Re: Urgent matter with GNU ELPA keys

[Amin Bandali]

On 2019-02-11  4:27 PM, Andreas Schwab wrote:

[...]

> You can edit a key to extend its expiration date (if you have the secret
> key, of course).
>

Indeed.  One would do `gpg --edit-key <keyid>', then use `expire' to set
the expiry of the main key.  If there are any subkeys (which I don’t
think is the case here, but anyway), one can toggle their selection
using the `key <number>' command where <number> is the 1-based index of
the order in which the subkey appears.

If I understand correctly, package.el imports the key(s) from the
etc/package-keyring.gpg file shipped with Emacs as you mentioned.  So
the first step would indeed be updating that file to ship the key with
the extended expiry date for future releases.  As for users of current
versions, however, I’m not sure what would be the best way to proceed.
For users of current versions, at some point they would have to re-fetch
the key to have its expiry date updated.  We could instruct them to do
so by invoking gpg with the right options (for settings the correct gpg
home directory and the right keyring), but I’m guessing that would
require root access in most cases (since the shipped keyring file would
likely have been installed by a system package manager in a location
that cannot be written to by regular users)?

For future versions, though, I wonder if it’d be a good idea to add a
function in package.el to aid with re-fetching the key.  Though even
then we’d still have to think about the root access requirement issue
for updating the shipped keyring.