* Urgent matter with GNU ELPA keys
@ 2019-02-11 14:17 Stefan Monnier
2019-02-11 15:27 ` Andreas Schwab
2019-02-11 22:19 ` Phillip Lord
0 siblings, 2 replies; 4+ messages in thread
From: Stefan Monnier @ 2019-02-11 14:17 UTC (permalink / raw)
To: emacs-devel
I just saw that the GNU ELPA signing key that we distribute with Emacs
(stored in etc/package-keyring.gpg) will expire in September.
It's easy to change elpa.gnu.org to sign with a new key, but the hard
part that we need to take care of ASAP is to figure out how we're going
to let users of already-distributed Emacsen access GNU ELPA when that
new key is used.
My GPG-fu is rather weak, so I need help,
Stefan
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Urgent matter with GNU ELPA keys
2019-02-11 14:17 Urgent matter with GNU ELPA keys Stefan Monnier
@ 2019-02-11 15:27 ` Andreas Schwab
2019-02-11 15:52 ` Amin Bandali
2019-02-11 22:19 ` Phillip Lord
1 sibling, 1 reply; 4+ messages in thread
From: Andreas Schwab @ 2019-02-11 15:27 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
On Feb 11 2019, Stefan Monnier <monnier@iro.umontreal.ca> wrote:
> I just saw that the GNU ELPA signing key that we distribute with Emacs
> (stored in etc/package-keyring.gpg) will expire in September.
>
> It's easy to change elpa.gnu.org to sign with a new key, but the hard
> part that we need to take care of ASAP is to figure out how we're going
> to let users of already-distributed Emacsen access GNU ELPA when that
> new key is used.
>
> My GPG-fu is rather weak, so I need help,
You can edit a key to extend its expiration date (if you have the secret
key, of course).
Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Urgent matter with GNU ELPA keys
2019-02-11 15:27 ` Andreas Schwab
@ 2019-02-11 15:52 ` Amin Bandali
0 siblings, 0 replies; 4+ messages in thread
From: Amin Bandali @ 2019-02-11 15:52 UTC (permalink / raw)
To: Andreas Schwab; +Cc: Stefan Monnier, emacs-devel
On 2019-02-11 4:27 PM, Andreas Schwab wrote:
[...]
> You can edit a key to extend its expiration date (if you have the secret
> key, of course).
>
Indeed. One would do `gpg --edit-key <keyid>', then use `expire' to set
the expiry of the main key. If there are any subkeys (which I don’t
think is the case here, but anyway), one can toggle their selection
using the `key <number>' command where <number> is the 1-based index of
the order in which the subkey appears.
If I understand correctly, package.el imports the key(s) from the
etc/package-keyring.gpg file shipped with Emacs as you mentioned. So
the first step would indeed be updating that file to ship the key with
the extended expiry date for future releases. As for users of current
versions, however, I’m not sure what would be the best way to proceed.
For users of current versions, at some point they would have to re-fetch
the key to have its expiry date updated. We could instruct them to do
so by invoking gpg with the right options (for settings the correct gpg
home directory and the right keyring), but I’m guessing that would
require root access in most cases (since the shipped keyring file would
likely have been installed by a system package manager in a location
that cannot be written to by regular users)?
For future versions, though, I wonder if it’d be a good idea to add a
function in package.el to aid with re-fetching the key. Though even
then we’d still have to think about the root access requirement issue
for updating the shipped keyring.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Urgent matter with GNU ELPA keys
2019-02-11 14:17 Urgent matter with GNU ELPA keys Stefan Monnier
2019-02-11 15:27 ` Andreas Schwab
@ 2019-02-11 22:19 ` Phillip Lord
1 sibling, 0 replies; 4+ messages in thread
From: Phillip Lord @ 2019-02-11 22:19 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Stefan Monnier <monnier@iro.umontreal.ca> writes:
> I just saw that the GNU ELPA signing key that we distribute with Emacs
> (stored in etc/package-keyring.gpg) will expire in September.
>
> It's easy to change elpa.gnu.org to sign with a new key, but the hard
> part that we need to take care of ASAP is to figure out how we're going
> to let users of already-distributed Emacsen access GNU ELPA when that
> new key is used.
>
> My GPG-fu is rather weak, so I need help,
Write a package called "package-keys.el" which includes the new
key. Sign it with the existing key distributed with Emacs.
Of course, this will have what you might call a reverse bootstrap
problem -- users will need to install package-keys.el before they key
runs out, but they won't know that they need to do this till the key
runs out. After this, Emacs will refuse to install the package that it
needs to allow the installation. Only solution I can see here would be
to put some code that people can eval in *scratch* that bypasses the key
signing thing.
Long term solution would be an auto-updating and installing version of
package-keys.el and maybe package.el. This would have practical problems
(because ELPA doesn't support multiple versions of packages). I expect
Richard would object also.
Phil
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-02-11 22:19 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-11 14:17 Urgent matter with GNU ELPA keys Stefan Monnier
2019-02-11 15:27 ` Andreas Schwab
2019-02-11 15:52 ` Amin Bandali
2019-02-11 22:19 ` Phillip Lord
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).