From: Jean Louis <bugs@gnu.support>
To: Bastien <bzg@gnu.org>
Cc: emacs-orgmode@gnu.org
Subject: Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]
Date: Thu, 5 Nov 2020 21:18:42 +0300 [thread overview]
Message-ID: <X6RCAq/XTNUg/IfJ@protected.rcdrun.com> (raw)
In-Reply-To: <87361nwwld.fsf@gnu.org>
* Bastien <bzg@gnu.org> [2020-11-05 20:19]:
> Hi Jean Louis,
>
> Jean Louis <bugs@gnu.support> writes:
>
> > GNU ELPA provides signed archive-contents. Org should provide it too,
> > isn't it?
>
> can you let us know what are the steps involved in signing
> the archive-contents file?
This I find out as I have the variable `package-check-signature'
turned on. Majority who are getting Emacs with value `allow-unsigned'
will not even see that.
Documentation:
Non-nil means to check package signatures when installing.
More specifically the value can be:
- nil: package signatures are ignored.
- `allow-unsigned': install a package even if it is unsigned, but
if it is signed, we have the key for it, and OpenGPG is
installed, verify the signature.
- t: accept a package only if it comes with at least one verified signature.
- `all': same as t, except when the package has several signatures,
in which case we verify all the signatures.
You may probably automate it. It is in the Emacs Lisp manual:
41.4 Creating and Maintaining Package Archives
==============================================
One way to increase the security of your packages is to “sign” them
using a cryptographic key. If you have generated a private/public gpg
key pair, you can use gpg to sign the package like this:
gpg -ba -o FILE.sig FILE
For a single-file package, FILE is the package Lisp file; for a
multi-file package, it is the package tar file. You can also sign the
archive’s contents file in the same way. Make the ‘.sig’ files
available in the same location as the packages. You should also make
your public key available for people to download; e.g., by uploading it
to a key server such as <https://pgp.mit.edu/>. When people install
packages from your archive, they can use your public key to verify the
signatures.
A full explanation of these matters is outside the scope of this
manual. For more information on cryptographic keys and signing, *note
GnuPG: (gnupg)Top. Emacs comes with an interface to GNU Privacy Guard,
*note EasyPG: (epa)Top.
next prev parent reply other threads:[~2020-11-05 18:38 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-05 16:59 Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)] Jean Louis
2020-11-05 17:18 ` Bastien
2020-11-05 18:18 ` Jean Louis [this message]
2020-11-05 19:58 ` Bastien
2020-11-05 21:42 ` Jean Louis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.orgmode.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=X6RCAq/XTNUg/IfJ@protected.rcdrun.com \
--to=bugs@gnu.support \
--cc=bzg@gnu.org \
--cc=emacs-orgmode@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).