On Tue, 08 Jan 2013 15:59:33 -0500 Stefan Monnier wrote:

>>> Actually, I see a problem with this scheme, now that we also keep around
>>> older versions of the packages. So maybe it's better to keep the
>>> signatures in a separate file, next to the signed file (e.g. have foo.tar
>>> and foo.tar.gpgsig).

>> Then maybe the file listed in the package vector should be the *.gpgsig
>> one, since otherwise it becomes easy to bypass the check by filtering
>> out any traces of the signature file.

SM> Right, we'd need to indicate somewhere that the sig should be
SM> present, indeed.

SM> A simple way to do that is to tell package.el directly, e.g. via
SM> `package-archives' or just by declaring that all ELPA archives should
SM> always have such signatures (they're pretty easy to add, so I'd expect
SM> marmalade and melpa to adjust pretty quickly).

Please see the attached patch. The code is not ready for testing; it's just for review before I implement things further.

Changes:

* add `package-signed-archives', a list of logical archive names with default '("gnu"). Add `package-archive-signed-p' to check it.

* change `package--with-work-buffer' to take an archive entry instead of just the location. When an archive is `package-archive-signed-p', create a signing buffer and load the archive filename with ".gpgsig" appended. Then call `package--verify-signature' on the package buffer and the signing buffer. If it fails, do `y-or-n-p', and if the user rejects, error out.

* `package--verify-signature' is mocked to t right now, but will check the maintainer signature.

* `package-download-single' and `package-download-tar' now pass the archive entry, not just the location, to `package--with-work-buffer'.

* rename `package-archive-base' to `package-archive-for'.

* installable packages say "signed" or "unsigned" before the archive name.

If you're OK with the code changes I'll get them working and start implementing `package--verify-signature'.

Ted
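As an added illustration of the flow described in the message above (this is example code, not the attached patch and not package.el's own implementation), the sketch below wires the "signed archive" policy onto Emacs' epg.el: for an archive listed as signed, the companion FILE.gpgsig is fetched alongside FILE, verified as a detached OpenPGP signature, and a missing or bad signature is an error unless the user explicitly accepts it via `y-or-n-p'. The `my-' prefixed names are hypothetical stand-ins for the functions the patch names; `package-archives', `url-retrieve-synchronously', `epg-make-context', `epg-verify-string', `epg-context-result-for', `epg-signature-status' and `epg-signature-key-id' are real Emacs APIs. It assumes the archive maintainer's public key is already in the user's default GnuPG keyring. Treating an absent .gpgsig exactly like a bad one is what closes the bypass Stefan raised: a mirror or on-path attacker who strips the signature file cannot downgrade the check to "unsigned, go ahead".

```elisp
;; Added example, not part of the patch under review.  Names prefixed
;; `my-' are hypothetical; epg.el and url.el calls are the real APIs.
(require 'epg)
(require 'url)

(defvar my-package-signed-archives '("gnu")
  "Logical archive names whose files must carry a detached .gpgsig.")

(defun my-package-archive-signed-p (archive)
  "Return non-nil if ARCHIVE (an entry of `package-archives') must be signed."
  (member (car archive) my-package-signed-archives))

(defun my-package-fetch (location file)
  "Return the contents of FILE under LOCATION as a string, or nil if absent.
LOCATION is an http(s) URL or a local directory, as in `package-archives'."
  (if (string-match-p "\\`https?:" location)
      (let ((buf (url-retrieve-synchronously (concat location file))))
        (when buf
          (with-current-buffer buf
            (unwind-protect
                (progn
                  (goto-char (point-min))
                  ;; Only accept a 200; a 404 body must not be treated as data.
                  (when (and (re-search-forward "^HTTP/[0-9.]+ \\([0-9]+\\)" nil t)
                             (string= (match-string 1) "200")
                             (search-forward "\n\n" nil t))
                    (buffer-substring-no-properties (point) (point-max))))
              (kill-buffer buf)))))
    (let ((path (expand-file-name file location)))
      (when (file-readable-p path)
        (with-temp-buffer
          (set-buffer-multibyte nil)
          (insert-file-contents-literally path)
          (buffer-string))))))

(defun my-package-verify-signature (contents signature)
  "Verify detached SIGNATURE over CONTENTS with epg.
Return the key ID of a good signature, or nil.  Errors from gpg (no key,
malformed signature) are reported and count as failure, never as success."
  (let ((context (epg-make-context 'OpenPGP)))
    (condition-case err
        (epg-verify-string context signature contents)
      (error (message "epg: %s" (error-message-string err))))
    (let ((good nil))
      (dolist (sig (epg-context-result-for context 'verify))
        (when (eq (epg-signature-status sig) 'good)
          (setq good (epg-signature-key-id sig))))
      good)))

(defun my-package-fetch-verified (archive file)
  "Fetch FILE from ARCHIVE, an entry of `package-archives', and return it.
For a signed archive the companion FILE.gpgsig is mandatory: a missing
signature is handled exactly like a bad one, so stripping .gpgsig files
from a mirror cannot silently downgrade the check."
  (let* ((location (cdr archive))
         (contents (my-package-fetch location file)))
    (unless contents
      (error "Could not fetch %s from %s" file (car archive)))
    (when (my-package-archive-signed-p archive)
      (let* ((sig (my-package-fetch location (concat file ".gpgsig")))
             (key (and sig (my-package-verify-signature contents sig))))
        (cond
         (key (message "%s: good signature from key %s" file key))
         ((y-or-n-p (format "%s from %s is %s.  Install anyway? "
                            file (car archive)
                            (if sig "not correctly signed" "unsigned"))))
         (t (error "Refusing to install %s from %s: %s"
                   file (car archive)
                   (if sig "bad signature" "missing .gpgsig"))))))
    contents))

;; Usage (network and keyring required):
;; (my-package-fetch-verified (assoc "gnu" package-archives) "archive-contents")
```

One design point worth keeping in mind when the real `package--verify-signature' is written: the user prompt is the only thing standing between a tampered file and installation, so the prompt text should say plainly whether the signature was absent or failed, and a non-interactive session (`noninteractive') should refuse rather than fall through.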