unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
@ 2019-03-30 23:36 Andrew Luke Nesbit
  2019-03-31 15:09 ` Eli Zaretskii
  0 siblings, 1 reply; 7+ messages in thread
From: Andrew Luke Nesbit @ 2019-03-30 23:36 UTC (permalink / raw)
  To: 35060

At https://www.gnu.org/software/emacs/download.html the source
tarballs are said to be signed with "the GPG key from Nicolas
Petton [...] D405 AA2C 862C 54F1 7EEE 6BE0 E8BC D786 6AFC
F978 (since 26.1), which can be found in the GNU keyring."


Not only is this key not in the GNU keyring, but it has also
been revoked from the public key server network.


In GNU Emacs 26.1 (build 1, x86_64-pc-linux-gnu)

 of 2019-03-30

System Description:     Debian GNU/Linux 9.8 (stretch)






^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
  2019-03-30 23:36 bug#35060: 26.1; Incorrect OpenPGP key on Emacs site Andrew Luke Nesbit
@ 2019-03-31 15:09 ` Eli Zaretskii
  2019-03-31 15:16   ` Andrew Luke Nesbit
  0 siblings, 1 reply; 7+ messages in thread
From: Eli Zaretskii @ 2019-03-31 15:09 UTC (permalink / raw)
  To: Andrew Luke Nesbit; +Cc: 35060

> From: Andrew Luke Nesbit <ullbeking@andrewnesbit.org>
> Date: Sat, 30 Mar 2019 23:36:52 +0000
> 
> At https://www.gnu.org/software/emacs/download.html the source
> tarballs are said to be signed with "the GPG key from Nicolas
> Petton [...] D405 AA2C 862C 54F1 7EEE 6BE0 E8BC D786 6AFC
> F978 (since 26.1), which can be found in the GNU keyring."
> 
> 
> Not only is this key not in the GNU keyring, but it has also
> been revoked from the public key server network.

See

  http://lists.gnu.org/archive/html/emacs-devel/2019-03/msg00732.html





^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
  2019-03-31 15:09 ` Eli Zaretskii
@ 2019-03-31 15:16   ` Andrew Luke Nesbit
  2019-03-31 16:23     ` Alan Third
  0 siblings, 1 reply; 7+ messages in thread
From: Andrew Luke Nesbit @ 2019-03-31 15:16 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 35060

On 31/03/2019 16:09, Eli Zaretskii wrote:
>> From: Andrew Luke Nesbit <ullbeking@andrewnesbit.org>
>> Date: Sat, 30 Mar 2019 23:36:52 +0000

[...]

>> Not only is this key not in the GNU keyring, but it has also
>> been revoked from the public key server network.
> 
> See
> 
>   http://lists.gnu.org/archive/html/emacs-devel/2019-03/msg00732.html

The public key server network has the key marked as revoked:
https://keyserver.escomposlinux.org/pks/lookup?search=Nicolas+Petton&fingerprint=on&op=vindex

Why is it then still listed on the website as something that can be
depended on?  I cannot see how it makes sense to refer to this
particular key.





^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
  2019-03-31 15:16   ` Andrew Luke Nesbit
@ 2019-03-31 16:23     ` Alan Third
  2019-04-02  6:13       ` Andrew Luke Nesbit
  0 siblings, 1 reply; 7+ messages in thread
From: Alan Third @ 2019-03-31 16:23 UTC (permalink / raw)
  To: Andrew Luke Nesbit; +Cc: 35060

On Sun, Mar 31, 2019 at 04:16:52PM +0100, Andrew Luke Nesbit wrote:
> The public key server network has the key marked as revoked:
> https://keyserver.escomposlinux.org/pks/lookup?search=Nicolas+Petton&fingerprint=on&op=vindex

You’re looking at the wrong key, I think.
-- 
Alan Third





^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
  2019-03-31 16:23     ` Alan Third
@ 2019-04-02  6:13       ` Andrew Luke Nesbit
  2019-04-02 13:59         ` Alan Third
  0 siblings, 1 reply; 7+ messages in thread
From: Andrew Luke Nesbit @ 2019-04-02  6:13 UTC (permalink / raw)
  To: Alan Third; +Cc: 35060

On 31/03/2019 17:23, Alan Third wrote:
> On Sun, Mar 31, 2019 at 04:16:52PM +0100, Andrew Luke Nesbit wrote:
>> The public key server network has the key marked as revoked:
>> https://keyserver.escomposlinux.org/pks/lookup?search=Nicolas+Petton&fingerprint=on&op=vindex
> 
> You’re looking at the wrong key, I think.

I am indeed looking at the wrong key on the key server.  Nevertheless,
there is still a problem.

The user is instructed to verify the signature of the download, but the
information about who it's signed by is misleading.  The key that signs
the signature for releases >= 26.1 is not available as far as I can tell.





^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
  2019-04-02  6:13       ` Andrew Luke Nesbit
@ 2019-04-02 13:59         ` Alan Third
  2021-09-22 21:50           ` Lars Ingebrigtsen
  0 siblings, 1 reply; 7+ messages in thread
From: Alan Third @ 2019-04-02 13:59 UTC (permalink / raw)
  To: Andrew Luke Nesbit; +Cc: 35060


On Tue, 2 Apr 2019, 07:13 Andrew Luke Nesbit, <ullbeking@andrewnesbit.org>
wrote:

>
> The user is instructed to verify the signature of the download, but the
> information about who it's signed by is misleading.  The key that signs
> the signature for releases >= 26.1 is not available as far as I can tell.
>

It's actually a subkey, so if you updated Nicolas's key from the server it
should verify correctly. I do agree that it's confusing, though.


^ permalink raw reply	[flat|nested] 7+ messages in thread
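
The subkey point from the reply above, as an added example that is not part of the original thread: gpg's machine-readable `VALIDSIG` status line names both the key that made the signature and the primary key it belongs to, so a check against the published fingerprint should compare the primary-key field. The function names, the subkey fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Primary-key fingerprint quoted from the download page in this thread.
EXPECTED_PRIMARY="D405 AA2C 862C 54F1 7EEE 6BE0 E8BC D786 6AFC F978"

# Strip spaces and upper-case a fingerprint so it compares with gpg's form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Classify machine-readable gpg status lines read from stdin against the
# expected primary fingerprint ($1). Prints one of:
#   primary | subkey | other-key | revoked-or-expired | no-valid-sig
# (hypothetical helper; real input would come from
#   gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null)
classify_signature() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        # Signature is good but the key was revoked or has expired.
        $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the key that made the signature, the last
        # (12th) field is the primary key it belongs to.
        $2 == "VALIDSIG" && !found {
            signer  = toupper($3)
            primary = (NF >= 12) ? toupper($12) : signer
            found   = 1
        }
        END {
            if (!found)               print "no-valid-sig"
            else if (bad)             print "revoked-or-expired"
            else if (primary != want) print "other-key"
            else if (signer == want)  print "primary"
            else                      print "subkey"
        }'
}

# Constructed sample: a signature made by a signing subkey. The subkey
# fingerprint and the other field values are placeholders, not real data.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-01-01 1546300800 0 4 0 1 8 00 D405AA2C862C54F17EEE6BE0E8BCD7866AFCF978
EOF
}

sample_status | classify_signature "$EXPECTED_PRIMARY"
```

A result of `subkey` means the signature chains to the published primary key even though the fingerprint gpg prints for the signer differs from the one on the download page.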

* bug#35060: 26.1; Incorrect OpenPGP key on Emacs site
  2019-04-02 13:59         ` Alan Third
@ 2021-09-22 21:50           ` Lars Ingebrigtsen
  0 siblings, 0 replies; 7+ messages in thread
From: Lars Ingebrigtsen @ 2021-09-22 21:50 UTC (permalink / raw)
  To: Alan Third; +Cc: 35060, Andrew Luke Nesbit

Alan Third <alan@idiocy.org> writes:

> On Tue, 2 Apr 2019, 07:13 Andrew Luke Nesbit,
> <ullbeking@andrewnesbit.org> wrote:
>
>  The user is instructed to verify the signature of the download, but the
>  information about who it's signed by is misleading.  The key that signs
>  the signature for releases >= 26.1 is not available as far as I can tell.
>
> It's actually a subkey, so if you updated Nicolas's key from the server it
> should verify correctly. I do agree that it's confusing, though.

So if I understand correctly, there isn't anything to fix here, and I'm
closing this bug report.  (If I'm mistaken, and there's something that
can be done to make this less confusing, please respond to the debbugs
address and we'll reopen.)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





^ permalink raw reply	[flat|nested] 7+ messages in thread
