all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Urgent matter with GNU ELPA keys
@ 2019-02-11 14:17 Stefan Monnier
  2019-02-11 15:27 ` Andreas Schwab
  2019-02-11 22:19 ` Phillip Lord
  0 siblings, 2 replies; 4+ messages in thread
From: Stefan Monnier @ 2019-02-11 14:17 UTC (permalink / raw)
  To: emacs-devel

I just saw that the GNU ELPA signing key that we distribute with Emacs
(stored in etc/package-keyring.gpg) will expire in September.

It's easy to change elpa.gnu.org to sign with a new key, but the hard
part that we need to take care of ASAP is to figure out how we're going
to let users of already-distributed Emacsen access GNU ELPA when that
new key is used.

My GPG-fu is rather weak, so I need help,


        Stefan




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Urgent matter with GNU ELPA keys
  2019-02-11 14:17 Urgent matter with GNU ELPA keys Stefan Monnier
@ 2019-02-11 15:27 ` Andreas Schwab
  2019-02-11 15:52   ` Amin Bandali
  2019-02-11 22:19 ` Phillip Lord
  1 sibling, 1 reply; 4+ messages in thread
From: Andreas Schwab @ 2019-02-11 15:27 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

On Feb 11 2019, Stefan Monnier <monnier@iro.umontreal.ca> wrote:

> I just saw that the GNU ELPA signing key that we distribute with Emacs
> (stored in etc/package-keyring.gpg) will expire in September.
>
> It's easy to change elpa.gnu.org to sign with a new key, but the hard
> part that we need to take care of ASAP is to figure out how we're going
> to let users of already-distributed Emacsen access GNU ELPA when that
> new key is used.
>
> My GPG-fu is rather weak, so I need help,

You can edit a key to extend its expiration date (if you have the secret
key, of course).

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Urgent matter with GNU ELPA keys
  2019-02-11 15:27 ` Andreas Schwab
@ 2019-02-11 15:52   ` Amin Bandali
  0 siblings, 0 replies; 4+ messages in thread
From: Amin Bandali @ 2019-02-11 15:52 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: Stefan Monnier, emacs-devel


On 2019-02-11  4:27 PM, Andreas Schwab wrote:

[...]

> You can edit a key to extend its expiration date (if you have the secret
> key, of course).
>

Indeed.  One would do `gpg --edit-key <keyid>', then use `expire' to set
the expiry of the main key.  If there are any subkeys (which I don’t
think is the case here, but anyway), one can toggle their selection
using the `key <number>' command where <number> is the 1-based index of
the order in which the subkey appears.

If I understand correctly, package.el imports the key(s) from the
etc/package-keyring.gpg file shipped with Emacs as you mentioned.  So
the first step would indeed be updating that file to ship the key with
the extended expiry date for future releases.  As for users of current
versions, however, I’m not sure what would be the best way to proceed.
For users of current versions, at some point they would have to re-fetch
the key to have its expiry date updated.  We could instruct them to do
so by invoking gpg with the right options (for settings the correct gpg
home directory and the right keyring), but I’m guessing that would
require root access in most cases (since the shipped keyring file would
likely have been installed by a system package manager in a location
that cannot be written to by regular users)?

For future versions, though, I wonder if it’d be a good idea to add a
function in package.el to aid with re-fetching the key.  Though even
then we’d still have to think about the root access requirement issue
for updating the shipped keyring.



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Urgent matter with GNU ELPA keys
  2019-02-11 14:17 Urgent matter with GNU ELPA keys Stefan Monnier
  2019-02-11 15:27 ` Andreas Schwab
@ 2019-02-11 22:19 ` Phillip Lord
  1 sibling, 0 replies; 4+ messages in thread
From: Phillip Lord @ 2019-02-11 22:19 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier <monnier@iro.umontreal.ca> writes:

> I just saw that the GNU ELPA signing key that we distribute with Emacs
> (stored in etc/package-keyring.gpg) will expire in September.
>
> It's easy to change elpa.gnu.org to sign with a new key, but the hard
> part that we need to take care of ASAP is to figure out how we're going
> to let users of already-distributed Emacsen access GNU ELPA when that
> new key is used.
>
> My GPG-fu is rather weak, so I need help,


Write a package called "package-keys.el" which includes the new
key. Sign it with the existing key distributed with Emacs.

Of course, this will have what you might call a reverse bootstrap
problem -- users will need to install package-keys.el before they key
runs out, but they won't know that they need to do this till the key
runs out. After this, Emacs will refuse to install the package that it
needs to allow the installation. Only solution I can see here would be
to put some code that people can eval in *scratch* that bypasses the key
signing thing.

Long term solution would be an auto-updating and installing version of
package-keys.el and maybe package.el. This would have practical problems
(because ELPA doesn't support multiple versions of packages). I expect
Richard would object also.

Phil



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-02-11 22:19 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-11 14:17 Urgent matter with GNU ELPA keys Stefan Monnier
2019-02-11 15:27 ` Andreas Schwab
2019-02-11 15:52   ` Amin Bandali
2019-02-11 22:19 ` Phillip Lord

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.