emacs-orgmode@gnu.org archives
 help / color / mirror / code / Atom feed
* Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]
@ 2020-11-05 16:59 Jean Louis
  2020-11-05 17:18 ` Bastien
  0 siblings, 1 reply; 5+ messages in thread
From: Jean Louis @ 2020-11-05 16:59 UTC (permalink / raw)
  To: emacs-orgmode



Remember to cover the basics, that is, what you expected to happen and
what in fact did happen.  You don't know how to make a good report?  See

     https://orgmode.org/manual/Feedback.html#Feedback

Your bug report will be posted to the Org mailing list.
------------------------------------------------------------------------

GNU ELPA provides signed archive-contents. Org should provide it too,
isn't it?

Debugger entered--Lisp error: (error "Unsigned file ‘archive-contents’ at https://orgmod...")
  signal(error ("Unsigned file ‘archive-contents’ at https://orgmod..."))
  error("Unsigned file `%s' at %s" "archive-contents" "https://orgmode.org/elpa/")
  #f(compiled-function () #<bytecode -0x179c076344c8ecb8>)()
  package--with-response-buffer-1("https://orgmode.org/elpa/" #f(compiled-function () #<bytecode 0x1671eec2426510ec>) :file "archive-contents.sig" :async nil :error-function #f(compiled-function () #<bytecode -0x179c076344c8ecb8>) :noerror t)
  package--check-signature("https://orgmode.org/elpa/" "archive-contents" "(1 (org              . [(20201102) ( ) \"Outline-ba..." nil #f(compiled-function (&optional good-sigs) #<bytecode 0xc66829a8690c07e>) #f(compiled-function () #<bytecode 0xbed4c83879878dc>))
  #f(compiled-function () #<bytecode 0x17d5f87be455bb14>)()
  package--with-response-buffer-1("https://orgmode.org/elpa/" #f(compiled-function () #<bytecode 0x17d5f87be455bb14>) :file "archive-contents" :async nil :error-function #f(compiled-function () #<bytecode 0xbed4c83879878dc>) :noerror nil)
  package--download-one-archive(("org" . "https://orgmode.org/elpa/") "archive-contents" nil)
  package--download-and-read-archives(nil)
  package-refresh-contents()
  funcall-interactively(package-refresh-contents)
  call-interactively(package-refresh-contents record nil)
  command-execute(package-refresh-contents record)
  execute-extended-command(nil "package-refresh-contents" nil)
  funcall-interactively(execute-extended-command nil "package-refresh-contents" nil)
  call-interactively(execute-extended-command nil nil)
  command-execute(execute-extended-command)


Emacs  : GNU Emacs 28.0.50 (build 25, x86_64-pc-linux-gnu, X toolkit, cairo version 1.14.8, Xaw3d scroll bars)
 of 2020-11-01
Package: Org mode version 9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)

-- 
Thanks,
Jean Louis
⎔ λ 🄯 𝍄 𝌡 𝌚


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]
  2020-11-05 16:59 Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)] Jean Louis
@ 2020-11-05 17:18 ` Bastien
  2020-11-05 18:18   ` Jean Louis
  0 siblings, 1 reply; 5+ messages in thread
From: Bastien @ 2020-11-05 17:18 UTC (permalink / raw)
  To: Jean Louis; +Cc: emacs-orgmode

Hi Jean Louis,

Jean Louis <bugs@gnu.support> writes:

> GNU ELPA provides signed archive-contents. Org should provide it too,
> isn't it?

can you let us know what are the steps involved in signing
the archive-contents file?

Thanks,

-- 
 Bastien


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]
  2020-11-05 17:18 ` Bastien
@ 2020-11-05 18:18   ` Jean Louis
  2020-11-05 19:58     ` Bastien
  0 siblings, 1 reply; 5+ messages in thread
From: Jean Louis @ 2020-11-05 18:18 UTC (permalink / raw)
  To: Bastien; +Cc: emacs-orgmode

* Bastien <bzg@gnu.org> [2020-11-05 20:19]:
> Hi Jean Louis,
> 
> Jean Louis <bugs@gnu.support> writes:
> 
> > GNU ELPA provides signed archive-contents. Org should provide it too,
> > isn't it?
> 
> can you let us know what are the steps involved in signing
> the archive-contents file?

This I find out as I have the variable `package-check-signature'
turned on. Majority who are getting Emacs with value `allow-unsigned'
will not even see that.

Documentation:
Non-nil means to check package signatures when installing.
More specifically the value can be:
- nil: package signatures are ignored.
- `allow-unsigned': install a package even if it is unsigned, but
  if it is signed, we have the key for it, and OpenGPG is
  installed, verify the signature.
- t: accept a package only if it comes with at least one verified signature.
- `all': same as t, except when the package has several signatures,
  in which case we verify all the signatures.


You may probably automate it. It is in the Emacs Lisp manual:

41.4 Creating and Maintaining Package Archives
==============================================

   One way to increase the security of your packages is to “sign” them
using a cryptographic key.  If you have generated a private/public gpg
key pair, you can use gpg to sign the package like this:

     gpg -ba -o FILE.sig FILE

For a single-file package, FILE is the package Lisp file; for a
multi-file package, it is the package tar file.  You can also sign the
archive’s contents file in the same way.  Make the ‘.sig’ files
available in the same location as the packages.  You should also make
your public key available for people to download; e.g., by uploading it
to a key server such as <https://pgp.mit.edu/>.  When people install
packages from your archive, they can use your public key to verify the
signatures.

   A full explanation of these matters is outside the scope of this
manual.  For more information on cryptographic keys and signing, *note
GnuPG: (gnupg)Top.  Emacs comes with an interface to GNU Privacy Guard,
*note EasyPG: (epa)Top.



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]
  2020-11-05 18:18   ` Jean Louis
@ 2020-11-05 19:58     ` Bastien
  2020-11-05 21:42       ` Jean Louis
  0 siblings, 1 reply; 5+ messages in thread
From: Bastien @ 2020-11-05 19:58 UTC (permalink / raw)
  To: Jean Louis; +Cc: emacs-orgmode

Thanks a lot, that's very useful.

Something I'm not sure: shall we sign only the "archive-contents" file
or both "archive-contents" and "org-YYYYMMDD.tar"?

For the public key of Org ELPA, where would you expect to download it
from? https://orgmode.org/elpa/key.asc or https://pgp.mit.edu or both?

-- 
 Bastien


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]
  2020-11-05 19:58     ` Bastien
@ 2020-11-05 21:42       ` Jean Louis
  0 siblings, 0 replies; 5+ messages in thread
From: Jean Louis @ 2020-11-05 21:42 UTC (permalink / raw)
  To: Bastien; +Cc: emacs-orgmode

* Bastien <bzg@gnu.org> [2020-11-05 22:59]:
> Thanks a lot, that's very useful.
> 
> Something I'm not sure: shall we sign only the "archive-contents" file
> or both "archive-contents" and "org-YYYYMMDD.tar"?
> 
> For the public key of Org ELPA, where would you expect to download it
> from? https://orgmode.org/elpa/key.asc or https://pgp.mit.edu or both?

Also packages shall be signed. So it is in GNU ELPA.

As Org mode is part of Emacs, and you as maintainer signing it, I
would personally expect it to be in ~/.emacs.d/elpa/gnupg where there
is other key from GNU ELPA. But what is best you maybe coordinate with
GNU ELPA maintainers. I think your key should be there in central GNU
ELPA and with that key it should be possible to verify orgmode.org
ELPA as well.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-11-06  9:09 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-05 16:59 Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)] Jean Louis
2020-11-05 17:18 ` Bastien
2020-11-05 18:18   ` Jean Louis
2020-11-05 19:58     ` Bastien
2020-11-05 21:42       ` Jean Louis

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).