On Tue, 14 May 2019 at 09:10, Noam Postavsky <npostavs@gmail.com> wrote:

> Eli Zaretskii <eliz@gnu.org> writes:
>
> > and we don't even know whether emacs-26 will be
> > used for another "regular" release.
>
> So, I'm thinking we should be aiming for another "regular" release
> around September, when the GNU ELPA package signing key expires.  After
> that, people downloading Emacs 26.2 won't be able to install GNU ELPA
> packages without either disabling signature checking, or manually
> installing the new key.
>
> https://debbugs.gnu.org/35414
> https://elpa.gnu.org/packages/gnu-elpa-keyring-update.html


The signature checking has never worked anyway, though. Will having a newer
signature make a difference? If I rename my .emacs.d/ and run "emacs"
(master),
then "M-x package-list", I get this:

Failed to verify signature archive-contents.sig:
Bad signature from 474F05837FBDEF9B GNU ELPA Signing Agent (2014) <
elpasign@elpa.gnu.org>
Command output:
gpg: Signature made 05/14/19 10:10:03 GMT Summer Time
gpg:                using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
gpg: BAD signature from "GNU ELPA Signing Agent (2014) <
elpasign@elpa.gnu.org>" [unknown]

This is on Windows, with gpg 2.2.11 on the path.