[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#35414: 26.2; ELPA packages signed with second, unknown key
|
From: |
Stefan Monnier |
|
Subject: |
bug#35414: 26.2; ELPA packages signed with second, unknown key |
|
Date: |
Wed, 24 Apr 2019 18:36:29 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) |
> I see. Sorry, I only searched the bugs list but not the diffs list!
No need to apologize: the new sigs appeared before the keyring
was distributed.
>> Hmm... I just tried with Debian's Emacs-25.1 and with a new build from
>> the `emacs-26` branch:
>>
>> emacs -Q --eval '(setq package-check-signature t)
>> M-x package-list-packages RET
>> M-x package-refresh-contents RET
>>
>> and didn't get any error.
>
> I suppose it's worth asking (but apologies if I misunderstand what's
> happening under the hood): did you perform this test with an empty
> keyring (or just with what's available in Debian's Emacs-25.1
> installation)?
The keyring was not empty, but only had the 2014 key.
> I suspect that you already have the new public key in
> your keyring, so you wouldn't experience the problem.
I was also afraid of that, so I double checked.
>> It's a brand new key that is now in etc/package-keyring.gpg in the
>> `master` branch of Emacs, as well as in the `gnu-elpa-keyring-update`
>> package in GNU ELPA.
>>
>> This is because the key 474F05837FBDEF9B is about to expire (it's
>> really high time we start preparing for the new key).
>
> OK, that should make things easy enough.
But I don't want for people to have to update their keyring already:
they'll need to do that some time before September, but updating your
keyring will just hide the problem you're seeing.
> Unfortunately, installing the package (after temporarily disabling sig
> verification) doesn't solve the problem for me. Am I correct to assume
> that the package should "just work" after installing (and restarting
> Emacs)?
Yes, even without restarting Emacs.
> I looked at the ELPA git repo and saw that the keyring should be
> distributed in the etc subdirectory of the package.
Oh, duh, of course, the scripts decided to make a single-file package
out of it, so the keyring is missing. I'll fix that.
> So, I guess the "bug" at this point is that it would appear that the
> keyring isn't properly installed with the keyring-update package. I
> apologize for the original noise, since you obviously had already
> considered and worked on a fix for the underlying problem.
No, the bug is that the signature verification should not signal an
error before September 2019 even if you don't have the new key.
Could you remove the gnu-elpa-keyring-update package, and the 2019
key from your keyring and try and help us figure out why you get
those errors and I don't?
Stefan
- bug#35414: 26.2; ELPA packages signed with second, unknown key, Brandon Invergo, 2019/04/24
- bug#35414: 26.2; ELPA packages signed with second, unknown key, Glenn Morris, 2019/04/24
- bug#35414: 26.2; ELPA packages signed with second, unknown key, Stefan Monnier, 2019/04/24
- bug#35414: 26.2; ELPA packages signed with second, unknown key, Brandon Invergo, 2019/04/24
- bug#35414: 26.2; ELPA packages signed with second, unknown key,
Stefan Monnier <=
- bug#35414: 26.2; ELPA packages signed with second, unknown key, Stefan Monnier, 2019/04/24
- bug#35414: 26.2; ELPA packages signed with second, unknown key, Glenn Morris, 2019/04/24
- bug#35414: 26.2; ELPA packages signed with second, unknown key, Eli Zaretskii, 2019/04/25
- bug#35414: 26.2; ELPA packages signed with second, unknown key, Brandon Invergo, 2019/04/25