On Tue, 14 May 2019 at 22:08, Stefan Monnier <monnier@iro.umontreal.ca>
wrote:

> > The signature checking has never worked anyway, though.
>
> Maybe not for you, but it's supposed to work, and AFAIK it works for
> many people.
>

Oh, sorry. I always assumed this was why package-check-signatures defaulted
to allow-unsigned.


> > Will having a newer
> > signature make a difference? If I rename my .emacs.d/ and run "emacs"
> > (master),
> > then "M-x package-list", I get this:
> >
> > Failed to verify signature archive-contents.sig:
> > Bad signature from 474F05837FBDEF9B GNU ELPA Signing Agent (2014) <
> > elpasign@elpa.gnu.org>
> > Command output:
> > gpg: Signature made 05/14/19 10:10:03 GMT Summer Time
> > gpg:                using DSA key
> CA442C00F91774F17F59D9B0474F05837FBDEF9B
> > gpg: BAD signature from "GNU ELPA Signing Agent (2014) <
> > elpasign@elpa.gnu.org>" [unknown]
> >
> > This is on Windows, with gpg 2.2.11 on the path.
>
> Sounds like a bug.  Could you report it as such, so we can track it
> (and hopefully fix it for 26.3)?
>

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=35739

Thanks.