* Missing public key when checking signature of my emacs lisp package
@ 2016-10-22 21:38 Дронов Евгений
2016-10-24 0:23 ` Stefan Monnier
0 siblings, 1 reply; 4+ messages in thread
From: Дронов Евгений @ 2016-10-22 21:38 UTC (permalink / raw)
To: help-gnu-emacs
Greetings to GNU Emacs support! I'm making emacs-lisp package (library) and i want it to be uploaded to emacs default package-archive http://elpa.gnu.org soon.
But before doing so i've decided to upload it to my local package-archive (directory on my computer) and check the experience that any person can get trying to install my package.
Unfortunately, when i try to install it from my local package-archive i get the message:
Failed to verify signature MyPackageName.tar.sig:
No public key for key-id created at 2016-10-22T23:42:29+0300 using RSA
I don't understand why it doesn't find public key. I've created my key-pair using "gpg gen-key" command. Signed my package .tar file with command "gpg -ba -o MyPackageName.tar.sig MyPackageName.tar". Copied output of command "gpg --export -a key-id" to clipboard. Pasted it in 'Submit a key' form in http://pgp.mit.edu/ and submitted - so my public key should be available for everyone right now. But signature - checking at the installation of my package fails. I don't understand , why?
Maybe my whole signing sequence is wrong, i don't know. Emacs-lisp packaging documentation doesn't say much about this. Emacs EasyPG Assistant also doesn't help because its basic signing commands give me .gpg-file signatures but it seems that
emacs package installator can only read .sig-file signatures.
What am i doing wrong? Please help me!
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Missing public key when checking signature of my emacs lisp package
2016-10-22 21:38 Дронов Евгений
@ 2016-10-24 0:23 ` Stefan Monnier
0 siblings, 0 replies; 4+ messages in thread
From: Stefan Monnier @ 2016-10-24 0:23 UTC (permalink / raw)
To: help-gnu-emacs
> What am i doing wrong? Please help me!
Nothing, really. But Emacs doesn't just check that the signature is
valid: it checks that the code is signed by a trusted authority.
IOW it only accepts signatures from the keys listed in its own keyring,
i.e. those in ~/.emacs.d/elpa/gnupg/pubring.gpg (which is initialized
from e.g. /usr/share/emacs/24.5/etc/package-keyring.gpg).
So you need to manually add your key to that keyring.
Stefan
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Missing public key when checking signature of my emacs lisp package
@ 2016-10-24 3:17 Дронов Евгений
2016-10-26 14:09 ` Stefan Monnier
0 siblings, 1 reply; 4+ messages in thread
From: Дронов Евгений @ 2016-10-24 3:17 UTC (permalink / raw)
To: help-gnu-emacs
> it only accepts signatures from the keys listed in its own keyring,
i.e. those in
> ~/.emacs.d/elpa/gnupg/pubring.gpg (which is initialized from e.g.
/usr/share/emacs/
> 24.5/etc/package-keyring.gpg). So you need to manually add your key
to that keyring.
Ah-huh... Can i assume that i don't even need to sign my package if i'm
going to upload it to emacs default package-archive
http://elpa.gnu.org. Will it be signed with some sort of
"Free Software Foundation private key" automatically? And that "Free
Software Foundation private key" has its public counterpart exactly in
emacs internal package-keyring.gpg? I think so, since emacs regular
command for uploading packages "package-upload-file" doesn't even
accept any .sig or .gpg files, just .el or .tar files instead. Am i
right?
Eugene Dronov
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Missing public key when checking signature of my emacs lisp package
2016-10-24 3:17 Missing public key when checking signature of my emacs lisp package Дронов Евгений
@ 2016-10-26 14:09 ` Stefan Monnier
0 siblings, 0 replies; 4+ messages in thread
From: Stefan Monnier @ 2016-10-26 14:09 UTC (permalink / raw)
To: help-gnu-emacs
> Ah-huh... Can i assume that i don't even need to sign my package if i'm
> going to upload it to emacs default package-archive
> http://elpa.gnu.org.
GNU ELPA doesn't work by uploading packages: it's not just
a distribution site. Instead, you push your code to elpa.git and the
GNU ELPA packages are then built from that by a set of scripts.
So there's no occasion for you to sign your packages.
> Will it be signed with some sort of "Free Software Foundation
> private key" automatically?
Exactly, tho I called it the "GNU ELPA Signing Agent" since the FSF
doesn't really have anything to do with it (they provide "hosting
and philosophical guidance", of course).
> And that "Free Software Foundation private key" has its public
> counterpart exactly in emacs internal package-keyring.gpg?
That's right.
Stefan
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-10-26 14:09 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-24 3:17 Missing public key when checking signature of my emacs lisp package Дронов Евгений
2016-10-26 14:09 ` Stefan Monnier
-- strict thread matches above, loose matches on Subject: below --
2016-10-22 21:38 Дронов Евгений
2016-10-24 0:23 ` Stefan Monnier
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.