emacs-orgmode

Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb


From: Jean Louis
Subject: Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]
Date: Thu, 5 Nov 2020 21:18:42 +0300
User-agent: Mutt/+ (1036f0e) (2020-10-18)

* Bastien <bzg@gnu.org> [2020-11-05 20:19]:
> Hi Jean Louis,
> 
> Jean Louis <bugs@gnu.support> writes:
> 
> > GNU ELPA provides signed archive-contents. Org should provide it too,
> > isn't it?
> 
> can you let us know what are the steps involved in signing
> the archive-contents file?

This I found out because I have the variable `package-check-signature'
turned on. The majority who get Emacs with the value `allow-unsigned'
will not even see that.

Documentation:
Non-nil means to check package signatures when installing.
More specifically the value can be:
- nil: package signatures are ignored.
- `allow-unsigned': install a package even if it is unsigned, but
  if it is signed, we have the key for it, and OpenGPG is
  installed, verify the signature.
- t: accept a package only if it comes with at least one verified signature.
- `all': same as t, except when the package has several signatures,
  in which case we verify all the signatures.


You can probably automate it. It is in the Emacs Lisp manual:

41.4 Creating and Maintaining Package Archives
==============================================

   One way to increase the security of your packages is to “sign” them
using a cryptographic key.  If you have generated a private/public gpg
key pair, you can use gpg to sign the package like this:

     gpg -ba -o FILE.sig FILE

For a single-file package, FILE is the package Lisp file; for a
multi-file package, it is the package tar file.  You can also sign the
archive’s contents file in the same way.  Make the ‘.sig’ files
available in the same location as the packages.  You should also make
your public key available for people to download; e.g., by uploading it
to a key server such as <https://pgp.mit.edu/>.  When people install
packages from your archive, they can use your public key to verify the
signatures.

   A full explanation of these matters is outside the scope of this
manual.  For more information on cryptographic keys and signing, *note
GnuPG: (gnupg)Top.  Emacs comes with an interface to GNU Privacy Guard,
*note EasyPG: (epa)Top.
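The signing procedure the manual describes, scripted end to end as an added example. This is not code from the Emacs manual or from the Org project; it assumes GnuPG 2.2 or later on PATH, builds a constructed two-file archive with a throwaway key in a scratch GNUPGHOME, signs archive-contents and every package file with `gpg -ba`, exports the public key beside them, and then checks that the signatures verify and that a tampered archive-contents no longer does. The package name `demo-pkg`, the key user id and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the Emacs manual or from the Org project:
# sign an ELPA-style archive directory as the manual describes, then verify it.
# Assumes GnuPG 2.2+ on PATH; file and key names below are illustrative.
set -eu

# sign_archive DIR KEYID
# Writes an ASCII-armored detached signature FILE.sig beside archive-contents
# and beside every single-file (.el) and multi-file (.tar) package in DIR,
# exactly as `gpg -ba -o FILE.sig FILE' does for one file.
sign_archive() {
    dir=$1; keyid=$2
    for f in "$dir"/archive-contents "$dir"/*.el "$dir"/*.tar; do
        [ -f "$f" ] || continue        # skip a glob that matched nothing
        gpg --batch --yes --local-user "$keyid" -ba -o "$f.sig" "$f"
    done
}

# verify_archive DIR
# Returns 0 only if every one of those files has a .sig that verifies against
# a key in the current GNUPGHOME; a missing or bad signature returns 1.
verify_archive() {
    dir=$1
    for f in "$dir"/archive-contents "$dir"/*.el "$dir"/*.tar; do
        [ -f "$f" ] || continue
        [ -f "$f.sig" ] || return 1
        gpg --batch --verify "$f.sig" "$f" >/dev/null 2>&1 || return 1
    done
}

# demo_sign_and_verify
# Builds a constructed archive in a scratch directory with a throwaway key,
# signs it, checks that it verifies, then tampers with archive-contents and
# checks that verification now fails. Returns 0 when all of that holds.
demo_sign_and_verify() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    archive="$work/archive"; mkdir "$archive"

    # Constructed archive-contents and package (the shape package.el reads),
    # not real packages from any archive.
    cat > "$archive/archive-contents" <<'EOF'
(1 (demo-pkg . [(1 0) nil "Constructed demo package" single]))
EOF
    cat > "$archive/demo-pkg-1.0.el" <<'EOF'
;;; demo-pkg.el --- Constructed demo package -*- lexical-binding: t -*-
;; Version: 1.0
(provide 'demo-pkg)
;;; demo-pkg.el ends here
EOF

    # Throwaway signing key for the demo; a real archive uses a long-lived key
    # whose public half is published (key server or a file next to the archive).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Archive <demo@example.invalid>' default default never \
        >/dev/null 2>&1
    fpr=$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^fpr/ {print $10; exit}')
    gpg --batch --armor --export "$fpr" > "$archive/archive-key.asc"

    sign_archive "$archive" "$fpr"

    status=0
    verify_archive "$archive" || status=1     # fresh signatures must verify

    # Simulate a modified archive-contents (e.g. an injected package entry):
    # the detached signature must now fail to verify.
    printf '(demo-evil . [(9 9) nil "tampered entry" single])\n' >> "$archive/archive-contents"
    verify_archive "$archive" && status=1     # tampered file must NOT verify

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    return $status
}
```

On the consumer side, the exported `archive-key.asc` is what users import into the keyring Emacs uses for package signatures, the directory named by `package-gnupghome-dir` (by default `~/.emacs.d/elpa/gnupg`), for example with `gpg --homedir ~/.emacs.d/elpa/gnupg --import archive-key.asc`; only then does `package-check-signature' set to `t` accept the archive, and a tampered `archive-contents` is rejected rather than silently used.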



