From: Brandon Invergo
Newsgroups: gmane.emacs.bugs
Subject: bug#35414: 26.2; ELPA packages signed with second, unknown key
Date: Wed, 24 Apr 2019 13:56:00 +0100
Message-ID: <87mukfsgtb.fsf@invergo.net>
User-Agent: mu4e 1.2.0; emacs 26.2
To: 35414@debbugs.gnu.org

Hello,

I enabled package.el's signature-checking feature last night (variable
package-check-signature; Emacs 26.2). I have imported the keyring at
etc/package-keyring.gpg, which contains one key:

    pub dsa2048 2014-09-24 [SC] [expires: 2019-09-23]
        CA442C00F91774F17F59D9B0474F05837FBDEF9B
    uid [ unknown] GNU ELPA Signing Agent

GNU ELPA is the only repository that has been enabled
(https://elpa.gnu.org/packages).

When I execute package-refresh-contents or when I try to install a
package from ELPA, it fails with the following error:

    Failed to verify signature archive-contents.sig:
    No public key for 066DAFCB81E42C40 created at 2019-04-24T10:15:06+0100 using RSA
    Good signature from 474F05837FBDEF9B GNU ELPA Signing Agent (trust undefined) created at 2019-04-24T10:15:06+0100 using DSA
    Command output:
    gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
    gpg: using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
    gpg: Good signature from "GNU ELPA Signing Agent " [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: CA44 2C00 F917 74F1 7F59 D9B0 474F 0583 7FBD EF9B
    gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
    gpg: using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
    gpg: Can't check signature: No public key

So, the signature by GNU ELPA Signing Agent (the key in
etc/package-keyring.gpg) is fine. However, there is a second key
involved, for which the public key 066DAFCB81E42C40 is unavailable from
any public keyserver that I have tried. Needless to say, it's not
available in etc/package-keyring.gpg either. Since I do not have the
public key, the signature verification fails.

Just to be sure, I've also done it on a fresh installation-from-source
with an init.el that is empty apart from setting up package.el. Same
results.

I have tried this from outside Emacs, by doing, for example:

    wget https://elpa.gnu.org/packages/delight-1.5.el{,.sig}
    gpg2 --verify delight-1.5.el.sig

This, of course, gives the same result as doing it from within Emacs. I
mention it here to demonstrate that the problem is not in Emacs, from
what I can tell, but it is strictly due to this second, unknown key
signature.

For the extra paranoid, I've tried this on three different systems
residing on three different networks in two different countries.

I'm pretty sure the problem is on the ELPA server and is a result of the
standard signing process. However, we can't 100% rule out user
incompetence yet (my own, that is), so I am open to suggestions of what
else I might try to pin down the source of the problem.

Is the public key 066DAFCB81E42C40 available anywhere? Or have I set up
something else incorrectly in the verification process? Or is this
second signature there erroneously?

Thanks!

-- 
-brandon
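
The situation reported above (one detached .sig file carrying two signatures, one from the pinned keyring key and one from a key the verifier does not have) can be told apart per signature by reading GnuPG's machine-readable status lines, for example from "gpg2 --status-fd 1 --verify delight-1.5.el.sig", instead of the overall exit code. The following is an added example, not part of the original message and not Emacs or ELPA code; parse_signatures, accept, PINNED and SAMPLE_STATUS are hypothetical names, and the status lines are constructed from the fingerprints quoted in the report.

```python
# Added example: classify each signature reported on gpg's --status-fd stream.
PREFIX = "[GNUPG:] "
# Fingerprint of the key in etc/package-keyring.gpg, as quoted in the report.
PINNED = {"CA442C00F91774F17F59D9B0474F05837FBDEF9B"}

# Constructed status lines for the two-signature case in the report
# (timestamps and algorithm numbers are illustrative, not captured output).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 474F05837FBDEF9B GNU ELPA Signing Agent
[GNUPG:] VALIDSIG CA442C00F91774F17F59D9B0474F05837FBDEF9B 2019-04-24 1556097306 0 4 0 17 8 00 CA442C00F91774F17F59D9B0474F05837FBDEF9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 066DAFCB81E42C40 1 8 00 1556097306 9 C433554766D3DDC64221BFAA066DAFCB81E42C40
[GNUPG:] NO_PUBKEY 066DAFCB81E42C40
"""

# Status keyword that opens a signature record -> state assigned to it.
STATES = {"GOODSIG": "good", "BADSIG": "bad", "EXPSIG": "expired",
          "EXPKEYSIG": "expired-key", "REVKEYSIG": "revoked-key"}

def parse_signatures(status_text):
    """Return one dict per signature: {'state', 'keyid', 'fpr'}."""
    sigs = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        keyword, *args = line[len(PREFIX):].split() or [""]
        if keyword in STATES and args:
            sigs.append({"state": STATES[keyword], "keyid": args[0], "fpr": None})
        elif keyword == "ERRSIG" and len(args) >= 6:
            # rc 9 means the public key is missing; other codes are other errors.
            state = "missing-key" if args[5] == "9" else "error"
            sigs.append({"state": state, "keyid": args[0], "fpr": None})
        elif keyword == "VALIDSIG" and sigs and args:
            # Prefer the primary-key fingerprint (10th field) when gpg reports it.
            sigs[-1]["fpr"] = args[9] if len(args) > 9 else args[0]
    return sigs

def accept(sigs, pinned=PINNED, require_all=False):
    """Policy: never accept a bad signature; otherwise one good signature
    from a pinned key suffices, unless require_all demands that every
    signature is good and pinned."""
    if not sigs or any(s["state"] == "bad" for s in sigs):
        return False
    ok = [s for s in sigs if s["state"] == "good" and s["fpr"] in pinned]
    return len(ok) == len(sigs) if require_all else bool(ok)
```

On the constructed input the first signature is classified as good and pinned and the second as missing-key, so the lenient policy accepts the file while require_all=True rejects it, which matches the failure described in the report.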