GNU bug report logs - #35414
26.2; ELPA packages signed with second, unknown key
Reported by: Brandon Invergo <brandon <at> invergo.net>
Date: Wed, 24 Apr 2019 12:57:01 UTC
Severity: important
Tags: security
Merged with 35534, 44907
Found in versions 25.3.50, 26.2
Done: Stefan Monnier <monnier <at> iro.umontreal.ca>
Bug is archived. No further changes may be made.
Message #24 received at 35414 <at> debbugs.gnu.org:
> No, the bug is that the signature verification should not signal an
> error before September 2019 even if you don't have the new key.
>
> Could you remove the gnu-elpa-keyring-update package, and the 2019
> key from your keyring and try and help us figure out why you get
> those errors and I don't?
Oh, wait, I see it now: I had set package-check-signature incorrectly.
So, I can reproduce the problem now with
(setq package-check-signature t)
It works correctly if you've set it to the default `allow-unsigned`.
I think it's a mistake: `allow-unsigned` should mean to allow installing
packages when they don't have a signature at all, and `t` should mean
to allow installing if at least one of the sigs is verified rather than
only if all the sigs are verified.
But that ship has sailed, so I'm going to have to rethink the transition
to the new key. Damn!
Stefan
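A small model of the two package-check-signature policies discussed above, added here as an example; it is not code from the bug thread or from package.el. The SigStatus values, the None-for-unsigned convention and the reading of the proposed "at least one verified" semantics are assumptions, and the two-key scenario is constructed from the report.

```python
from enum import Enum


class SigStatus(Enum):
    """Outcome of verifying one signature in a package's .sig file (assumed names)."""
    GOOD = "good"            # verified against a key in the keyring
    NO_PUBKEY = "no-pubkey"  # signing key not present in the keyring
    BAD = "bad"              # signature present but does not verify


def install_allowed(statuses, policy):
    """Current semantics as the message describes them.

    statuses: list of SigStatus, one per signature in the .sig file,
              or None when the package has no .sig file at all.
    policy:   "allow-unsigned" or True (the two values in the message).
    Under True every signature must verify; under "allow-unsigned" a
    signature from a missing key is tolerated as long as at least one
    signature is good.
    """
    if statuses is None:
        # Unsigned package: only tolerated under allow-unsigned.
        return policy == "allow-unsigned"
    good = [s for s in statuses if s is SigStatus.GOOD]
    fatal = False
    for s in statuses:
        if s is SigStatus.GOOD:
            continue
        if policy == "allow-unsigned" and s is SigStatus.NO_PUBKEY:
            continue  # missing key is forgiven only here
        fatal = True  # bad signature, or any non-good status under t
    return bool(good) and not fatal


def install_allowed_proposed(statuses, policy):
    """Proposed semantics (assumed reading): t accepts the package when at
    least one signature verifies; allow-unsigned also accepts packages
    that carry no signature at all."""
    if statuses is None:
        return policy == "allow-unsigned"
    return any(s is SigStatus.GOOD for s in statuses)


# Constructed scenario from the report: content signed with the known
# old key and with the new 2019 key the user does not yet have.
TWO_KEY_SIG = [SigStatus.GOOD, SigStatus.NO_PUBKEY]

if __name__ == "__main__":
    print(install_allowed(TWO_KEY_SIG, "allow-unsigned"))  # True
    print(install_allowed(TWO_KEY_SIG, True))              # False: the reported error
    print(install_allowed_proposed(TWO_KEY_SIG, True))     # True
```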