
Re: ELPA security


From: Ted Zlatanov
Subject: Re: ELPA security
Date: Fri, 28 Jun 2013 11:47:03 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Sun, 23 Jun 2013 12:41:32 -0400 Stefan Monnier <address@hidden> wrote: 

TZ> etc/elpa/ARCHIVE-NAME can contain the actual armored GPG signature but
TZ> it can also have more metadata about the archive.  So the format could
TZ> be:

TZ> url=ARCHIVE-URL
TZ> other-metadata=whatever
TZ> then-a-new-line=ends metadata

TZ> SIGNATURE

TZ> and if SIGNATURE is missing, the archive is not signed.

SM> Hmm... I'm not sure I understand the issues here.  IIUC Debian
SM> uses a GPG keyring.  What's the difference?  Also, you talk about the
SM> signature here, whereas I think "an archive has a key, each package has
SM> a signature".

Sorry, I've been careless with the terminology.

Each file P has a detached signature P.gpgsig.

Each archive A has a public key A.key.

To verify that A signed P, the package.el user must import A.key into a
GPG keyring (either the default or, as I was suggesting to Daiki Ueno, a
special "elpa" keyring).  A GPG keyring is a storage space for keys,
essentially.

I propose `etc/elpa/A' to contain some metadata about the archive.  The
existence of that file should be noted in `package-archives-found' and
should be the only way to specify a signed archive.  The format of
`etc/elpa/A' would be:

url=ARCHIVE-URL
other-metadata=whatever
then-a-new-line=ends metadata

[after a final newline, append the contents of A.key]

This would let the user or site admin easily install or remove ELPA
archives without modifying Emacs Lisp code.  `package-archives' would
remain, but only as a way to specify unsigned archives.

>> For now I'm using the old format.  Archives are signed by default as
>> requested.  I've rebased the patch against the changes to package.el.

SM> I think the list of signed/unsigned archives should be managed
SM> dynamically/automatically: if a signature is missing, ask the user if
SM> she thinks it's normal, and if so, place the archive into a list of
SM> "unsigned archives", so the question is not repeated.  But every time we
SM> access the archive, we still try to get the signature.  If we do find
SM> a signature, then remove the archive from the "unsigned archives" list.

I'd rather go with the `etc/elpa/A' scheme above.  Can you please
consider it?

>> Also the signature has to be named .gpgsig because the extension .gpg
>> (the default) makes EPA/EPG attempt to decrypt it.

SM> ".gpgsig" is fine, as is ".sig".  Are you talking about the packages's
SM> signatures, or about some ~/.emacs.d/elpa/archive/key.gpgsig?

P.gpgsig for every file P.

Ted
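As an added illustration of the scheme Ted describes (this is not code from the message or from package.el), the following Python splits a proposed `etc/elpa/A` file into its metadata lines and the appended `A.key`, treats a file with nothing after the metadata as an unsigned archive, and builds the GPG invocations that import `A.key` into a dedicated keyring and check `P.gpgsig` against `P`. The sample file contents, the `elpa.gpg` keyring name and the `example.org` URL are assumptions.

```python
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of the proposed etc/elpa/A file: metadata lines,
# a blank line, then the archive's armored public key A.key appended.
SAMPLE_ARCHIVE_FILE = """url=https://elpa.example.org/packages/
other-metadata=whatever

-----BEGIN PGP PUBLIC KEY BLOCK-----
(constructed placeholder, not a real key)
-----END PGP PUBLIC KEY BLOCK-----
"""


def parse_archive_file(text: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Return (metadata, key_text) for an etc/elpa/A file.

    The first empty line ends the metadata; everything after it is A.key.
    If nothing follows the metadata, the archive is unsigned: key is None.
    """
    metadata: Dict[str, str] = {}
    lines = text.splitlines()
    i = 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed metadata line: {line!r}")
        metadata[key.strip()] = value.strip()
    else:
        # Loop ran out without a blank line: metadata only, no key appended.
        return metadata, None
    key_text = "\n".join(lines[i + 1:]).strip()
    return metadata, (key_text + "\n") if key_text else None


def gpg_import_argv(keyring: str, key_path: str) -> List[str]:
    # Import A.key into a separate "elpa" keyring instead of the default one.
    return ["gpg", "--no-default-keyring", "--keyring", keyring, "--import", key_path]


def gpg_verify_argv(keyring: str, file_path: str) -> List[str]:
    # Every file P carries a detached signature P.gpgsig next to it.
    return ["gpg", "--no-default-keyring", "--keyring", keyring,
            "--verify", file_path + ".gpgsig", file_path]


def verify_file(keyring: str, file_path: str) -> bool:
    """Run the verification; True only if gpg is present and accepts P.gpgsig."""
    if shutil.which("gpg") is None:
        return False
    return subprocess.run(gpg_verify_argv(keyring, file_path)).returncode == 0
```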
