Re: ELPA security
From: Ted Zlatanov
Subject: Re: ELPA security
Date: Fri, 28 Jun 2013 11:47:03 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
On Sun, 23 Jun 2013 12:41:32 -0400 Stefan Monnier <address@hidden> wrote:
TZ> etc/elpa/ARCHIVE-NAME can contain the actual armored GPG signature but
TZ> it can also have more metadata about the archive. So the format could
TZ> be:
TZ> url=ARCHIVE-URL
TZ> other-metadata=whatever
TZ> then-a-new-line=ends metadata
TZ> SIGNATURE
TZ> and if SIGNATURE is missing, the archive is not signed.
SM> Hmm... I'm not sure I understand the issues here. IIUC Debian
SM> uses a GPG keyring. What's the difference? Also, you talk about the
SM> signature here, whereas I think "an archive has a key, each package has
SM> a signature".
Sorry, I've been careless with the terminology.
Each file P has a detached signature P.gpgsig.
Each archive A has a public key A.key.
To verify that A signed P, the package.el user must import A.key into a
GPG keyring (either the default or, as I was suggesting to Daiki Ueno, a
special "elpa" keyring). A GPG keyring is a storage space for keys,
essentially.
I propose `etc/elpa/A' to contain some metadata about the archive. The
existence of that file should be noted in `package-archives-found' and
should be the only way to specify a signed archive. The format of
`etc/elpa/A' would be:
url=ARCHIVE-URL
other-metadata=whatever
then-a-new-line=ends metadata
[after a final newline, append the contents of A.key]
This would let the user or site admin easily install or remove ELPA
archives without modifying Emacs Lisp code. `package-archives' would
remain, but only as a way to specify unsigned archives.
>> For now I'm using the old format. Archives are signed by default as
>> requested. I've rebased the patch against the changes to package.el.
SM> I think the list of signed/unsigned archives should be managed
SM> dynamically/automatically: if a signature is missing, ask the user if
SM> she thinks it's normal, and if so, place the archive into a list of
SM> "unsigned archives", so the question is not repeated. But every time we
SM> access the archive, we still try to get a signature. If we do find
SM> a signature, then remove the archive from the "unsigned archives" list.
I'd rather go with the `etc/elpa/A' scheme above. Can you please
consider it?
>> Also the signature has to be named .gpgsig because the extension .gpg
>> (the default) makes EPA/EPG attempt to decrypt it.
SM> ".gpgsig" is fine, as is ".sig". Are you talking about the packages'
SM> signatures, or about some ~/.emacs.d/elpa/archive/key.gpgsig?
P.gpgsig for every file P.
Ted
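The `etc/elpa/A' layout proposed above (key=value metadata, a blank line, then the archive's public key, with a missing key meaning "unsigned"), as an added example in Python rather than package.el's Emacs Lisp; this is not code from the thread or from package.el, and the sample file contents, the `elpa.gpg` keyring name and the `gpg_verify_command` helper are my own assumptions:

```python
# Constructed sample of the proposed `etc/elpa/A' file: key=value metadata,
# a blank line, then the contents of A.key (armored public key) verbatim.
# The key material below is a constructed placeholder, not a real key.
SAMPLE_SIGNED = """url=https://elpa.example.org/packages/
maintainer=archive-admin

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBEXAMPLE...constructed-placeholder...
-----END PGP PUBLIC KEY BLOCK-----
"""

# Same layout with nothing after the blank line: an unsigned archive.
SAMPLE_UNSIGNED = "url=https://elpa.example.org/unsigned/\n\n"


def parse_archive_file(text):
    """Parse an `etc/elpa/A' file into (metadata dict, armored key or None).

    Metadata ends at the first blank line; whatever follows is taken as the
    archive key. No key means the archive is treated as unsigned.
    """
    header, _sep, body = text.partition("\n\n")
    meta = {}
    for line in header.splitlines():
        if not line.strip():
            continue
        key, eq, value = line.partition("=")
        if not eq:
            raise ValueError("malformed metadata line: %r" % line)
        meta[key.strip()] = value.strip()
    if "url" not in meta:
        raise ValueError("archive file must name the archive url")
    key_block = body.strip()
    if not key_block:
        return meta, None  # no key: unsigned archive
    if not key_block.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("trailing data is not an armored public key")
    return meta, key_block + "\n"


def gpg_verify_command(keyring, package_path):
    """Build the gpg argv that checks file P against its detached P.gpgsig,
    trusting only keys in the dedicated elpa keyring (assumed file name)."""
    return ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
            "--verify", package_path + ".gpgsig", package_path]
```

Importing A.key into that keyring (`gpg --no-default-keyring --keyring elpa.gpg --import`) is the one-time step that has to happen before the verify command can succeed.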