From: Daiki Ueno
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] package.el: check tarball signature
Date: Wed, 02 Oct 2013 16:16:04 +0900
Message-ID: <87fvsk9m8b.fsf-ueno@gnu.org>
References: <874n92x9em.fsf@flea.lifelogs.com>
To: emacs-devel@gnu.org
In-Reply-To: <874n92x9em.fsf@flea.lifelogs.com> (Ted Zlatanov's message of "Mon, 30 Sep 2013 17:54:41 -0400")

Ted Zlatanov writes:

> Perhaps you can look at
> http://thread.gmane.org/gmane.emacs.devel/155400/focus=160631 and look
> at my patch there and the surrounding discussion for background. Stefan
> participated and advised me on most of the desired features.
>
> DU> Perhaps it might make sense to discuss with some code. Here it is.
>
> DU> The code verifies a detached signature NAME-VERSION.tar.sig with a
> DU> trusted keyring located under ~/.emacs.d/elpa/gnupg/. That's it.
>
> The signed/unsigned status needs to be shown in the package listing.
> Some archives are signed, some aren't. Any file from an archive, not
> just a package tarball, should be signed (especially the package index).

Done in my latest patch.

> The management of the special gnupg keychain needs to be abstracted.
> Signatures should be generated from inside Emacs.

I've read the discussion and patches, but it's still unclear to me.
Your latest(?) patch (package-archive-signed-3.patch) has
package--create-detached-signature, but nobody calls it.

For what purpose would you need signature generation? Perhaps you
wanted to sign locally to toggle "unsigned" status to "signed" status?
Then why is it not sufficient to just mark the package as "unsigned" and
ask package creators to sign and upload?

Or, perhaps you wanted to develop a user interface to upload tarballs
with signature? Then it should go into package-x.el instead of
package.el, I suppose.

Anyway, I'm a bit surprised that there is little research into existing
packaging systems which already utilize GPG signatures, such as Debian
and Fedora. AFAIK, those systems do not require a signing operation in
their installer UI.

> In addition I started on the EPG interaction you've finished, so you can
> probably start with my patch and fix the EPG-related pieces and any
> other issues instead of writing your own.

I'm sorry, I couldn't find anything I can reuse in your patch. It even
succeeds signature verification when GPG reports bad signatures. Also,
why did you choose the ".gpgsig" extension rather than ".sig", which has
already been used on ftp.gnu.org for a decade? And I think it's too
much to modify package--with-work-buffer to check signatures of all
files downloaded.

Regards,
-- 
Daiki Ueno
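
The failure mode raised in the message above (verification that succeeds although GPG reports a bad signature) comes down to inspecting the per-signature status instead of trusting that the EPG call returned. The following is an added example, not code from either patch in this thread or from package.el; the `example-` names and the policy of requiring every signature to be good are assumptions, and the `setf` accessor assumes Emacs 25 or later.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration: fail-closed check of a detached signature with EPG.
(require 'epg)
(require 'cl-lib)

(defun example-sig-statuses-acceptable-p (statuses)
  "Return non-nil only if STATUSES is non-empty and all are `good'.
STATUSES is a list of symbols as returned by `epg-signature-status'
\(good, bad, expired, expired-key, revoked-key, error, no-pubkey).
An empty list means GnuPG reported no signature at all, so it is
rejected as well."
  (and statuses
       (cl-every (lambda (status) (eq status 'good)) statuses)))

(defun example-verify-detached-signature (file sig-file homedir)
  "Verify FILE against the detached signature SIG-FILE.
HOMEDIR is the GnuPG home directory holding the trusted keyring,
for example the ~/.emacs.d/elpa/gnupg/ directory mentioned above.
Return t on success and signal an error otherwise."
  (let ((context (epg-make-context 'OpenPGP)))
    ;; Restrict verification to the dedicated keyring, so keys in the
    ;; user's personal keyring cannot vouch for a package.
    (setf (epg-context-home-directory context) homedir)
    ;; For a detached signature both SIGNATURE and SIGNED-TEXT are given.
    (epg-verify-file context sig-file file)
    ;; A normal return says nothing about the verdict: the result list
    ;; carries one entry per signature, each with its own status.
    (let ((statuses (mapcar #'epg-signature-status
                            (epg-context-result-for context 'verify))))
      (unless (example-sig-statuses-acceptable-p statuses)
        (error "Signature check failed for %s: %S" file statuses))
      t)))

;; Constructed status lists exercising the decision function.
(cl-assert (example-sig-statuses-acceptable-p '(good)))
(cl-assert (not (example-sig-statuses-acceptable-p '(bad))))
(cl-assert (not (example-sig-statuses-acceptable-p '(good bad))))
(cl-assert (not (example-sig-statuses-acceptable-p '(no-pubkey))))
(cl-assert (not (example-sig-statuses-acceptable-p nil)))
```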