Re: [PATCH] package.el: check tarball signature

[Ted Zlatanov <tzz@lifelogs.com>]

On Mon, 30 Sep 2013 15:48:16 -0400 Daiki Ueno <ueno@gnu.org> wrote: 

DU> Well, I still don't understand why this is advertised as such a
DU> difficult problem, particularly why package.el would need sign operation
DU> with Emacs.  Am I missing something?

Yes, I think so.  Checking package signatures in general was mostly
resolved back in June 2013, I simply didn't have time to work on it
until just now.  When I wanted to play with it over the weekend, the
GnuPG 2.0.20 behavior annoyed me enough that I complained about it and
am planning to expose the libnettle functions ASAP so we don't have to
depend on GnuPG.

The difficult part has been specifying the desired behavior, not
implementing it.

Perhaps you can look at
http://thread.gmane.org/gmane.emacs.devel/155400/focus=160631 and look
at my patch there and the surrounding discussion for background.  Stefan
participated and advised me on most of the desired features.

DU> Perhaps it might make sense to discuss with some code.  Here it is.

DU> The code verifies a detached signature NAME-VERSION.tar.sig with a
DU> trusted keyring located under ~/.emacs.d/elpa/gnupg/.  That's it.

The signed/unsigned status needs to be shown in the package listing.
Some archives are signed, some aren't.  Any file from an archive, not
just a package tarball, should be signed (especially the package index).

The management of the special gnupg keychain needs to be abstracted.
Signatures should be generated from inside Emacs.

In addition I started on the EPG interaction you've finished, so you can
probably start with my patch and fix the EPG-related pieces and any
other issues instead of writing your own.

DU> For uploading packages, we could simply use the same mechanism as
DU> gnupload in Gnulib.

DU> It's actually a 10-minute work at an airport lobby and tested only with
DU> the local package archive.

Your help is very welcome.

Ted