From: Stefan Monnier <monnier@IRO.UMontreal.CA>
To: Glenn Morris <rgm@gnu.org>
Cc: 35414@debbugs.gnu.org, Brandon Invergo <brandon@invergo.net>
Subject: bug#35414: 26.2; ELPA packages signed with second, unknown key
Date: Wed, 24 Apr 2019 15:36:50 -0400
Message-ID: <jwvsgu7p5ui.fsf-monnier+emacs@gnu.org>
In-Reply-To: <wsef5rwflb.fsf@fencepost.gnu.org> (Glenn Morris's message of "Wed, 24 Apr 2019 12:08:48 -0400")

> I assume (without checking) that this is related to the key from
> http://lists.gnu.org/r/emacs-diffs/2019-04/msg00546.html

Hmm... Indeed: this new keyring contains two keys (the old 2014 key
which will expire in September and a new key to replace it).

>> When I execute package-refresh-contents or when I try to install a
>> package from ELPA, it fails with the following error:
>>
>> Failed to verify signature archive-contents.sig:
>> No public key for 066DAFCB81E42C40 created at 2019-04-24T10:15:06+0100 using RSA
>> Good signature from 474F05837FBDEF9B GNU ELPA Signing Agent <elpasign@elpa.gnu.org> (trust undefined) created at 2019-04-24T10:15:06+0100 using DSA
>> Command output:
>> gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
>> gpg: using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
>> gpg: Good signature from "GNU ELPA Signing Agent <elpasign@elpa.gnu.org>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: CA44 2C00 F917 74F1 7F59 D9B0 474F 0583 7FBD EF9B
>> gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
>> gpg: using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
>> gpg: Can't check signature: No public key

Hmm... I just tried with Debian's Emacs-25.1 and with a new build from
the `emacs-26` branch:

    emacs -Q --eval '(setq package-check-signature t)'
    M-x package-list-packages RET
    M-x package-refresh-contents RET

and didn't get any error.

>> So, the signature by GNU ELPA Signing Agent (the key in
>> etc/package-keyring.gpg) is fine. However, there is a second key
>> involved, for which the public key 066DAFCB81E42C40 is unavailable from
>> any public keyserver that I have tried.

It's a brand new key that is now in etc/package-keyring.gpg in the
`master` branch of Emacs, as well as in the `gnu-elpa-keyring-update`
package in GNU ELPA.
This is because the key 474F05837FBDEF9B is about to expire (it's
really high time we start preparing for the new key).

>> Needless to say, it's not available in etc/package-keyring.gpg
>> either. Since I do not have the public key, the signature
>> verification fails.

Yes, it's normal that the second signature can't be verified until you
install the new key, but that shouldn't cause an error in
package-install or package-refresh-contents.  At least that's what my
tests lead me to believe.

        Stefan
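
Added example (not part of Stefan's message and not Emacs's package.el code): the situation in the quoted gpg output, one verifiable signature plus one from a key missing from the keyring, run through two acceptance policies. The status lines are constructed in the `gpg --status-fd` format, and `classify`, `accept` and `pinned_keys` are hypothetical names.

```python
# Constructed sample in the `gpg --status-fd 1 --verify` format, using the
# two key IDs from the report above; the ERRSIG field values are illustrative.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 474F05837FBDEF9B GNU ELPA Signing Agent <elpasign@elpa.gnu.org>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 066DAFCB81E42C40 1 8 00 1556097306 9
[GNUPG:] NO_PUBKEY 066DAFCB81E42C40
"""

# Constructed: the same archive after tampering, so the known key's signature fails.
TAMPERED_STATUS = SAMPLE_STATUS.replace("GOODSIG", "BADSIG")


def classify(status_text):
    """Map each signing key ID to 'good', 'bad', 'no-key' or 'error'."""
    result = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword, keyid = parts[1], parts[2][-16:]  # long key ID or fingerprint
        if keyword == "GOODSIG":
            result[keyid] = "good"
        elif keyword == "BADSIG":
            result[keyid] = "bad"
        elif keyword in ("ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            result[keyid] = "error"
        elif keyword == "NO_PUBKEY":
            result[keyid] = "no-key"  # refines the preceding ERRSIG
    return result


def accept(status_text, pinned_keys, require_all=False):
    """Lenient: one good signature from a pinned key. Strict: all of them."""
    sigs = classify(status_text)
    if not sigs or "bad" in sigs.values():
        return False  # unsigned or failed verification is rejected either way
    good = {k for k, v in sigs.items() if v == "good" and k in pinned_keys}
    return len(good) == len(sigs) if require_all else bool(good)


if __name__ == "__main__":
    pinned = {"474F05837FBDEF9B"}  # assumption: only the old key is installed
    for name, text in (("sample", SAMPLE_STATUS), ("tampered", TAMPERED_STATUS)):
        print(name, classify(text), accept(text, pinned), accept(text, pinned, True))
```

With only the old key pinned, the lenient policy accepts the sample and the strict one rejects it; a failed signature from the known key is rejected under both.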