GNU bug report logs - #35060
26.1; Incorrect OpenPGP key on Emacs site


Package: emacs;

Reported by: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>

Date: Sun, 31 Mar 2019 07:18:03 UTC

Severity: minor

Found in version 26.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 35060 in the body.
You can then email your comments to 35060 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#35060; Package emacs. (Sun, 31 Mar 2019 07:18:03 GMT)

Acknowledgement sent to Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 31 Mar 2019 07:18:04 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
To: bug-gnu-emacs <at> gnu.org
Subject: 26.1; Incorrect OpenPGP key on Emacs site
Date: Sat, 30 Mar 2019 23:36:52 +0000
At https://www.gnu.org/software/emacs/download.html the source
tarballs are said to be signed with "the GPG key from Nicolas
Petton [...] D405 AA2C 862C 54F1 7EEE 6BE0 E8BC D786 6AFC
F978 (since 26.1), which can be found in the GNU keyring."


Not only is this key not in the GNU keyring, but it has also
been revoked from the public key server network.


In GNU Emacs 26.1 (build 1, x86_64-pc-linux-gnu)

 of 2019-03-30

System Description:     Debian GNU/Linux 9.8 (stretch)





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#35060; Package emacs. (Sun, 31 Mar 2019 15:10:02 GMT)

Message #8 received at 35060 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
Cc: 35060 <at> debbugs.gnu.org
Subject: Re: bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
Date: Sun, 31 Mar 2019 18:09:25 +0300
> From: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
> Date: Sat, 30 Mar 2019 23:36:52 +0000
> 
> At https://www.gnu.org/software/emacs/download.html the source
> tarballs are said to be signed with "the GPG key from Nicolas
> Petton [...] D405 AA2C 862C 54F1 7EEE 6BE0 E8BC D786 6AFC
> F978 (since 26.1), which can be found in the GNU keyring."
> 
> 
> Not only is this key not in the GNU keyring, but it has also
> been revoked from the public key server network.

See

  http://lists.gnu.org/archive/html/emacs-devel/2019-03/msg00732.html




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#35060; Package emacs. (Sun, 31 Mar 2019 15:18:02 GMT)

Message #11 received at 35060 <at> debbugs.gnu.org:

From: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 35060 <at> debbugs.gnu.org
Subject: Re: bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
Date: Sun, 31 Mar 2019 16:16:52 +0100
On 31/03/2019 16:09, Eli Zaretskii wrote:
>> From: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
>> Date: Sat, 30 Mar 2019 23:36:52 +0000

[...]

>> Not only is this key not in the GNU keyring, but it has also
>> been revoked from the public key server network.
> 
> See
> 
>   http://lists.gnu.org/archive/html/emacs-devel/2019-03/msg00732.html

The public key server network has the key marked as revoked:
https://keyserver.escomposlinux.org/pks/lookup?search=Nicolas+Petton&fingerprint=on&op=vindex

Why is it then still listed on the website as something that can be
depended on?  I cannot see how it makes sense to refer to this
particular key.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#35060; Package emacs. (Sun, 31 Mar 2019 16:24:01 GMT)

Message #14 received at 35060 <at> debbugs.gnu.org:

From: Alan Third <alan <at> idiocy.org>
To: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
Cc: 35060 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
Date: Sun, 31 Mar 2019 17:23:23 +0100
On Sun, Mar 31, 2019 at 04:16:52PM +0100, Andrew Luke Nesbit wrote:
> The public key server network has the key marked as revoked:
> https://keyserver.escomposlinux.org/pks/lookup?search=Nicolas+Petton&fingerprint=on&op=vindex

You’re looking at the wrong key, I think.
-- 
Alan Third




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#35060; Package emacs. (Tue, 02 Apr 2019 06:14:02 GMT)

Message #17 received at 35060 <at> debbugs.gnu.org:

From: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
To: Alan Third <alan <at> idiocy.org>
Cc: 35060 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
Date: Tue, 2 Apr 2019 07:13:20 +0100
On 31/03/2019 17:23, Alan Third wrote:
> On Sun, Mar 31, 2019 at 04:16:52PM +0100, Andrew Luke Nesbit wrote:
>> The public key server network has the key marked as revoked:
>> https://keyserver.escomposlinux.org/pks/lookup?search=Nicolas+Petton&fingerprint=on&op=vindex
> 
> You’re looking at the wrong key, I think.

I am indeed looking at the wrong key on the key server.  Nevertheless,
there is still a problem.

The user is instructed to verify the signature of the download, but the
information about who it's signed by is misleading.  The key that signs
the signature for releases >= 26.1 is not available as far as I can tell.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#35060; Package emacs. (Tue, 02 Apr 2019 14:00:02 GMT)

Message #20 received at 35060 <at> debbugs.gnu.org:

From: Alan Third <alan <at> idiocy.org>
To: Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
Cc: 35060 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
Date: Tue, 2 Apr 2019 14:59:25 +0100
On Tue, 2 Apr 2019, 07:13 Andrew Luke Nesbit, <ullbeking <at> andrewnesbit.org>
wrote:

>
> The user is instructed to verify the signature of the download, but the
> information about who it's signed by is misleading.  The key that signs
> the signature for releases >= 26.1 is not available as far as I can tell.
>

It's actually a subkey, so if you updated Nicolas's key from the server it
should verify correctly. I do agree that it's confusing, though.

>
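Alan Third's reply above says the release signature comes from a subkey and verifies once the signer's key has been refreshed. As an added example (not from the thread or the Emacs project), this script reads `gpg --status-fd` output and reports whether a published fingerprint is the signing key, the primary key of the signing subkey, or unrelated; the sample status lines, the signer name and the all-`A` primary fingerprint are constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread): relate a published fingerprint to
# the key that made a signature, using gpg's machine-readable status lines.

# Fingerprint as quoted from the download page in the report above.
PUBLISHED='D405 AA2C 862C 54F1 7EEE 6BE0 E8BC D786 6AFC F978'

# Constructed status output: signature made by the published (sub)key, whose
# primary key is a placeholder fingerprint (forty "A"s).
SAMPLE_SUBKEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E8BCD7866AFCF978 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG D405AA2C862C54F17EEE6BE0E8BCD7866AFCF978 2019-01-01 1546300800 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Constructed status output: the local keyring has no key matching the signature.
SAMPLE_STALE='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG E8BCD7866AFCF978 1 8 00 1546300800 9 -
[GNUPG:] NO_PUBKEY E8BCD7866AFCF978'

# Strip whitespace and upper-case a fingerprint so both spellings compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read status lines on stdin; print how fingerprint $1 relates to the signature:
#   signing-key  it is the key (possibly a subkey) that made the signature
#   primary-key  it is the primary key of the subkey that made the signature
#   mismatch     the signature is valid but comes from an unrelated key
#   missing-key  gpg lacks the signing (sub)key locally; refresh the key first
#   no-validsig  nothing verified (for example a bad signature)
classify_sig() {
    awk -v want="$(norm_fpr "$1")" '
        $1 != "[GNUPG:]"   { next }
        $2 == "NO_PUBKEY"  { nokey = 1 }
        $2 == "VALIDSIG"   {
            seen = 1
            if (toupper($3) == want)  { verdict = "signing-key"; exit }
            # Last field of VALIDSIG is the primary key fingerprint.
            if (toupper($NF) == want) { verdict = "primary-key"; exit }
        }
        END {
            if (verdict == "") verdict = seen ? "mismatch" : (nokey ? "missing-key" : "no-validsig")
            print verdict
        }'
}

# Usage with a real download (file names are placeholders):
#   gpg --status-fd 1 --verify emacs.tar.xz.sig emacs.tar.xz 2>/dev/null | classify_sig "$PUBLISHED"
```

A `missing-key` result is what a keyring copy that predates the signing subkey produces; a `primary-key` or `signing-key` result means the published fingerprint and the signature belong to the same OpenPGP key.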

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#35060; Package emacs. (Wed, 22 Sep 2021 21:51:02 GMT)

Message #23 received at 35060 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Alan Third <alan <at> idiocy.org>
Cc: 35060 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>,
 Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org>
Subject: Re: bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
Date: Wed, 22 Sep 2021 23:50:35 +0200
Alan Third <alan <at> idiocy.org> writes:

> On Tue, 2 Apr 2019, 07:13 Andrew Luke Nesbit,
> <ullbeking <at> andrewnesbit.org> wrote:
>
>  The user is instructed to verify the signature of the download, but the
>  information about who it's signed by is misleading.  The key that signs
>  the signature for releases >= 26.1 is not available as far as I can tell.
>
> It's actually a subkey, so if you updated Nicolas's key from the server it
> should verify correctly. I do agree that it's confusing, though.

So if I understand correctly, there isn't anything to fix here, and I'm
closing this bug report.  (If I'm mistaken, and there's something that
can be done to make this less confusing, please respond to the debbugs
address and we'll reopen.)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug closed, send any further explanations to 35060 <at> debbugs.gnu.org and Andrew Luke Nesbit <ullbeking <at> andrewnesbit.org> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 22 Sep 2021 21:51:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 21 Oct 2021 11:24:09 GMT)
