Re: [PATCH] package.el: check tarball signature

[Ted Zlatanov]

On Sat, 05 Oct 2013 10:09:25 +0300 Eli Zaretskii <address@hidden> wrote: 

>> From: Ted Zlatanov <address@hidden>
>> Date: Fri, 04 Oct 2013 17:14:44 -0400
>> 
>> >> Actually, let's wait.  If all turn out well, most/all ELPA archives will
>> >> start providing signatures in the not too distant future and there'll be
>> >> no need for per-archive settings (and we can change the default to t).
>> 
EZ> Are you saying that verification will not need gpg be installed?
>> 
>> If my work with libnettle progresses well, I think we'll be able to at
>> least verify GPG signatures without calling out to GnuPG or other tools
>> on all the platforms that have libnettle+libhogweed (any platforms with
>> GnuTLS support AFAIK).

EZ> And what about users whose Emacs doesn't have GnuTLS?  Are we saying
EZ> they will not be able to install packages from ELPA without being
EZ> annoyed by prompts and error messages?

No one has said that AFAIK.

My suggestion was to give users the choice (per archive) to always,
maybe, or never verify packages.  Currently this choice is global in
Daiki Ueno's changes that were committed recently, but it's still a
choice.

The signature verification method will be anything that can take a .sig
file and check that it's been signed by a maintainer's key, according to
the OpenPGP protocol in RFC 4880.  Daiki Ueno has implemented a
epg.el-backed verification method using calls to the external GnuPG that
works today.  I will (perhaps with others' help) try to implement a
libnettle+libhogweed-backed verification method that only requires those
libraries and makes no external calls.  I expect the user will be able
to decide which one to use, or even both if they wish.

Ted