GNU bug report logs - #35414
26.2; ELPA packages signed with second, unknown key
Reported by: Brandon Invergo <brandon <at> invergo.net>
Date: Wed, 24 Apr 2019 12:57:01 UTC
Severity: important
Tags: security
Merged with 35534, 44907
Found in versions 25.3.50, 26.2
Done: Stefan Monnier <monnier <at> iro.umontreal.ca>
Message #41 received at 35414 <at> debbugs.gnu.org:
Stefan Monnier <monnier <at> IRO.UMontreal.CA> writes:
>> No, the bug is that the signature verification should not signal an
>> error before September 2019 even if you don't have the new key.
>>
>> Could you remove the gnu-elpa-keyring-update package, and the 2019
>> key from your keyring and try and help us figure out why you get
>> those errors and I don't?
>
> Oh, wait, I see it now: I had set package-check-signature incorrectly.
> So, I can reproduce the problem now with
>
> (setq package-check-signature t)
>
> It works correctly if you've set it to the default `allow-unsigned`.
>
> I think it's a mistake: `allow-unsigned` should mean to allow installing
> packages when they don't have a signature at all, and `t` should mean
> to allow installing if at least one of the sigs is verified rather than
> only if all the sigs are verified.
>
> But that ship has sailed, so I'm going to have to rethink the transition
> to the new key. Damn!
What's the status on this? Anything else that needs doing before 27.1?
Best regards,
Stefan Kangas
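The thread above turns on how `package-check-signature` treats a package that carries two signatures when only one of the signing keys is in the local keyring. The following is an added illustration, not package.el's own code: it models the three policies the message discusses (the default `allow-unsigned`, `t` as it behaves in 26.2, and the "at least one good signature" meaning the reporter says `t` should have had) as plain Python so the key-rollover outcome can be checked for each. The key ids, the `Signature` type and the status labels are placeholders constructed for the example; the treatment of signatures from keys absent from the keyring under `allow-unsigned` is an assumption made to reproduce the behaviour the message reports ("works correctly" with the default).

```python
from dataclasses import dataclass
from enum import Enum

# Constructed keyring for the example: placeholder ids, not the real ELPA key fingerprints.
OLD_KEY = "ELPA-KEY-OLD-PLACEHOLDER"
NEW_KEY = "ELPA-KEY-2019-PLACEHOLDER"


@dataclass(frozen=True)
class Signature:
    """One detached signature on an archive file or package (hypothetical type)."""
    key_id: str
    good: bool  # True when the cryptographic check of this signature passed


class Policy(Enum):
    ALLOW_UNSIGNED = "allow-unsigned"  # default: unsigned packages are accepted
    ALL_SIGS = "t"                     # 26.2 behaviour: every signature must verify
    ANY_SIG = "any"                    # reporter's intended meaning of t (hypothetical)


def signature_status(sig, keyring):
    """Classify a signature the way a verifier would: unknown key, good, or bad."""
    if sig.key_id not in keyring:
        return "no-pubkey"  # cannot be checked at all: key is not in the keyring
    return "good" if sig.good else "bad"


def package_accepted(policy, sigs, keyring):
    """Decide whether a package with the given signatures may be installed under a policy."""
    if not sigs:
        # Only the default tolerates a package with no signature at all.
        return policy is Policy.ALLOW_UNSIGNED
    statuses = [signature_status(s, keyring) for s in sigs]
    if policy is Policy.ALL_SIGS:
        # The behaviour the report complains about: one unknown key fails the whole package.
        return all(st == "good" for st in statuses)
    if policy is Policy.ANY_SIG:
        # What the reporter argues t should mean: one verified signature is enough.
        return "good" in statuses
    # ALLOW_UNSIGNED (assumption): needs at least one good signature, tolerates
    # signatures from keys missing from the keyring, but still rejects a bad one.
    return "good" in statuses and "bad" not in statuses


def rollover_outcome(keyring):
    """Outcome per policy for a package signed with both the old and the new key."""
    dual_signed = [Signature(OLD_KEY, True), Signature(NEW_KEY, True)]
    return {p.value: package_accepted(p, dual_signed, keyring) for p in Policy}


if __name__ == "__main__":
    # Client that has not yet installed the 2019 key versus one that has.
    print("old key only:", rollover_outcome({OLD_KEY}))
    print("both keys:   ", rollover_outcome({OLD_KEY, NEW_KEY}))
```

Running it shows the failure mode from the bug: with only the old key in the keyring, the dual-signed package is rejected under `t` but accepted under the default, and adding the new key makes all three policies agree. The model also shows why the reporter's preferred reading is not equivalent to `allow-unsigned`: a signature that verifies badly under a known key still fails the default policy, while a single good signature would carry it under the "any" reading.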
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.