GNU bug report logs - #35414
26.2; ELPA packages signed with second, unknown key

Package: emacs;

Reported by: Brandon Invergo <brandon <at> invergo.net>

Date: Wed, 24 Apr 2019 12:57:01 UTC

Severity: important

Tags: security

Merged with 35534, 44907

Found in versions 25.3.50, 26.2

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.

From: Stefan Monnier <monnier <at> IRO.UMontreal.CA>
To: Brandon Invergo <brandon <at> invergo.net>
Cc: 35414 <at> debbugs.gnu.org, Glenn Morris <rgm <at> gnu.org>
Subject: bug#35414: 26.2; ELPA packages signed with second, unknown key
Date: Wed, 24 Apr 2019 19:02:39 -0400

> No, the bug is that the signature verification should not signal an
> error before September 2019 even if you don't have the new key.
>
> Could you remove the gnu-elpa-keyring-update package, and the 2019
> key from your keyring and try and help us figure out why you get
> those errors and I don't?

Oh, wait, I see it now: I had set package-check-signature incorrectly.
So, I can reproduce the problem now with

    (setq package-check-signature t)
It works correctly if you've set it to the default `allow-unsigned`.

I think it's a mistake: `allow-unsigned` should mean to allow installing
packages when they don't have a signature at all, and `t` should mean
to allow installing if at least one of the sigs is verified rather than
only if all the sigs are verified.

But that ship has sailed, so I'm going to have to rethink the transition
to the new key.  Damn!


        Stefan
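To make the policy distinction in the message above concrete, here is an added Python model (not package.el's code and not written by Stefan or the Emacs project) of the three acceptance rules it contrasts: `t` as observed on this page (every signature must verify), `t` as the message argues it should mean (at least one verifies), and the default `allow-unsigned`. The `SigStatus` names, the policy functions and the signature scenarios are constructed for illustration; the key-rotation scenario is the one in this bug, a package signed by the existing key plus the new 2019 key that is not yet in the local keyring.

```python
"""Toy model of package-signature acceptance policies, added to illustrate
bug#35414.  This is not package.el's code; it models the behaviour the
message above describes for `package-check-signature`.  The signature
results below are constructed, not read from a real .sig file."""
from enum import Enum
from typing import Sequence


class SigStatus(Enum):
    GOOD = "good"            # verifies against a key present in the keyring
    NO_PUBKEY = "no-pubkey"  # signer's key is absent from the keyring
    BAD = "bad"              # key is known, but the signature does not verify


def policy_t_all_sigs(sigs: Sequence[SigStatus]) -> bool:
    """`t` as observed on the page: install only if every signature verifies.
    A second signature from a key the user lacks therefore blocks installation."""
    return bool(sigs) and all(s is SigStatus.GOOD for s in sigs)


def policy_t_any_sig(sigs: Sequence[SigStatus]) -> bool:
    """`t` as the message argues it should mean: install if at least one
    signature verifies.  Assumption: a positively bad signature still rejects,
    since that is a tampering signal rather than a missing key."""
    if SigStatus.BAD in sigs:
        return False
    return any(s is SigStatus.GOOD for s in sigs)


def policy_allow_unsigned(sigs: Sequence[SigStatus]) -> bool:
    """`allow-unsigned` (the default): an unsigned package installs, a
    signature from a missing key is ignored, a bad signature rejects.
    Assumption: a package whose only signatures come from unknown keys is
    treated like an unsigned one."""
    return SigStatus.BAD not in sigs


POLICIES = {
    "t (all sigs must verify)": policy_t_all_sigs,
    "t (any sig verifies)": policy_t_any_sig,
    "allow-unsigned": policy_allow_unsigned,
}

# Constructed scenarios.  KEY_ROTATION is the situation in the bug: the
# archive signs with the long-standing key (in the keyring) and with the
# new 2019 key (not yet in the keyring).
UNSIGNED = []
KEY_ROTATION = [SigStatus.GOOD, SigStatus.NO_PUBKEY]
BOTH_KNOWN = [SigStatus.GOOD, SigStatus.GOOD]
TAMPERED = [SigStatus.GOOD, SigStatus.BAD]


def evaluate(sigs: Sequence[SigStatus]) -> dict:
    """Return {policy name: accepted?} for one set of signature results."""
    return {name: fn(sigs) for name, fn in POLICIES.items()}


if __name__ == "__main__":
    for label, sigs in [("unsigned", UNSIGNED), ("key rotation", KEY_ROTATION),
                        ("both known", BOTH_KNOWN), ("tampered", TAMPERED)]:
        print(f"{label:13s}", evaluate(sigs))
```

Running it shows the asymmetry the message complains about: under the strict reading of `t`, the key-rotation package is refused even though a signature from a trusted key is present, while `allow-unsigned` lets it through because the unknown key is simply ignored. Only a bad signature is rejected by every policy.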



