From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 5 Nov 2020 21:18:42 +0300
From: Jean Louis
To: Bastien
Subject: Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]
Message-ID:
References: <87361nwwld.fsf@gnu.org>
List-Id: "General discussions about Org-mode." <emacs-orgmode@gnu.org>
In-Reply-To: <87361nwwld.fsf@gnu.org>
Cc: emacs-orgmode@gnu.org

* Bastien [2020-11-05 20:19]:
> Hi Jean Louis,
>
> Jean Louis writes:
>
> > GNU ELPA provides signed archive-contents. Org should provide it too,
> > isn't it?
>
> Can you let us know what steps are involved in signing
> the archive-contents file?

This I found out because I have the variable `package-check-signature'
turned on. The majority, who get Emacs with the value `allow-unsigned',
will not even see that.

Documentation:

Non-nil means to check package signatures when installing.
More specifically the value can be:
- nil: package signatures are ignored.
- `allow-unsigned': install a package even if it is unsigned, but
  if it is signed, we have the key for it, and OpenGPG is installed,
  verify the signature.
- t: accept a package only if it comes with at least one verified signature.
- `all': same as t, except when the package has several signatures,
  in which case we verify all the signatures.

You may probably automate it. It is in the Emacs Lisp manual:

41.4 Creating and Maintaining Package Archives
==============================================

One way to increase the security of your packages is to "sign" them
using a cryptographic key. If you have generated a private/public gpg
key pair, you can use gpg to sign the package like this:

     gpg -ba -o FILE.sig FILE

For a single-file package, FILE is the package Lisp file; for a
multi-file package, it is the package tar file. You can also sign the
archive's contents file in the same way. Make the '.sig' files
available in the same location as the packages. You should also make
your public key available for people to download; e.g., by uploading
it to a key server such as .

When people install packages from your archive, they can use your
public key to verify the signatures.

A full explanation of these matters is outside the scope of this
manual. For more information on cryptographic keys and signing, *note
GnuPG: (gnupg)Top. Emacs comes with an interface to GNU Privacy Guard,
*note EasyPG: (epa)Top.
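The signing step the manual describes, carried through for a whole archive directory, as an added example (this is not Org's or GNU ELPA's own release tooling, and it is not part of the message above). It uses the manual's own command, `gpg -ba -o FILE.sig FILE`, for archive-contents and every package file, then verifies the result the way a client with `package-check-signature' set to `t' would effectively demand. The function names, the throwaway key created with `gpg --quick-gen-key` under a temporary GNUPGHOME, the `signer@example.invalid` user id and the toy `demo` package are all assumptions made for the demo.

```shell
#!/bin/sh
# Maintainer-side signing and verification of an ELPA-style archive using the
# command from the Emacs Lisp manual (gpg -ba -o FILE.sig FILE).
# Added example for this thread; not Org's or GNU ELPA's own tooling.
set -e

# Print every archive file that has no detached .sig beside it:
# archive-contents, single-file packages (*.el) and multi-file packages (*.tar).
# Usage: unsigned_files ARCHIVE_DIR
unsigned_files() {
    dir=$1
    for f in "$dir"/archive-contents "$dir"/*.el "$dir"/*.tar; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Sign every unsigned file with KEYID, writing FILE.sig next to FILE.
# -b: detached signature, -a: ASCII armor, exactly as the manual shows.
# Usage: sign_archive ARCHIVE_DIR KEYID
sign_archive() {
    dir=$1 key=$2
    unsigned_files "$dir" | while IFS= read -r f; do
        gpg --batch --yes --local-user "$key" -ba -o "$f.sig" "$f" </dev/null
    done
}

# Verify every .sig against its file and refuse an archive that still has
# unsigned files. With package-check-signature set to t a client rejects
# such an archive; with the default `allow-unsigned' a missing
# archive-contents.sig is accepted silently, which is the point of the thread.
# Usage: verify_archive ARCHIVE_DIR   (returns 0 only if everything checks out)
verify_archive() {
    dir=$1 status=0
    for sig in "$dir"/*.sig; do
        [ -f "$sig" ] || continue
        if ! gpg --batch --verify "$sig" "${sig%.sig}" >/dev/null 2>&1; then
            echo "BAD signature: $sig" >&2; status=1
        fi
    done
    unsigned_files "$dir" | while IFS= read -r f; do echo "UNSIGNED: $f" >&2; done
    [ -z "$(unsigned_files "$dir")" ] || status=1
    return $status
}

# Create a throwaway signing key in GNUPGHOME_DIR and print its fingerprint.
# Assumption for the demo only: a real archive key should be long-lived,
# kept on a machine you control, and its public part published.
# Usage: make_signing_key GNUPGHOME_DIR
make_signing_key() {
    GNUPGHOME=$1; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Archive Signer <signer@example.invalid>' default sign never \
        >/dev/null 2>&1
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Constructed toy archive (sample data, not a real package archive): one
# single-file package plus the archive-contents index that lists it.
# Usage: dir=$(make_toy_archive)
make_toy_archive() {
    dir=$(mktemp -d)
    cat >"$dir/archive-contents" <<'EOF'
(1
 (demo . [(0 1) nil "Constructed demo package" single]))
EOF
    printf ';;; demo.el --- constructed demo package\n(provide (quote demo))\n' >"$dir/demo-0.1.el"
    printf '%s\n' "$dir"
}

# Demo run: sh sign-archive.sh demo   (assumes gpg 2.1 or later is installed)
if [ "${1:-}" = demo ]; then
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    key=$(make_signing_key "$GNUPGHOME")
    archive=$(make_toy_archive)
    echo "Before signing:"; unsigned_files "$archive"
    sign_archive "$archive" "$key"
    verify_archive "$archive" && echo "archive verifies"
    printf '\n;; tampered\n' >>"$archive/archive-contents"
    verify_archive "$archive" || echo "tampering detected"
fi
```

After signing, export the public key with `gpg --armor --export KEYID`, publish it where the manual says (a key server or the archive itself), and have users import it with `M-x package-import-keyring`; package.el keeps its own keyring rather than the user's default GnuPG one, so a key that only sits in `~/.gnupg` does not satisfy `package-check-signature'.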