all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Missing public key when checking signature  of my emacs lisp package
@ 2016-10-22 21:38 Дронов Евгений
  2016-10-24  0:23 ` Stefan Monnier
  0 siblings, 1 reply; 4+ messages in thread
From: Дронов Евгений @ 2016-10-22 21:38 UTC (permalink / raw)
  To: help-gnu-emacs

Greetings to GNU Emacs support! I'm making emacs-lisp package (library) and i want it to be uploaded to emacs default package-archive http://elpa.gnu.org  soon.
But before doing so i've decided to upload it to my local package-archive (directory on my computer) and check the experience that any person can get trying to install my package.

Unfortunately, when i try to install it from my local package-archive i get the message:


Failed to verify signature MyPackageName.tar.sig:
No public key for key-id created at 2016-10-22T23:42:29+0300 using RSA

I don't understand why it doesn't find public key. I've created my key-pair using "gpg gen-key" command. Signed my package .tar file with command "gpg -ba -o MyPackageName.tar.sig MyPackageName.tar". Copied output of command "gpg --export -a key-id" to clipboard. Pasted it in 'Submit a key' form in http://pgp.mit.edu/ and submitted - so my public key should be available for everyone right now. But signature - checking at the installation of my package fails. I don't understand , why?

Maybe my whole signing sequence is wrong, i don't know. Emacs-lisp packaging documentation doesn't say much about this. Emacs EasyPG Assistant also doesn't help because its basic signing commands give me .gpg-file signatures but it seems that
emacs package installator can only read .sig-file signatures. 

What am i doing wrong? Please help me!



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Missing public key when checking signature of my emacs lisp package
  2016-10-22 21:38 Дронов Евгений
@ 2016-10-24  0:23 ` Stefan Monnier
  0 siblings, 0 replies; 4+ messages in thread
From: Stefan Monnier @ 2016-10-24  0:23 UTC (permalink / raw)
  To: help-gnu-emacs

> What am i doing wrong? Please help me!

Nothing, really.  But Emacs doesn't just check that the signature is
valid: it checks that the code is signed by a trusted authority.
IOW it only accepts signatures from the keys listed in its own keyring,
i.e. those in ~/.emacs.d/elpa/gnupg/pubring.gpg (which is initialized
from e.g. /usr/share/emacs/24.5/etc/package-keyring.gpg).

So you need to manually add your key to that keyring.


        Stefan




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Missing public key when checking signature of my emacs lisp package
@ 2016-10-24  3:17 Дронов Евгений
  2016-10-26 14:09 ` Stefan Monnier
  0 siblings, 1 reply; 4+ messages in thread
From: Дронов Евгений @ 2016-10-24  3:17 UTC (permalink / raw)
  To: help-gnu-emacs

   > it only accepts signatures from the keys listed in its own keyring,
   i.e. those in
   > ~/.emacs.d/elpa/gnupg/pubring.gpg (which is initialized from e.g.
   /usr/share/emacs/
   > 24.5/etc/package-keyring.gpg). So you need to manually add your key
   to that keyring.
   Ah-huh... Can i assume that i don't even need to sign my package if i'm
   going to upload it to emacs default package-archive
   http://elpa.gnu.org. Will it be signed with some sort of
   "Free Software Foundation private key" automatically? And that "Free
   Software Foundation private key" has its public counterpart exactly in
   emacs internal package-keyring.gpg? I think so, since emacs regular
   command for uploading packages "package-upload-file" doesn't even
   accept any .sig or .gpg files, just .el or .tar files instead. Am i
   right?
   Eugene Dronov


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Missing public key when checking signature of my emacs lisp package
  2016-10-24  3:17 Missing public key when checking signature of my emacs lisp package Дронов Евгений
@ 2016-10-26 14:09 ` Stefan Monnier
  0 siblings, 0 replies; 4+ messages in thread
From: Stefan Monnier @ 2016-10-26 14:09 UTC (permalink / raw)
  To: help-gnu-emacs

>    Ah-huh... Can i assume that i don't even need to sign my package if i'm
>    going to upload it to emacs default package-archive
>    http://elpa.gnu.org.

GNU ELPA doesn't work by uploading packages: it's not just
a distribution site.  Instead, you push your code to elpa.git and the
GNU ELPA packages are then built from that by a set of scripts.

So there's no occasion for you to sign your packages.

>    Will it be signed with some sort of "Free Software Foundation
>    private key" automatically?

Exactly, tho I called it the "GNU ELPA Signing Agent" since the FSF
doesn't really have anything to do with it (they provide "hosting
and philosophical guidance", of course).

>    And that "Free Software Foundation private key" has its public
>    counterpart exactly in emacs internal package-keyring.gpg?

That's right.


        Stefan




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-10-26 14:09 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-24  3:17 Missing public key when checking signature of my emacs lisp package Дронов Евгений
2016-10-26 14:09 ` Stefan Monnier
  -- strict thread matches above, loose matches on Subject: below --
2016-10-22 21:38 Дронов Евгений
2016-10-24  0:23 ` Stefan Monnier

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.