, the "GNU keyring" has frequently been outdated and hard to
>> get updated (it should be automatic but clearly isn't)
>
> Indeed, it was very hard for me to get my key on this keyring, it took
> ages.
That's why I don't like seeing the GNU keyring advertised on the Emacs page. :)
It clearly doesn't work properly, so let's not draw attention to it.
I'd suggest you put the Emacs keys in a plain text file on the Emacs web
site, and have the download page link to it. That way it is easier to
update.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#25572; Package emacs. (Sun, 19 Nov 2017 14:12:02 GMT)
Message #38 received at 25572 <at> debbugs.gnu.org:
The situation does not seem to have improved in the last ~10 months. The
Windows Emacs zipfiles are still signed with a key not mentioned
anywhere on https://www.gnu.org/software/emacs/download.html.
ttfn/rjk
Forcibly Merged 25572 33456. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 21 Nov 2018 18:11:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 21 Dec 2018 12:24:05 GMT)
GNU bug tracking system. Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.