GNU bug report logs - #35414
26.2; ELPA packages signed with second, unknown key


Package: emacs;

Reported by: Brandon Invergo <brandon <at> invergo.net>

Date: Wed, 24 Apr 2019 12:57:01 UTC

Severity: important

Tags: security

Merged with 35534, 44907

Found in versions 25.3.50, 26.2

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.


From: Brandon Invergo <brandon <at> invergo.net>
To: Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Cc: 35414 <at> debbugs.gnu.org, Glenn Morris <rgm <at> gnu.org>
Subject: bug#35414: 26.2; ELPA packages signed with second, unknown key
Date: Thu, 25 Apr 2019 09:36:45 +0100
Stefan Monnier writes:

> But that ship has sailed, so I'm going to have to rethink the transition
> to the new key.  Damn!

At this point, it might just suffice to spread the word far and wide
that people using ELPA package verification need to 1) disable
verification, 2) install the transition package, and then 3) re-enable
verification.  A few well-placed announcements should directly reach a
substantial portion of ELPA users, while also potentially getting the
info indexed in search engines for more people to find when they get
affected.

All that said, I'm not an expert, but an alternative strategy for the
future might be to extend the life of the original key (gpg --edit-key),
send it to a keyserver (gpg --send-keys), and then write a
"package-update-keyring" procedure that pulls updated public keys from
the keyserver (equivalent to gpg --recv-keys).  Of course, that doesn't
help the people who are not running the latest release that features the
update procedure, so a transitional package on ELPA that provides it
would still be necessary.

--
-brandon
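The three-step workaround described in the message above (disable verification, install the transition package, re-enable verification), written out as an added example for Emacs 26's package.el. This is not code from the bug report or from the Emacs project. It assumes the standard package.el variables `package-check-signature` and `package-gnupghome-dir`, and takes the transition package's name as an argument because the message does not name it.

```elisp
;; Added example; not part of the bug report or of package.el itself.
;; Assumes Emacs 26 package.el: `package-check-signature' (signature policy)
;; and `package-gnupghome-dir' (the keyring package.el verifies against).
(require 'package)

(defun my/install-elpa-keyring-transition (pkg)
  "Install transition package PKG with signature checking off, then re-enable it.
PKG is a symbol naming the package that carries the new ELPA signing key
\(the report does not name it, so it is passed in here).
Returns the `gpg --list-keys' output of package.el's keyring so the caller
can confirm the new key is present after the install."
  ;; Step 1 + 3: `package-check-signature' is a defcustom, hence a special
  ;; variable, so a dynamic `let' disables verification only for the body
  ;; and restores the previous value afterwards, even if an error is signaled.
  (let ((package-check-signature nil))
    ;; Step 2: refresh archive-contents (itself signed with the unknown key,
    ;; so it must be fetched while verification is off) and install PKG.
    (package-refresh-contents)
    (unless (package-installed-p pkg)
      (package-install pkg)))
  ;; Verification is back to its original setting here.  Sanity check:
  ;; list the keys package.el will now trust.  Assumes a `gpg' binary on PATH.
  (let ((keyring-dir (expand-file-name package-gnupghome-dir)))
    (with-temp-buffer
      (call-process "gpg" nil t nil
                    "--homedir" keyring-dir
                    "--batch" "--list-keys")
      (buffer-string))))

;; Usage (the package name is an assumption; substitute the real transition
;; package):
;; (my/install-elpa-keyring-transition 'name-of-transition-package)
```

The `let` binding is the important part: setting `package-check-signature` to nil globally and forgetting to restore it leaves every later install unverified, which is the failure mode a user following the three steps by hand can run into. Checking the keyring listing afterwards confirms the transition package actually imported the new key rather than merely installing without error.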






GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.