bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#17625: 24.4.50; All installed packages marked "unsigned", no archive

From: Stefan Monnier
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sun, 22 Jun 2014 08:30:09 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux) 
>> I suggest creating a test package on elpa.gnu.org that is signed to see
>> how it works.
> Is anyone interested in doing this?
> This feature seems like it might be almost there, so IMO it would seem
> like a shame to release 24.4 without ever testing this in the wild.

I could try if someone tells me what I need to do.

>> If package-check-signature has its default value, `allow-unsigned', you
>> can happily install a package with no signature, but trying to install
>> one that _is_ signed, but for which you don't have the public key, fails
>> with "Failed to verify signature".
> I think that is a potential show-stopper. 

The "failed to verify" should distinguish the "we don't have the key"
case from the "signature is invalid" case, indeed.

> Perhaps archives could also provide keys for download in a standard location.
> The first time you connect to a given archive, Emacs could offer to
> download and import the key (with a suitable warning). Or is this crazy?

No, it sounds reasonable.  We'll also need support for updating the key,
at some point.


        Stefan
reply via email to
[Prev in Thread] Current Thread [Next in Thread]