emacs-devel
From: Stefan Kangas
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Mon, 19 Oct 2020 15:55:26 +0000

Jean Louis <bugs@gnu.support> writes:

>    One way to increase the security of your packages is to “sign” them
> using a cryptographic key.  If you have generated a private/public gpg
> key pair, you can use gpg to sign the package like this:
>
>      gpg -ba -o FILE.sig FILE
>
> But it is not implemented in Emacs to verify that packages are signed,
> so my proposal is that Emacs get obligatory verification of a package
> if such a package is arriving from any repository, and warn the user if
> the package was not signed. This would give initiative to MELPA to start
> thinking about security issues.
>
> That is one of the reasons why Hyperbola GNU/Linux-libre and other
> GNU/Linux distributions package some major Emacs packages, as that way
> the package maintainers verify the package before it is included in
> the free software distribution.
>
> In the same manner Emacs should have a built-in package installation
> procedure (that can be circumvented by users' configuration) to verify
> all packages being installed by default.

We have signing of packages on the package archive side that is verified
by default when it exists.  See `package-check-signature'.  (If I'm not
mistaken, GNU ELPA signs packages but MELPA doesn't.  Please correct me
if I'm wrong.)

Note that package signatures still leave us open to replay attacks.
See Bug#19479 and the branch scratch/package-security for an attempt to
improve the situation.

I think it would be useful if package archives could implement a
requirement for signed commits before building a new package.  This
could be optional or mandatory, and would buy us an additional layer of
protection against compromised developer credentials.
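As an added illustration of the replay caveat above (this is not code from Emacs, ELPA or the thread): a client that only checks the archive's signature on the package index accepts any index the archive ever signed, so a previously published index can be served to it again; recording the last issued timestamp the client accepted and bounding the index's age closes that gap. The HMAC stands in for the detached PGP signature, and the key, timestamps and package names are all constructed.

```python
import hmac
import hashlib
import json

# Constructed archive key. For GNU ELPA the archive's PGP key would sign
# archive-contents with gpg (a detached .sig); an HMAC stands in here so
# the example runs offline, since the point is what the client checks.
ARCHIVE_KEY = b"constructed-archive-signing-key"

def sign_index(index):
    """Serialize a package index and attach the archive's signature."""
    body = json.dumps(index, sort_keys=True).encode()
    sig = hmac.new(ARCHIVE_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def signature_valid(signed):
    expected = hmac.new(ARCHIVE_KEY, signed["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def verify_signature_only(signed, state):
    """What a signature-only client does: any index the archive ever
    signed is accepted, so an older index can be served again."""
    return signature_valid(signed)

def verify_with_freshness(signed, state, now, max_age=7 * 24 * 3600):
    """Signature plus freshness: reject an index older than the last one
    this client accepted (rollback) or past its maximum age (stale)."""
    if not signature_valid(signed):
        return False
    index = json.loads(signed["body"])
    if now - index["issued"] > max_age:
        return False  # validly signed, but too old to trust
    if index["issued"] < state.get("last_issued", 0):
        return False  # validly signed, but older than what we already saw
    state["last_issued"] = index["issued"]
    return True

def replay_demo():
    """Constructed scenario: the client has seen the current index, then
    is handed the previous (still validly signed) index again."""
    old = sign_index({"issued": 1000, "packages": {"foo": "1.0"}})
    new = sign_index({"issued": 2000, "packages": {"foo": "1.1"}})
    state = {}
    verify_with_freshness(new, state, now=2500)
    return (verify_signature_only(old, state),
            verify_with_freshness(old, state, now=2500))

if __name__ == "__main__":
    print("(signature-only, with-freshness) accept replayed index:", replay_demo())
```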


