From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.devel Subject: Re: ELPA security Date: Sun, 23 Jun 2013 12:41:32 -0400 Message-ID: References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87k3rrr31g.fsf@Rainer.invalid> <874nium8h0.fsf@lifelogs.com> <87zk0ljaub.fsf@lifelogs.com> <87wqvng299.fsf@lifelogs.com> <87ip77y2s9.fsf@Rainer.invalid> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1372005701 4197 80.91.229.3 (23 Jun 2013 16:41:41 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sun, 23 Jun 2013 16:41:41 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sun Jun 23 18:41:41 2013 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1UqnMC-0004h6-7T for ged-emacs-devel@m.gmane.org; Sun, 23 Jun 2013 18:41:40 +0200 Original-Received: from localhost ([::1]:35303 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1UqnMB-000224-Q3 for ged-emacs-devel@m.gmane.org; Sun, 23 Jun 2013 12:41:39 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:38680) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1UqnM6-0001uo-Ua for emacs-devel@gnu.org; Sun, 23 Jun 2013 12:41:36 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1UqnM5-0001zz-SL for emacs-devel@gnu.org; Sun, 23 Jun 2013 12:41:34 -0400 Original-Received: from ironport2-out.teksavvy.com ([206.248.154.182]:37980) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1UqnM5-0001zp-PM for emacs-devel@gnu.org; Sun, 23 Jun 2013 12:41:33 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Av4EABK/CFFMCppA/2dsb2JhbABEvw4Xc4IeAQEEAVYoCws0EhQYDYhCBsEtjWGDKQOkeoFegxM X-IPAS-Result: Av4EABK/CFFMCppA/2dsb2JhbABEvw4Xc4IeAQEEAVYoCws0EhQYDYhCBsEtjWGDKQOkeoFegxM X-IronPort-AV: E=Sophos;i="4.84,565,1355115600"; d="scan'208";a="16990621" Original-Received: from 76-10-154-64.dsl.teksavvy.com (HELO pastel.home) ([76.10.154.64]) by ironport2-out.teksavvy.com with ESMTP/TLS/ADH-AES256-SHA; 23 Jun 2013 12:41:27 -0400 Original-Received: by pastel.home (Postfix, from userid 20848) id 41ABB6336B; Sun, 23 Jun 2013 12:41:32 -0400 (EDT) In-Reply-To: (Ted Zlatanov's message of "Sun, 23 Jun 2013 07:58:31 -0400") User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux) X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 206.248.154.182 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:160911 Archived-At: TZ> etc/elpa/ARCHIVE-NAME can contain the actual armored GPG signature but TZ> it can also have more metadata about the archive. So the format could TZ> be: TZ> url=ARCHIVE-URL TZ> other-metadata=whatever TZ> then-a-new-line=ends metadata TZ> SIGNATURE TZ> and if SIGNATURE is missing, the archive is not signed. Hmm... I'm not sure I understand the issues here. IIUC Debian uses a GPG keyring. What's the difference?Also, you talk about the signature here, whereas I think "an archive has a key, each package has a signature". > For now I'm using the old format. Archives are signed by default as > requested. I've rebased the patch against the changes to package.el. I think the list of signed/unsigned archives should be managed dynamically/automatically: if a signature is missing, ask the user if she thinks it's normal, and if so, place the archive into a list of "unsigned archives", so the question is not repeated. But every time we access the archive, we still try to get the a signature. If we do find a signature, then remove the archive from the "unsigned archives" list. > Finally, for easier testing I think we should put a fake archive with 1 > package in test/elpa/packages. Sure. > I didn't do it because Stefan mentioned Daniel Hackney's changes > included some testing code and I didn't want to confuse matters. You could install Daniel's tests before adding your own. TZ> Using EPG functions, however, I could not figure out how to verify with TZ> an external public GPG key. I don't see that option with any of the TZ> context functions. Perhaps someone knows? Without that option, the TZ> user has to explicitly load the maintainer's public GPG key, which is TZ> very impractical around package.el. > I need to know the above to make the patch usable, so I won't commit for > now. I don't understand the question, sadly. > Also the signature has to be named .gpgsig because the extension .gpg > (the default) makes EPA/EPG attempt to decrypt it. ".gpgsig" is fine, as is ".sig". Are you talking about the packages's signatures, or about some ~/.emacs.d/elpa/archive/key.gpgsig? Stefan