[PATCH] package.el: check tarball signature
From: Daiki Ueno
Subject: [PATCH] package.el: check tarball signature
Date: Mon, 30 Sep 2013 15:48:16 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)

Well, I still don't understand why this is advertised as such a
difficult problem, particularly why package.el would need a sign operation
with Emacs. Am I missing something?

Perhaps it might make sense to discuss with some code. Here it is.

The code verifies a detached signature NAME-VERSION.tar.sig with a
trusted keyring located under ~/.emacs.d/elpa/gnupg/. That's it.

For uploading packages, we could simply use the same mechanism as
gnupload in Gnulib.

It's actually 10 minutes of work at an airport lobby and tested only with
the local package archive.

=== modified file 'lisp/emacs-lisp/package.el'
--- lisp/emacs-lisp/package.el 2013-08-03 02:34:22 +0000
+++ lisp/emacs-lisp/package.el 2013-09-30 16:50:40 +0000
@@ -739,13 +739,44 @@
(error "Error during download request:%s"
(buffer-substring-no-properties (point) (line-end-position))))))
+(declare-function epg-make-context "epg"
+ (&optional protocol armor textmode include-certs
+ cipher-algorithm
+ digest-algorithm
+ compress-algorithm))
+(declare-function epg-context-set-home-directory "epg" (context directory))
+(declare-function epg-verify-file "epg" (context signature
+ &optional signed-text plain))
+
+(defun package--check-signature (pkg-desc)
+ "Check signature of a package.
+GnuPG keyring is located under \"gnupg\" in `package-user-dir'."
+ (let* ((location (package-archive-base pkg-desc))
+ (sig-file (concat (package-desc-full-name pkg-desc)
+ (package-desc-suffix pkg-desc)
+ ".sig"))
+ (signature (package--with-work-buffer location sig-file
+ (buffer-string)))
+ (context (epg-make-context 'OpenPGP)))
+ (epg-context-set-home-directory context
+ (expand-file-name "gnupg" package-user-dir))
+ (epg-verify-file context signature (buffer-string))))
+
(defun package-install-from-archive (pkg-desc)
"Download and install a tar package."
(let ((location (package-archive-base pkg-desc))
(file (concat (package-desc-full-name pkg-desc)
(package-desc-suffix pkg-desc))))
(package--with-work-buffer location file
- (package-unpack pkg-desc))))
+ (if (condition-case nil
+ (progn
+ (package--check-signature pkg-desc)
+ t)
+ (error (y-or-n-p
+ (format "Cannot verify signature of `%s'; \
+install it anyway? "
+ (package-desc-name pkg-desc)))))
+ (package-unpack pkg-desc)))))
(defvar package--initialized nil)
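
Review bot: In package-install-from-archive, the new condition-case counts the check as passed whenever package--check-signature returns without signaling, via `(progn (package--check-signature pkg-desc) t)`, so the return value and the verification result stored in the EPG context are never inspected. A signature that GnuPG processes but does not report as good (bad, expired, or made by a key outside the trusted keyring) should not reach package-unpack on that path. Suggest having package--check-signature read `(epg-context-result-for context 'verify)` and signal an error unless a signature has status `good`. Two smaller points in package--check-signature: `epg-verify-file` is declared with SIGNATURE and SIGNED-TEXT as file arguments, yet it is passed the contents of two buffers, which is what `epg-verify-string` is for; and the `(buffer-string)` used as the signed text silently depends on the caller's work buffer holding the tarball, so either pass the data as an argument or state that requirement in the docstring. The docstring should also say what the function does on failure, and a missing .sig file currently lands in the same "install it anyway?" prompt as a failed verification, which is worth distinguishing for the user.
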
Regards,
--
Daiki Ueno