emacs-devel

Re: ELPA security


From: Ted Zlatanov
Subject: Re: ELPA security
Date: Fri, 28 Jun 2013 11:32:25 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Mon, 24 Jun 2013 12:44:47 +0900 Daiki Ueno <address@hidden> wrote: 

DU> Ted Zlatanov <address@hidden> writes:
TZ> Using EPG functions, however, I could not figure out how to verify with
TZ> an external public GPG key.  I don't see that option with any of the
TZ> context functions.  Perhaps someone knows?  Without that option, the
TZ> user has to explicitly load the maintainer's public GPG key, which is
TZ> very impractical around package.el.

DU> I guess you probably mean something like debian-keyring by "external
DU> public GPG key", right?  If so, you can use an alternative ~/.gnupg
DU> directory (e.g. ~/.emacs.d/elpa/gnupg/) set through
DU> epg-gpg-home-directory, and import the keyring with
DU> epg-import-keys-from-file on M-x package-list-packages, etc.

Would it be better to follow the steps here than to have a separate
directory?  Or maybe we should do a separate key ring AND an alternative
directory?

http://stackoverflow.com/questions/9073288/decrypt-encrypted-gpg-file-using-external-secret-key

e.g.

gpg --import --no-default-keyring --secret-keyring elpa maintainer.key
gpg --verify file.gpgsig --secret-keyring elpa file
rm ~/.gnupg/elpa.gpg

DU> I'm not following the discussion nor the code, sorry if I'm missing the
DU> point.

Your help is appreciated in any way, of course, but this discussion in
particular will make EPG a fundamental tool for most ELPA interactions,
so your review would be most welcome.

Ted
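
The alternative-home-directory approach Daiki describes above, as an added Emacs Lisp example that is not part of the original message or of package.el. The my-elpa-* names are hypothetical, and it assumes that binding epg-gpg-home-directory around epg-make-context and the EPG calls is what selects the dedicated directory.

```elisp
;;; Added example: verify a detached signature against a dedicated
;;; GnuPG home, so keys in the user's own ~/.gnupg are never consulted.
;;; The my-elpa-* names are hypothetical, not package.el's.
(require 'epg)

(defvar my-elpa-gnupg-home (expand-file-name "~/.emacs.d/elpa/gnupg/")
  "Dedicated GnuPG home directory (the path suggested in the thread).")

(defun my-elpa-import-keyring (keyring-file)
  "Import the archive maintainers' public keys from KEYRING-FILE.
The keys go into `my-elpa-gnupg-home', not the user's default keyring."
  (make-directory my-elpa-gnupg-home t)
  ;; gpg warns about a home directory that other users can read.
  (set-file-modes my-elpa-gnupg-home #o700)
  (let ((epg-gpg-home-directory my-elpa-gnupg-home))
    (epg-import-keys-from-file (epg-make-context 'OpenPGP) keyring-file)))

(defun my-elpa-verify (file sig-file)
  "Verify detached signature SIG-FILE over FILE.
Return the fingerprints of the good signatures made by keys in
`my-elpa-gnupg-home'; signal an error when there is none."
  (let* ((epg-gpg-home-directory my-elpa-gnupg-home)
         (context (epg-make-context 'OpenPGP)))
    ;; For a detached signature the signature file comes first and
    ;; the signed data second.
    (epg-verify-file context sig-file file)
    (let ((good (delq nil
                      (mapcar
                       (lambda (sig)
                         ;; Anything other than `good' (bad, expired,
                         ;; revoked key, unknown key) is rejected.
                         (and (eq (epg-signature-status sig) 'good)
                              (epg-signature-fingerprint sig)))
                       (epg-context-result-for context 'verify)))))
      (or good
          (error "No good signature on %s from a key in %s"
                 file my-elpa-gnupg-home)))))
```

Because the dedicated directory holds only the imported archive keys, a signature made by any other key, including one the user trusts in ~/.gnupg, comes back with a non-good status and is refused.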


