bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed

[Ted Zlatanov]

On Wed, 24 Sep 2014 11:05:31 -0400 Stefan Monnier <monnier@iro.umontreal.ca> 
wrote: 

>> Do you have a plan to start signing GNU ELPA packages so this can get
>> tested in a real network setup?

SM> GNU ELPA is now signed,

Thank you for working on this!

The docs should be updated:

@c Uncomment this if it becomes true.
@ignore
The public key for the GNU package archive is distributed with Emacs,
in the @file{etc/package-keyring.gpg}.  Emacs uses it automatically.
@end ignore

The ELPA maintainer public key .gpg file is needed. Right now I can't
find it so I can't actually verify any packages. Am I missing something?

Are there docs on the signing process? I don't see anything in the ELPA
repository under admin.

>From the code it seems the EPG glue written by Daiki Ueno expects the
keyring to live in `(expand-file-name "gnupg" package-user-dir)` which
implies we have to provide a way, on startup, to populate that keyring
if it's missing. I don't see any docs or functions to do that. It's not
terribly complicated, just `gpg --homedir DIRNAME --import KEY` but it
would be convenient for users if we provide a wrapper.

IMHO any archives that are signed but not the GNU ELPA should be able to
use this wrapper.  I hope you agree, it's just a matter of avoiding
hard-coding too much.

I also think that we should set `package-check-signature` aggressively
if we can verify a basic signature verification.  So maybe that wrapper
above can finish with a test run of GnuPG to ensure it will DTRT, and if
so, offer to customize and save `package-check-signature`.  I can
atttempt all of the above... do you agree with the workflow?

I am attaching a small patch to provide a "Verify" button in the package
description, so the user doesn't have to try install the package to find
out if it's signed.  If you agree, I can commit it.

Thanks
Ted

package-verify-button.patch
Description: Text Data