* Missing public key when checking signature of my emacs lisp package
@ 2016-10-22 21:38 Дронов Евгений
2016-10-24 0:23 ` Stefan Monnier
0 siblings, 1 reply; 4+ messages in thread
From: Дронов Евгений @ 2016-10-22 21:38 UTC (permalink / raw)
To: help-gnu-emacs
Greetings to GNU Emacs support! I'm making an emacs-lisp package (library) and I want it to be uploaded to the Emacs default package-archive http://elpa.gnu.org soon.
But before doing so I've decided to upload it to my local package-archive (a directory on my computer) and check the experience that any person can get trying to install my package.
Unfortunately, when I try to install it from my local package-archive I get the message:
Failed to verify signature MyPackageName.tar.sig:
No public key for key-id created at 2016-10-22T23:42:29+0300 using RSA
I don't understand why it doesn't find the public key. I've created my key-pair using the "gpg gen-key" command. Signed my package .tar file with the command "gpg -ba -o MyPackageName.tar.sig MyPackageName.tar". Copied the output of the command "gpg --export -a key-id" to the clipboard. Pasted it in the 'Submit a key' form at http://pgp.mit.edu/ and submitted it, so my public key should be available for everyone right now. But signature checking at the installation of my package fails. I don't understand why.
Maybe my whole signing sequence is wrong, I don't know. The Emacs-lisp packaging documentation doesn't say much about this. Emacs EasyPG Assistant also doesn't help because its basic signing commands give me .gpg-file signatures, but it seems that the Emacs package installer can only read .sig-file signatures.
What am I doing wrong? Please help me!
* Re: Missing public key when checking signature of my emacs lisp package
2016-10-22 21:38 Missing public key when checking signature of my emacs lisp package Дронов Евгений
@ 2016-10-24 0:23 ` Stefan Monnier
0 siblings, 0 replies; 4+ messages in thread
From: Stefan Monnier @ 2016-10-24 0:23 UTC (permalink / raw)
To: help-gnu-emacs
> What am I doing wrong? Please help me!
Nothing, really. But Emacs doesn't just check that the signature is
valid: it checks that the code is signed by a trusted authority.
IOW it only accepts signatures from the keys listed in its own keyring,
i.e. those in ~/.emacs.d/elpa/gnupg/pubring.gpg (which is initialized
from e.g. /usr/share/emacs/24.5/etc/package-keyring.gpg).
So you need to manually add your key to that keyring.
Stefan
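The trust check described in this reply, reproduced with plain gpg as an added example (not code from the thread or from Emacs): two throwaway GnuPG home directories stand in for the packager's keyring and for Emacs's package keyring. The key identity, the payload and the `mykey.asc` file name are constructed for the demo.

```shell
# Constructed demo: "author" stands in for the packager's ~/.gnupg,
# "verifier" for Emacs's package keyring directory
# (~/.emacs.d/elpa/gnupg in the thread). Everything lives in a temp dir.
demo_keyring_trust() (
    work=$(mktemp -d) || exit 2
    author="$work/author"; verifier="$work/verifier"
    mkdir -m 700 "$author" "$verifier" || exit 2
    tarball="$work/MyPackageName.tar"
    printf 'constructed package payload\n' > "$tarball"

    # Throwaway passphrase-less RSA signing key (constructed identity).
    gpg --homedir "$author" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Demo Packager <demo@example.invalid>' rsa2048 sign never \
        2>/dev/null || exit 2

    # Detached, armored signature, as in the original post.
    gpg --homedir "$author" --batch --quiet \
        -ba -o "$tarball.sig" "$tarball" 2>/dev/null || exit 2

    # 1. The verifier's keyring lacks the key: gpg reports "No public key"
    #    even though the signature itself is valid.
    if gpg --homedir "$verifier" --batch --verify \
        "$tarball.sig" "$tarball" 2>/dev/null
    then before=ok; else before=fail; fi

    # 2. Add the public key to the verifier's keyring. On a real setup
    #    (mykey.asc is a hypothetical export of your public key):
    #    gpg --homedir ~/.emacs.d/elpa/gnupg --import mykey.asc
    gpg --homedir "$author" --batch --export -a |
        gpg --homedir "$verifier" --batch --quiet --import 2>/dev/null || exit 2

    # 3. Same file, same signature: now it verifies.
    if gpg --homedir "$verifier" --batch --verify \
        "$tarball.sig" "$tarball" 2>/dev/null
    then after=ok; else after=fail; fi

    gpgconf --homedir "$author" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    echo "before=$before after=$after"
)

demo_keyring_trust
```

Inside Emacs, `M-x package-import-keyring` imports a key file into the same package keyring.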
* Re: Missing public key when checking signature of my emacs lisp package
@ 2016-10-24 3:17 Дронов Евгений
2016-10-26 14:09 ` Stefan Monnier
0 siblings, 1 reply; 4+ messages in thread
From: Дронов Евгений @ 2016-10-24 3:17 UTC (permalink / raw)
To: help-gnu-emacs
> it only accepts signatures from the keys listed in its own keyring,
> i.e. those in ~/.emacs.d/elpa/gnupg/pubring.gpg (which is initialized
> from e.g. /usr/share/emacs/24.5/etc/package-keyring.gpg).
> So you need to manually add your key to that keyring.
Ah-huh... Can I assume that I don't even need to sign my package if I'm
going to upload it to the Emacs default package-archive
http://elpa.gnu.org? Will it be signed with some sort of
"Free Software Foundation private key" automatically? And that "Free
Software Foundation private key" has its public counterpart exactly in
the Emacs internal package-keyring.gpg? I think so, since the regular Emacs
command for uploading packages, "package-upload-file", doesn't even
accept any .sig or .gpg files, just .el or .tar files instead. Am I
right?
Eugene Dronov
* Re: Missing public key when checking signature of my emacs lisp package
2016-10-24 3:17 Дронов Евгений
@ 2016-10-26 14:09 ` Stefan Monnier
0 siblings, 0 replies; 4+ messages in thread
From: Stefan Monnier @ 2016-10-26 14:09 UTC (permalink / raw)
To: help-gnu-emacs
> Ah-huh... Can I assume that I don't even need to sign my package if I'm
> going to upload it to emacs default package-archive
> http://elpa.gnu.org.
GNU ELPA doesn't work by uploading packages: it's not just
a distribution site. Instead, you push your code to elpa.git and the
GNU ELPA packages are then built from that by a set of scripts.
So there's no occasion for you to sign your packages.
> Will it be signed with some sort of "Free Software Foundation
> private key" automatically?
Exactly, tho I called it the "GNU ELPA Signing Agent" since the FSF
doesn't really have anything to do with it (they provide "hosting
and philosophical guidance", of course).
> And that "Free Software Foundation private key" has its public
> counterpart exactly in emacs internal package-keyring.gpg?
That's right.
Stefan