From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Daiki Ueno <ueno@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] package.el: check tarball signature
Date: Wed, 02 Oct 2013 16:16:04 +0900
Message-ID: <87fvsk9m8b.fsf-ueno@gnu.org>
References: <m3eh863xbz.fsf-ueno@gnu.org> <874n92x9em.fsf@flea.lifelogs.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1380698177 5525 80.91.229.3 (2 Oct 2013 07:16:17 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Wed, 2 Oct 2013 07:16:17 +0000 (UTC)
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Oct 02 09:16:22 2013
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1VRGfU-0002Dq-AX
	for ged-emacs-devel@m.gmane.org; Wed, 02 Oct 2013 09:16:20 +0200
Original-Received: from localhost ([::1]:34242 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1VRGfT-0004BN-IV
	for ged-emacs-devel@m.gmane.org; Wed, 02 Oct 2013 03:16:19 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:45891)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ueno@gnu.org>) id 1VRGfP-000487-7Z
	for emacs-devel@gnu.org; Wed, 02 Oct 2013 03:16:16 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ueno@gnu.org>) id 1VRGfK-0005fy-3d
	for emacs-devel@gnu.org; Wed, 02 Oct 2013 03:16:15 -0400
Original-Received: from fencepost.gnu.org ([2001:4830:134:3::e]:42754)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ueno@gnu.org>)
	id 1VRGfJ-0005fr-Vt
	for emacs-devel@gnu.org; Wed, 02 Oct 2013 03:16:10 -0400
Original-Received: from du-a.org ([2001:e41:db5e:fb14::1]:37566 helo=debian)
	by fencepost.gnu.org with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <ueno@gnu.org>) id 1VRGfJ-0001Xu-AR
	for emacs-devel@gnu.org; Wed, 02 Oct 2013 03:16:09 -0400
In-Reply-To: <874n92x9em.fsf@flea.lifelogs.com> (Ted Zlatanov's message of
	"Mon, 30 Sep 2013 17:54:41 -0400")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
	(bad octet value).
X-Received-From: 2001:4830:134:3::e
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:163795
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/163795>

Ted Zlatanov <tzz@lifelogs.com> writes:

> Perhaps you can look at
> http://thread.gmane.org/gmane.emacs.devel/155400/focus=160631 and look
> at my patch there and the surrounding discussion for background.  Stefan
> participated and advised me on most of the desired features.
>
> DU> Perhaps it might make sense to discuss with some code.  Here it is.
>
> DU> The code verifies a detached signature NAME-VERSION.tar.sig with a
> DU> trusted keyring located under ~/.emacs.d/elpa/gnupg/.  That's it.
>
> The signed/unsigned status needs to be shown in the package listing.
> Some archives are signed, some aren't.  Any file from an archive, not
> just a package tarball, should be signed (especially the package index).

Done in my latest patch.

> The management of the special gnupg keychain needs to be abstracted.
> Signatures should be generated from inside Emacs.

I've read the discussion and patches, but it's still unclear to me.
Your latest(?) patch (package-archive-signed-3.patch) has
package--create-detached-signature, but nobody calls it.  For what
purpose would you need signature generation?

Perhaps you wanted to sign locally to toggle "unsigned" status to
"signed" status?  Then why it's not sufficient to just mark the package
as "unsigned" and ask package creaters to sign and upload?

Or, perhaps you wanted to develop a user interface to upload tarballs
with signature?  Then it should be go into package-x.el instead of
package.el, I suppose.

Anyway, I'm a bit surprised that there are few researches of existing
packaging systems which already utilize GPG signature, such as Debian
and Fedora.  AFAIK, those systems do not require signing operation in
their installer UI.

> In addition I started on the EPG interaction you've finished, so you can
> probably start with my patch and fix the EPG-related pieces and any
> other issues instead of writing your own.

I'm sorry, I couldn't find anything I can reuse in your patch.  It even
succeeds signature verification when GPG reports bad signatures.  Also,
why did you choose ".gpgsig" extension rather than ".sig", which has
already been used on ftp.gnu.org for a decade?  And I think it's too
much to modify package--with-work-buffer to check signatures of all
files downloaded.

Regards,
-- 
Daiki Ueno