bug#17625: 24.4.50; All installed packages marked "unsigned", no archive
From: Stefan Monnier
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Mon, 29 Sep 2014 23:55:00 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux)

> @c Uncomment this if it becomes true.
> @ignore
> The public key for the GNU package archive is distributed with Emacs,
> in the @file{etc/package-keyring.gpg}. Emacs uses it automatically.
> @end ignore

> The ELPA maintainer public key .gpg file is needed. Right now I can't
> find it so I can't actually verify any packages. Am I missing something?

It's in the file described in the (commented out) doc you cited above.
You are tracking emacs-24 to help us with the pretest, right?

> Are there docs on the signing process? I don't see anything in the ELPA
> repository under admin.

No, indeed, it's not there, because the signing is done completely
separately (to hopefully try and keep the private key a bit more
private). But it's a really simple makefile that looks for *.tar, *.el,
and archive-contents and runs "gpg --detach-sign $<" on them.

> I also think that we should set `package-check-signature` aggressively
> if we can verify a basic signature verification.

For now my main concern is to make sure GNU ELPA can still be accessed
by users of 24.4, and that they *can* check the signature if they so wish.

> I am attaching a small patch to provide a "Verify" button in the package
> description, so the user doesn't have to try to install the package to find
> out if it's signed. If you agree, I can commit it.

I can't imagine why a user would want to check if a package is signed.
All GNU ELPA packages are signed, and I hope that soon all ELPA packages
will be signed.

Stefan
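
The signing step described in this message, together with the client-side check it makes possible, as an added shell example (not the ELPA makefile and not code from this thread). It uses a throwaway key and constructed files; the function names are hypothetical, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Constructed demo: throwaway key and sample files only. Nothing here is the
# GNU ELPA key, makefile or archive. Assumes GnuPG 2.1 or later as `gpg`.

# Make a passphrase-less throwaway signing key under $1/signer and export its
# public half to $1/package-keyring.gpg. Leaves GNUPGHOME set for sign_archive.
make_demo_key() {
    GNUPGHOME="$1/signer"; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Archive <demo@example.invalid>' \
        ed25519 sign never 2>/dev/null || return 1
    gpg --batch --export > "$1/package-keyring.gpg"
}

# Signing side, as the message describes it: every *.tar, *.el and
# archive-contents in directory $1 gets a detached FILE.sig beside it.
sign_archive() {
    for f in "$1"/*.tar "$1"/*.el "$1"/archive-contents; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal
        gpg --batch --yes --quiet --detach-sign "$f" || return 1
    done
}

# Client side: verify FILE ($2) against FILE.sig using only the public keyring
# ($1) in a fresh home directory, so the signer's private key is never in reach.
# Returns 0 for a good signature, 2 if there is no .sig, non-zero otherwise.
verify_file() {
    [ -f "$2.sig" ] || return 2
    vhome=$(mktemp -d) || return 1
    gpg --batch --quiet --homedir "$vhome" --no-default-keyring \
        --keyring "$1" --verify "$2.sig" "$2" 2>/dev/null
    rc=$?
    rm -rf "$vhome"
    return "$rc"
}

# Run the whole round trip on a constructed file: sh thisfile demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); printf ';; constructed\n' > "$d/demo-1.0.el"
    make_demo_key "$d" && sign_archive "$d" &&
        verify_file "$d/package-keyring.gpg" "$d/demo-1.0.el" && echo verified
    rm -rf "$d"
fi
```

Pass the keyring as an absolute path: gpg looks for a `--keyring` name without a slash inside its home directory.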